Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CANatu-ZvJwPtHyYKMzpPT7ovMOR=VNYo4kCHnTEtNGpuj3ELHA@mail.gmail.com>
Date: Thu, 30 Nov 2017 02:32:37 +0200
From: Bindecy <contact@...decy.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2017-1000405: Linux kernel - "Dirty COW" variant on transparent
 huge pages

Hello,

This is a brief overview of the vulnerability, more details are available
in the post referenced in the GitHub link.


==== Summary ====

In the "Dirty COW" vulnerability patch (CVE-2016-5195),
can_follow_write_pmd() was changed to take into account the new FOLL_COW
flag (8310d48b125d "mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp").

We noticed a problematic use of pmd_mkdirty() in the touch_pmd() function.

touch_pmd() can be reached by get_user_pages(). In such case, the pmd will
become dirty. This scenario breaks the new can_follow_write_pmd()'s logic -
pmd can become dirty without going through a COW cycle - which makes
writing on read-only transparent huge pages possible.

This bug is not as severe as the original "Dirty cow" because an ext4 file
(or any other regular file) cannot be mapped using THP. Nevertheless, it
does allow us to overwrite read-only huge pages. For example, the zero huge
page and sealed shmem files can be overwritten (since their mapping can be
populated using THP). Note that after the first write page-fault to the
zero page, it will be replaced with a new fresh (and zeroed) thp.

Using this primitive, we successfully crashed several processes. A likely
consequence of overwriting the huge zero page is having improper initial
values inside large BSS sections. Common vulnerable pattern would be using
the zero value as an indicator that a global variable hasn't been
initialized yet.

Potentially, privileged processes using the mentioned pattern are
exploitable.


===== POC =====

The POC overwrites the zero-page of the system.

POC source on GitHub: https://github.com/bindecy/HugeDirtyCowPOC


===== Affected Versions =====

The POC was tested on Ubuntu 17.04 with kernel 4.10 and Fedora 27 with
kernel 4.13. Every kernel version with THP support and the Dirty COW patch
should be vulnerable (2.6.38 - 4.14).

RHEL claimed by the vendor as not affected.

Fixed on Nov 27, 2017:
https://github.com/torvalds/linux/commit/a8f97366452ed491d13cf1e44241bc0b5740b1f0


===== Timeline =====

22.11.17 — Initial report to security@...nel.org and
linux-distros@...openwall.org

22.11.17 — CVE-2017–1000405 was assigned

27.11.17 — Patch was committed to mainline kernel

29.11.17 — Public announcement


===== Credit =====

Eylon Ben Yaakov and Daniel Shapiro from Bindecy

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.