Bug 597624 (CVE-2016-5195) - kernel: mm: privilege escalation via MAP_PRIVATE COW breakage
Summary: kernel: mm: privilege escalation via MAP_PRIVATE COW breakage
Status: IN_PROGRESS
Alias: CVE-2016-5195
Product: Gentoo Security
Classification: Unclassified
Component: Kernel
Hardware: All Linux
Importance: Normal normal with 4 votes
Assignee: Gentoo Kernel Security
URL: https://dirtycow.ninja/
Whiteboard: A1 [stable blocked cve]
Keywords:
Duplicates: 598076
Depends on: 597738 598378
Blocks:

Reported: 2016-10-20 14:55 UTC by Thomas Deutschmann
Modified: 2017-05-22 02:24 UTC
CC: 22 users

See Also:
Package list:
Runtime testing required: ---


Attachments
ebuild with patch against CVE-2016-5195 for gentoo-sources-4.1.15-r1 (CVE-2016-5195_gentoo-sources-4.1.15-r2.tar.bz2, 3.53 KB, application/x-bzip)
2016-10-25 18:42 UTC, bugs-gentoo01

Description Thomas Deutschmann gentoo-dev Security 2016-10-20 14:55:24 UTC
A race condition was found in the way the Linux kernel's memory subsystem
handled breakage of the read-only private mappings COW situation on
write access.

An unprivileged local user could use this flaw to gain
write access to otherwise read-only memory mappings and thus increase
their privileges on the system.


Upstream patch:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619
Comment 1 Alice Ferrazzi Gentoo Infrastructure gentoo-dev 2016-10-20 22:52:26 UTC
4.7.9 patches this vulnerability and has been released

https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.7.9
Comment 2 Alice Ferrazzi Gentoo Infrastructure gentoo-dev 2016-10-20 23:11:17 UTC
affected:
<sys-kernel/gentoo-sources-4.8.3
<sys-kernel/gentoo-sources-4.7.9
<sys-kernel/gentoo-sources-4.4.26
Comment 3 Vitaly L. Fadeev 2016-10-21 08:06:52 UTC
Please, release 4.8.3
Comment 4 Kristian Fiskerstrand gentoo-dev Security 2016-10-21 08:13:20 UTC
(In reply to Vitaly L. Fadeev from comment #3)
> Please, release 4.8.3

4.8 is not a long-term stable branch, hence not a candidate for Gentoo stabilization, hence irrelevant for this security tracking bug.
Comment 5 Mike Pagano gentoo-dev 2016-10-21 23:56:01 UTC
Any gentoo-sources version is a candidate for stabilization unless it is EOL'ed.
Comment 6 Yuri Arabadji 2016-10-22 10:38:48 UTC
Where do we send money to get 4.1.x patched? Thanks.
Comment 7 Oliver Schwabedissen 2016-10-22 14:27:27 UTC
(In reply to Yuri Arabadji from comment #6)
> Where do we send money to get 4.1.x patched? Thanks.

If you don't want to wait why don't you try to fix it yourself?

I patched my kernel (4.4.21) as described in the Gentoo forum (https://forums.gentoo.org/viewtopic-p-7980252.html#7980252) and recompiled the kernel. The PoC didn't work with the patched kernel. Not an official fix but at least a fast and working solution.
Comment 8 Fredrik Eriksson 2016-10-24 08:50:41 UTC
Shouldn't there be a GLSA for this?
Comment 9 Kristian Fiskerstrand gentoo-dev Security 2016-10-24 08:59:12 UTC
(In reply to Fredrik Eriksson from comment #8)
> Shouldn't there be a GLSA for this?

The official policy is no GLSA for kernel vulnerabilities, there are several reasons for this, one of which is that glsa-check does not have capabilities to check such GLSA vs running kernels. Another is the number of different kernel branches, most of which are in testing, so the workload of tracking each individual is too high for the security project.
Comment 10 bugs-gentoo01 2016-10-24 20:34:36 UTC
It seems that gentoo-sources-4.1.15-gentoo-r1 is also vulnerable:

root@localhost#ll foo
-rw-r--r-- 1 root root 15 Oct 24 22:28 foo
user@localhost#./dirtyc0w foo m000000000000
mmap 7f7530ee7000

