Message-ID: <CAE-_4r3Lc-nZGBw+78jRxtSCXRTsXmeA107mpes81kTp4m8nhw@mail.gmail.com>
Date: Thu, 30 Nov 2017 11:35:16 +0200
From: Ariel Zelivansky <ariel.zelivans@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2017-1000405: Linux kernel - "Dirty COW" variant on transparent huge pages

Great discovery and writeup. I looked into the latest kernel release
(v4.15-rc1) from 3 days ago and it doesn't seem to include the
committed patch. Am I missing anything?

On Thu, Nov 30, 2017 at 2:32 AM, Bindecy <contact@...decy.com> wrote:
> Hello,
>
> This is a brief overview of the vulnerability, more details are available
> in the post referenced in the GitHub link.
>
>
> ==== Summary ====
>
> In the "Dirty COW" vulnerability patch (CVE-2016-5195),
> can_follow_write_pmd() was changed to take into account the new FOLL_COW
> flag (8310d48b125d "mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp").
>
> We noticed a problematic use of pmd_mkdirty() in the touch_pmd() function.
>
> touch_pmd() can be reached by get_user_pages(). In such a case, the pmd will
> become dirty. This scenario breaks the new can_follow_write_pmd()'s logic -
> pmd can become dirty without going through a COW cycle - which makes
> writing on read-only transparent huge pages possible.
>
> This bug is not as severe as the original "Dirty COW" because an ext4 file
> (or any other regular file) cannot be mapped using THP. Nevertheless, it
> does allow us to overwrite read-only huge pages. For example, the zero huge
> page and sealed shmem files can be overwritten (since their mapping can be
> populated using THP). Note that after the first write page-fault to the
> zero page, it will be replaced with a new fresh (and zeroed) thp.
>
> Using this primitive, we successfully crashed several processes. A likely
> consequence of overwriting the huge zero page is having improper initial
> values inside large BSS sections. A common vulnerable pattern would be using
> the zero value as an indicator that a global variable hasn't been
> initialized yet.
>
> Potentially, privileged processes using the mentioned pattern are
> exploitable.
>
>
> ===== POC =====
>
> The POC overwrites the zero-page of the system.
>
> POC source on GitHub: https://github.com/bindecy/HugeDirtyCowPOC
>
>
> ===== Affected Versions =====
>
> The POC was tested on Ubuntu 17.04 with kernel 4.10 and Fedora 27 with
> kernel 4.13. Every kernel version with THP support and the Dirty COW patch
> should be vulnerable (2.6.38 - 4.14).
>
> RHEL is claimed by the vendor to be not affected.
>
> Fixed on Nov 27, 2017:
> https://github.com/torvalds/linux/commit/a8f97366452ed491d13cf1e44241bc0b5740b1f0
>
>
> ===== Timeline =====
>
> 22.11.17 — Initial report to security@...nel.org and
> linux-distros@...openwall.org
>
> 22.11.17 — CVE-2017-1000405 was assigned
>
> 27.11.17 — Patch was committed to mainline kernel
>
> 29.11.17 — Public announcement
>
>
> ===== Credit =====
>
> Eylon Ben Yaakov and Daniel Shapiro from Bindecy
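A triage helper for the affected-versions section of the report above, added here as an example (it is not part of the original report or of the Bindecy POC): it parses `uname -r`, applies the 2.6.38 lower bound the report gives, and reads the THP mode knob under /sys. It deliberately does not encode an upper bound, because distro kernels backport fixes without changing the version string; the authoritative check is whether the fix commit from the report is present in the running kernel's source.

```python
"""Triage helper: is this host's kernel in the THP era the report describes
(2.6.38 and later) and is transparent hugepage support switched on?
Added example; not code from the original report or the Bindecy POC."""
import os
import re

THP_FIRST_KERNEL = (2, 6, 38)   # lower bound of the affected range in the report
THP_SYSFS = "/sys/kernel/mm/transparent_hugepage/enabled"
FIX_COMMIT = "a8f97366452ed491d13cf1e44241bc0b5740b1f0"   # from the report

def parse_release(release: str) -> tuple:
    """Turn a `uname -r` string such as '4.13.0-17-generic' into (4, 13, 0).
    Suffixes like '-rc1' or distro tags are ignored; a missing patch level is 0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))

def in_thp_era(release: str) -> bool:
    """True for 2.6.38 or newer: kernels that can have THP support at all."""
    return parse_release(release) >= THP_FIRST_KERNEL

def thp_enabled(sysfs_text: str) -> bool:
    """Parse the knob text, e.g. 'always [madvise] never'; the bracketed word is
    the active mode. Anything other than 'never' leaves THP in use."""
    m = re.search(r"\[(\w+)\]", sysfs_text)
    return bool(m) and m.group(1) != "never"

def triage(release: str, sysfs_text: str) -> str:
    """One-line verdict. A version check alone cannot clear a host: distro
    kernels backport fixes without bumping the version, so the final step is
    to confirm the fix commit is present in the running kernel's source."""
    if not in_thp_era(release):
        return "predates THP (older than 2.6.38): not affected by this bug"
    if not thp_enabled(sysfs_text):
        return "THP-capable kernel, but THP mode is 'never' (or knob absent)"
    return f"THP-capable kernel with THP enabled: confirm fix {FIX_COMMIT[:12]} is present"

if __name__ == "__main__":
    try:
        with open(THP_SYSFS) as fh:
            knob = fh.read()
    except OSError:
        knob = ""   # kernel built without CONFIG_TRANSPARENT_HUGEPAGE
    print(triage(os.uname().release, knob))
```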
