Dirty COW redux: Linux devs patch botched patch for 2016 mess

This time it's a 'Huge Dirty COW' and Linus Torvalds has cleaned up after it

Linus Torvalds last week rushed a patch into the Linux kernel, after researchers discovered the patch for 2016's Dirty COW bug had a bug of its own.

Dirty COW is a privilege escalation vulnerability in Linux's “copy-on-write” mechanism, first documented in October 2016 and affecting both Linux and Android systems.

As The Register wrote at the time, the problem means "programs can set up a race condition to tamper with what should be a read-only root-owned executable mapped into memory. The changes are then committed to storage, allowing a non-privileged user to alter root-owned files and setuid executables – and at this point, it's game over.”

It was patched promptly, but last week, this post at the OSS-Sec mailing list explained the slip-up in the patch. Discovered by researchers from Bindecy, “Huge Dirty Cow” is discussed in detail here.

“In the 'Dirty COW' vulnerability patch (CVE-2016-5195), can_follow_write_pmd() was changed to take into account the new FOLL_COW flag (8310d48b125d 'mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp').”

Bindecy's Eylon Ben Yaakov and Daniel Shapiro found a slip up in the use of pmd_mkdirty() in the touch_pmd() function, the post said.

What's that mean? The get_user_pages can reach touch_pmd(), “which makes writing on read-only transparent huge pages possible”, and from there Yaakov and Shapiro found ways to crash a variety of processes.

They've published their proof-of-concept here.

Android doesn't suffer from “HugeDirtyCow”. Red Hat Enterprise Linux is also safe. Many other *nixes do have the bug: “Every kernel version with THP support and the Dirty COW patch should be vulnerable (2.6.38 – 4.14)”, Yaakov and Shapiro wrote.

The kernel got its patch on November 27, before the bug was announced to the public. ®


Biting the hand that feeds IT © 1998–2017