Date: Thu, 30 Nov 2017 11:35:16 +0200
From: Ariel Zelivansky <ariel.zelivans@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2017-1000405: Linux kernel - "Dirty COW" variant on transparent huge pages

Great discovery and writeup. I looked into the latest kernel release (v4.15-rc1) from 3 days ago and it doesn't seem to include the committed patch. Am I missing anything?

On Thu, Nov 30, 2017 at 2:32 AM, Bindecy <contact@...decy.com> wrote:
> Hello,
>
> This is a brief overview of the vulnerability, more details are available
> in the post referenced in the GitHub link.
>
>
> ==== Summary ====
>
> In the "Dirty COW" vulnerability patch (CVE-2016-5195),
> can_follow_write_pmd() was changed to take into account the new FOLL_COW
> flag (8310d48b125d "mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp").
>
> We noticed a problematic use of pmd_mkdirty() in the touch_pmd() function.
>
> touch_pmd() can be reached by get_user_pages(). In such case, the pmd will
> become dirty. This scenario breaks the new can_follow_write_pmd()'s logic -
> pmd can become dirty without going through a COW cycle - which makes
> writing on read-only transparent huge pages possible.
>
> This bug is not as severe as the original "Dirty cow" because an ext4 file
> (or any other regular file) cannot be mapped using THP. Nevertheless, it
> does allow us to overwrite read-only huge pages. For example, the zero huge
> page and sealed shmem files can be overwritten (since their mapping can be
> populated using THP). Note that after the first write page-fault to the
> zero page, it will be replaced with a new fresh (and zeroed) thp.
>
> Using this primitive, we successfully crashed several processes. A likely
> consequence of overwriting the huge zero page is having improper initial
> values inside large BSS sections. Common vulnerable pattern would be using
> the zero value as an indicator that a global variable hasn't been
> initialized yet.
>
> Potentially, privileged processes using the mentioned pattern are
> exploitable.
>
>
> ===== POC =====
>
> The POC overwrites the zero-page of the system.
>
> POC source on GitHub: https://github.com/bindecy/HugeDirtyCowPOC
>
>
> ===== Affected Versions =====
>
> The POC was tested on Ubuntu 17.04 with kernel 4.10 and Fedora 27 with
> kernel 4.13. Every kernel version with THP support and the Dirty COW patch
> should be vulnerable (2.6.38 - 4.14).
>
> RHEL claimed by the vendor as not affected.
>
> Fixed on Nov 27, 2017:
> https://github.com/torvalds/linux/commit/a8f97366452ed491d13cf1e44241bc0b5740b1f0
>
>
> ===== Timeline =====
>
> 22.11.17 - Initial report to security@...nel.org and
> linux-distros@...openwall.org
>
> 22.11.17 - CVE-2017-1000405 was assigned
>
> 27.11.17 - Patch was committed to mainline kernel
>
> 29.11.17 - Public announcement
>
>
> ===== Credit =====
>
> Eylon Ben Yaakov and Daniel Shapiro from Bindecy
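The logic the quoted summary describes (touch_pmd() dirtying a PMD on a non-write access, which then satisfies the FOLL_FORCE/FOLL_COW branch of can_follow_write_pmd()) can be seen in a user-space model. The following C program is an added example written for this page; it is neither kernel code nor the Bindecy POC. The PMD bits, the FOLL_* values, the follow_pmd() wrapper and the "fixed" touch_pmd() are simplified stand-ins based on the kernel functions the post names and on the linked fix commit (the fix is modelled as "dirty only when FOLL_WRITE is set"); no page table is touched and no exploit step is performed.

```c
/* Added example: user-space model of the can_follow_write_pmd() /
 * touch_pmd() interaction described in the post. NOT kernel code and
 * NOT the POC: PMD bits and FOLL_* values are simplified stand-ins,
 * and nothing here touches a real page table. */
#include <stdbool.h>
#include <stdio.h>

/* Simplified PMD flag bits (stand-ins for the real pmd_* helpers). */
#define PMD_WRITE 0x1u   /* pmd_write() */
#define PMD_DIRTY 0x2u   /* pmd_dirty() */
#define PMD_YOUNG 0x4u   /* pmd_young() */

/* Simplified GUP flags (stand-ins for the real FOLL_* constants). */
#define FOLL_WRITE 0x01u
#define FOLL_TOUCH 0x02u
#define FOLL_FORCE 0x10u
#define FOLL_COW   0x20u

typedef unsigned int pmd_t;

static bool pmd_write(pmd_t pmd) { return (pmd & PMD_WRITE) != 0; }
static bool pmd_dirty(pmd_t pmd) { return (pmd & PMD_DIRTY) != 0; }

/* The post-CVE-2016-5195 check (commit 8310d48b125d): a forced write
 * through a read-only PMD is only allowed once a COW cycle has run
 * (FOLL_COW set) and left the PMD dirty. */
static bool can_follow_write_pmd(pmd_t pmd, unsigned int flags)
{
	return pmd_write(pmd) ||
	       ((flags & FOLL_FORCE) && (flags & FOLL_COW) && pmd_dirty(pmd));
}

/* Vulnerable touch_pmd(): marks the PMD young AND dirty on every
 * FOLL_TOUCH access, including read-only ones. */
static void touch_pmd_vulnerable(pmd_t *pmd, unsigned int flags)
{
	(void)flags;
	*pmd |= PMD_YOUNG | PMD_DIRTY;
}

/* Fixed touch_pmd(): dirty only when the access really is a write.
 * Assumption: models the linked fix commit a8f97366452e. */
static void touch_pmd_fixed(pmd_t *pmd, unsigned int flags)
{
	*pmd |= PMD_YOUNG;
	if (flags & FOLL_WRITE)
		*pmd |= PMD_DIRTY;
}

/* One follow_trans_huge_pmd()-style lookup (simplified): refuse a write
 * unless can_follow_write_pmd() allows it, otherwise touch the PMD. */
static bool follow_pmd(pmd_t *pmd, unsigned int flags,
		       void (*touch)(pmd_t *, unsigned int))
{
	if ((flags & FOLL_WRITE) && !can_follow_write_pmd(*pmd, flags))
		return false;
	if (flags & FOLL_TOUCH)
		touch(pmd, flags);
	return true;
}

/* Scenario from the post: a read-only THP (think of the huge zero page)
 * is first reached by a read-side GUP with FOLL_TOUCH, then a forced
 * write is retried with FOLL_COW already in the flags (assumption: as
 * the GUP retry loop leaves them after an earlier fault). Returns true
 * when the write passes without the PMD ever having been COWed. */
static bool write_allowed_without_cow(void (*touch)(pmd_t *, unsigned int))
{
	pmd_t pmd = 0;	/* read-only, clean, not young */

	/* read-side access: FOLL_TOUCH but no FOLL_WRITE */
	follow_pmd(&pmd, FOLL_TOUCH | FOLL_FORCE, touch);

	/* forced write retry with FOLL_COW set; no COW happened on this pmd */
	return follow_pmd(&pmd, FOLL_WRITE | FOLL_FORCE | FOLL_COW | FOLL_TOUCH,
			  touch);
}

int main(void)
{
	printf("vulnerable touch_pmd: forced write allowed = %d\n",
	       write_allowed_without_cow(touch_pmd_vulnerable));
	printf("fixed touch_pmd:      forced write allowed = %d\n",
	       write_allowed_without_cow(touch_pmd_fixed));
	return 0;
}
```

With the vulnerable touch_pmd() the read-side touch alone sets the dirty bit, so the later forced write satisfies can_follow_write_pmd() although no COW ever replaced the read-only huge page; with the fixed variant the bit is only set on a genuine write and the forced write is refused. The real fault/retry ordering is more involved than this model and is described in the post linked from the GitHub repository.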