Date: Thu, 30 Nov 2017 11:35:16 +0200
From: Ariel Zelivansky <ariel.zelivans@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2017-1000405: Linux kernel - "Dirty COW" variant on transparent huge pages

Great discovery and writeup. I looked into the latest kernel release
(v4.15-rc1) from 3 days ago and it doesn't seem to include the
committed patch. Am I missing anything?

On Thu, Nov 30, 2017 at 2:32 AM, Bindecy <contact@...decy.com> wrote:
> Hello,
>
> This is a brief overview of the vulnerability; more details are available
> in the post referenced in the GitHub link.
>
>
> ==== Summary ====
>
> In the "Dirty COW" vulnerability patch (CVE-2016-5195),
> can_follow_write_pmd() was changed to take into account the new FOLL_COW
> flag (8310d48b125d "mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp").
>
> We noticed a problematic use of pmd_mkdirty() in the touch_pmd() function.
>
> touch_pmd() can be reached by get_user_pages(). In such a case, the pmd will
> become dirty. This scenario breaks the new can_follow_write_pmd()'s logic -
> the pmd can become dirty without going through a COW cycle - which makes
> writing on read-only transparent huge pages possible.
>
> This bug is not as severe as the original "Dirty COW" because an ext4 file
> (or any other regular file) cannot be mapped using THP. Nevertheless, it
> does allow us to overwrite read-only huge pages. For example, the zero huge
> page and sealed shmem files can be overwritten (since their mapping can be
> populated using THP). Note that after the first write page-fault to the
> zero page, it will be replaced with a new fresh (and zeroed) thp.
>
> Using this primitive, we successfully crashed several processes. A likely
> consequence of overwriting the huge zero page is having improper initial
> values inside large BSS sections. A common vulnerable pattern would be using
> the zero value as an indicator that a global variable hasn't been
> initialized yet.
>
> Potentially, privileged processes using the mentioned pattern are
> exploitable.
>
>
> ===== POC =====
>
> The POC overwrites the zero-page of the system.
>
> POC source on GitHub: https://github.com/bindecy/HugeDirtyCowPOC
>
>
> ===== Affected Versions =====
>
> The POC was tested on Ubuntu 17.04 with kernel 4.10 and Fedora 27 with
> kernel 4.13. Every kernel version with THP support and the Dirty COW patch
> should be vulnerable (2.6.38 - 4.14).
>
> RHEL is claimed by the vendor as not affected.
>
> Fixed on Nov 27, 2017:
> https://github.com/torvalds/linux/commit/a8f97366452ed491d13cf1e44241bc0b5740b1f0
>
>
> ===== Timeline =====
>
> 22.11.17 — Initial report to security@...nel.org and
> linux-distros@...openwall.org
>
> 22.11.17 — CVE-2017-1000405 was assigned
>
> 27.11.17 — Patch was committed to mainline kernel
>
> 29.11.17 — Public announcement
>
>
> ===== Credit =====
>
> Eylon Ben Yaakov and Daniel Shapiro from Bindecy
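Added triage helper for the "Affected Versions" section above; this is not code from the original post or from the HugeDirtyCowPOC repository. It assumes the standard sysfs paths for the THP knobs and uses only the version range the advisory states (2.6.38 - 4.14); as the reply at the top of this message points out, a version number alone does not prove the fix commit is present, and vendor kernels may carry backports, so treat the result as a starting point for checking the fix commit, not a verdict.

```shell
#!/bin/sh
# Added triage helper (not code from the original post or the POC repo).
# Assumptions: the sysfs paths below are the standard THP knobs, and the
# version range is the one stated in the advisory (2.6.38 - 4.14). A version
# number alone cannot prove the fix commit is present, so this is triage only.

# Reduce "4.10.0-38-generic" or "4.15-rc1" to "MAJOR MINOR PATCH".
kver_triplet() {
    v=$(printf '%s' "$1" | sed 's/[-+].*$//')
    maj=$(printf '%s' "$v" | cut -d. -f1)
    min=$(printf '%s' "$v" | cut -s -d. -f2)
    pat=$(printf '%s' "$v" | cut -s -d. -f3)
    printf '%d %d %d\n' "${maj:-0}" "${min:-0}" "${pat:-0}"
}

# Encode a triplet as one integer so ranges compare with -ge/-le.
kver_num() {
    # Word splitting of the triplet into $1 $2 $3 is intentional here.
    set -- $(kver_triplet "$1")
    echo $(( $1 * 1000000 + $2 * 1000 + $3 ))
}

# Returns 0 when the version lies inside the advisory's stated range.
kernel_in_affected_range() {
    n=$(kver_num "$1")
    [ "$n" -ge "$(kver_num 2.6.38)" ] && [ "$n" -le "$(kver_num 4.14.999)" ]
}

# Show the THP state the bug depends on, plus the huge zero page knob.
thp_status() {
    base=/sys/kernel/mm/transparent_hugepage
    [ -r "$base/enabled" ] || { echo "thp: sysfs knob not present"; return 1; }
    echo "thp enabled:   $(cat "$base/enabled")"
    [ -r "$base/use_zero_page" ] && echo "use_zero_page: $(cat "$base/use_zero_page")"
    return 0
}

report() {
    if kernel_in_affected_range "$1"; then
        echo "kernel $1: inside the advisory's affected range (2.6.38 - 4.14)"
    else
        echo "kernel $1: outside the stated range; still confirm the fix commit"
    fi
    thp_status || true
}

# Check the running kernel when run as a script.
report "$(uname -r)"
```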
