Dirty COW redux: Linux devs patch botched patch for 2016 mess
This time it's a 'Huge Dirty COW' and Linus Torvalds has cleaned up after it
Linus Torvalds last week rushed a patch into the Linux kernel, after researchers discovered the patch for 2016's Dirty COW bug had a bug of its own.
Dirty COW is a privilege escalation vulnerability in Linux's “copy-on-write” mechanism, first documented in October 2016 and affecting both Linux and Android systems.
As The Register wrote at the time, the problem means "programs can set up a race condition to tamper with what should be a read-only root-owned executable mapped into memory. The changes are then committed to storage, allowing a non-privileged user to alter root-owned files and setuid executables – and at this point, it's game over.”
“In the 'Dirty COW' vulnerability patch (CVE-2016-5195),
can_follow_write_pmd() was changed to take into account the new
FOLL_COW flag (8310d48b125d '
mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp').”
Bindecy's Eylon Ben Yaakov and Daniel Shapiro found a slip up in the use of
pmd_mkdirty() in the
touch_pmd() function, the post said.
What's that mean? The
get_user_pages can reach
touch_pmd(), “which makes writing on read-only transparent huge pages possible”, and from there Yaakov and Shapiro found ways to crash a variety of processes.
They've published their proof-of-concept here.
Android doesn't suffer from “HugeDirtyCow”. Red Hat Enterprise Linux is also safe. Many other *nixes do have the bug: “Every kernel version with THP support and the Dirty COW patch should be vulnerable (2.6.38 – 4.14)”, Yaakov and Shapiro wrote.
The kernel got its patch on November 27, before the bug was announced to the public. ®