Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 639186 (CVE-2017-1000405)

Summary: kernel: "Dirty COW" variant on transparent huge pages (CVE-2017-1000405)
Product: Gentoo Security Reporter: Thomas Deutschmann <whissi>
Component: KernelAssignee: Gentoo Kernel Security <security-kernel>
Status: IN_PROGRESS ---    
Severity: normal CC: alexander, gentoo, herrtimson, i, kernel, peter.volkov
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.openwall.com/lists/oss-security/2017/11/30/1
Whiteboard:
Package list:
Runtime testing required: ---

Description Thomas Deutschmann gentoo-dev Security 2017-11-29 17:53:24 UTC
Incoming details.
Comment 1 Thomas Deutschmann gentoo-dev Security 2017-11-30 00:57:06 UTC
==== Summary ====

In the "Dirty COW" vulnerability patch (CVE-2016-5195),
can_follow_write_pmd() was changed to take into account the new FOLL_COW
flag (8310d48b125d "mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp").

We noticed a problematic use of pmd_mkdirty() in the touch_pmd() function.

touch_pmd() can be reached by get_user_pages(). In such case, the pmd will
become dirty. This scenario breaks the new can_follow_write_pmd()'s logic -
pmd can become dirty without going through a COW cycle - which makes
writing on read-only transparent huge pages possible.

This bug is not as severe as the original "Dirty cow" because an ext4 file
(or any other regular file) cannot be mapped using THP. Nevertheless, it
does allow us to overwrite read-only huge pages. For example, the zero huge
page and sealed shmem files can be overwritten (since their mapping can be
populated using THP). Note that after the first write page-fault to the
zero page, it will be replaced with a new fresh (and zeroed) thp.

Using this primitive, we successfully crashed several processes. A likely
consequence of overwriting the huge zero page is having improper initial
values inside large BSS sections. Common vulnerable pattern would be using
the zero value as an indicator that a global variable hasn't been
initialized yet.

Potentially, privileged processes using the mentioned pattern are
exploitable.


===== POC =====

The POC overwrites the zero-page of the system.

POC source on GitHub: https://github.com/bindecy/HugeDirtyCowPOC


===== Affected Versions =====

The POC was tested on Ubuntu 17.04 with kernel 4.10 and Fedora 27 with
kernel 4.13. Every kernel version with THP support and the Dirty COW patch
should be vulnerable (2.6.38 - 4.14).

RHEL claimed by the vendor as not affected.

Fixed on Nov 27, 2017:
https://github.com/torvalds/linux/commit/a8f97366452ed491d13cf1e44241bc0b5740b1f0


===== Timeline =====

22.11.17 — Initial report to security@kernel.org and
linux-distros@vs.openwall.org

22.11.17 — CVE-2017–1000405 was assigned

27.11.17 — Patch was committed to mainline kernel

29.11.17 — Public announcement


===== Credit =====

Eylon Ben Yaakov and Daniel Shapiro from Bindecy
Comment 2 Alice Ferrazzi Gentoo Infrastructure gentoo-dev 2017-11-30 02:21:05 UTC
thanks
Comment 3 Alice Ferrazzi Gentoo Infrastructure gentoo-dev 2017-12-03 23:32:57 UTC
patch still need upstream review. waiting for upstream.
Comment 4 pva 2017-12-09 15:12:37 UTC
Alice, patch is already commited to 4.14.4[1]. Is it time to backport/fix our stable?

https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.4
Comment 5 Mike Limansky 2017-12-10 21:38:11 UTC
BTW, could anyone please explain why we are at 4.12.x while EOL branch is 4.13.x?
Comment 6 Thomas Deutschmann gentoo-dev Security 2017-12-10 21:40:36 UTC
Stable for gentoo-sources doesn't mean the same like stable for packages.
If you care about security you should keyword the LTS kernel you are interested in and don't wait for stabilization.
Comment 7 Mike Limansky 2017-12-13 15:40:52 UTC
(In reply to Thomas Deutschmann from comment #6)
> If you care about security you should keyword the LTS kernel you are
> interested in and don't wait for stabilization.

Sorry, but do you think that by default users are don't care about security? I just trying to understand the process.  I'm a Gentoo user since 2004, and still cannot figure out how does it works.  I understand, that kernel team have to choose between security, stability and maintainability.  And that kernel is most critical parts of the system.  But still, kernel stabilization process in Gentoo is not transparent at all.
Comment 8 Thomas Deutschmann gentoo-dev Security 2017-12-13 19:52:29 UTC
> Sorry, but do you think that by default users are don't care about security?
No, but I have the feeling that most Gentoo users have wrong expectations regarding stable kernels in Gentoo.

> But still, kernel stabilization process in Gentoo is not transparent at all.
That's what I tried to tell you: gentoo-sources don't get the same treatment like vulnerable packages. This isn't something new. This was always the case:

Especially since upstream is releasing new kernels every ~10 days in average with the note "All users of the X kernel series must upgrade".

We would really like to stabilize new kernels in time but we don't have the man power to do that. And please notice that there's a major difference between stabilizing a normal package vs. stabilizing a new kernel:

- In most cases a minor package bump is just fixing bugs.

- Due to the UNIX philosophy "Write programs that do one thing and do it well" which is still honored by most programs you can better check for regressions.

- As long as you don't lose access to your system you are able to downgrade most of the time in case you need to due to a regression/new problem. 

But the kernel is different:

- There are so many drivers/components in the kernel which you cannot test anymore. Remember the broken crypto in user space (bug 575024) or broken megaraid driver (bug 599464)? Doesn't affect everyone but when you are affected you will have problems.

- If a kernel crashes or doesn't boot there's no easy fix. In most cases, the user has to manually fix the problem (=needs to get physical access to the broken Gentoo box).

So face it: You cannot get a known working stable kernel on most platforms/setups together with latest security fixes. However, if you would give people the choice between kernel with latest fixes vs known working kernel, the majority would pick the well tested kernel (this is ridiculous in so many ways because when we stabilize a new kernel we will pick the latest one but...).

tl;dr
One could say we only have stable gentoo-sources at all to _not_ break the depgraph, to have a minimum version we need to support and to allow stable users to set up a new Gentoo system without the need to keyword something.
Comment 9 Alice Ferrazzi Gentoo Infrastructure gentoo-dev 2017-12-19 10:01:21 UTC
Mike Limansky we are currently moving away from 4.12
we are just waiting that 4.14 stabilize
https://archives.gentoo.org/gentoo-kernel/message/b32bf0b9c65614c8979923ebac77c34b
Comment 10 Mike Limansky 2017-12-20 07:20:49 UTC
Thomas thank you for clarification.  Sorry if I was rude.  I just wanna say that kernel team might be more open to community.  If we had something like stabilization candidates, people would be able to test it earlier.

Alice thank you for good news!