madvise 0

procselfmem 1300000000

user@localhost#cat foo 
m000000000000t


#emerge --info
Portage 2.1.12.2 (default/linux/amd64/13.0, gcc-4.9.3, glibc-2.21-r2, 4.1.15-gentoo-r1 x86_64)
=================================================================
System uname: Linux-4.1.15-gentoo-r1-x86_64-Intel-R-_Core-TM-2_Quad_CPU_Q9300_@_2.50GHz-with-gentoo-2.2
KiB Mem:     8158944 total,    893372 free
KiB Swap:   19531768 total,  16722224 free
Timestamp of tree: Wed, 12 Jun 2013 06:45:01 +0000
ld GNU ld (GNU Binutils) 2.24
distcc 3.1 x86_64-pc-linux-gnu [enabled]
ccache version 3.1.9 [enabled]
app-shells/bash:          4.2_p50::x-patches
dev-lang/python:          2.7.3-r3, 3.2.3-r2
dev-util/ccache:          3.1.9
dev-util/cmake:           2.8.10.2-r2
dev-util/pkgconfig:       0.28
sys-apps/baselayout:      2.2
sys-apps/openrc:          0.11.8
sys-apps/sandbox:         2.5
sys-devel/autoconf:       2.69
sys-devel/automake:       1.11.6, 1.12.6
sys-devel/binutils:       2.24-r3::x-patches
sys-devel/gcc:            4.9.3::x-kernel
sys-devel/gcc-config:     1.7.3
sys-devel/libtool:        2.4-r1
sys-devel/make:           3.82-r4
sys-kernel/linux-headers: 3.7 (virtual/os-headers)
sys-libs/glibc:           2.21-r2::x-patches
Repositories: gentoo freeswitch my x-patches x-libguestfs x-ansible x-libvirt x-qemu x-pg_repack x-php x-icinga x-minidlna x-kernel x-cryptsetup x-unbound x-bcache
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="*"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=core2 -msse4.1 -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.6/ext-active/ /etc/php/cgi-php5.6/ext-active/ /etc/php/cli-php5.6/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-march=core2 -msse4.1 -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://mirror.netcologne.de/gentoo/ http://mirror.leaseweb.com/gentoo/ http://ftp.halifax.rwth-aachen.de/gentoo/ http://ftp-stud.hs-esslingen.de/pub/Mirrors/gentoo/ ftp://mirror.netcologne.de/gentoo/"
LANG="en_US.UTF-8"
LC_ALL=""
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/freeswitch /usr/local/overlays/my /usr/local/overlays/patches /usr/local/overlays/libguestfs /usr/local/overlays/ansible /usr/local/overlays/libvirt /usr/local/overlays/qemu /usr/local/overlays/pg_repack /usr/local/overlays/php /usr/local/overlays/icinga /usr/local/overlays/minidlna /usr/local/overlays/kernel /usr/local/overlays/cryptsetup /usr/local/overlays/unbound /usr/local/overlays/bcache"
SYNC="rsync://rsync.de.gentoo.org/gentoo-portage"
USE="acl aio amd64 berkdb bzip2 cli cracklib crypt cxx dri flac fortran gcrypt gdbm gpm iconv ipv6 lighttpd logrotate lvm mmx modules mp3 mudflap multilib ncurses nfs nls nptl openmp pam pcre perl postgres readline session sse sse2 ssl ssse3 tcpd threads unicode vhosts x264 zlib zsh-completion" ABI_X86="64" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIBREOFFICE_EXTENSIONS="presenter-console presenter-minimizer" LIRC_DEVICES="udp" OFFICE_IMPLEMENTATION="libreoffice" PHP_TARGETS="php5-6" PYTHON_SINGLE_TARGET="python2_7" PYTHON_TARGETS="python2_7 python3_2" QEMU_USER_TARGETS="x86_64" RUBY_TARGETS="ruby19 ruby18" SANE_BACKENDS="lexmark" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga nouveau nv r128 radeon savage sis tdfx trident vesa via vmware dummy v4l" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset 
ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, USE_PYTHON
Comment 11 Kerin Millar 2016-10-24 20:58:52 UTC
The 4.1 series is maintained by Sasha Levin. The necessary patch was included in the upstream 4.1.35 release.
Comment 12 bugs-gentoo01 2016-10-24 21:46:18 UTC
(In reply to Kerin Millar from comment #11)
> The 4.1 series is maintained by Sasha Levin. The necessary patch was
> included in the upstream 4.1.35 release.

Why don't we stabilize 4.1.35 in Gentoo?
Comment 13 Mike Limansky 2016-10-25 09:12:12 UTC
What about other longterm kernel versions? As I see from kernel.org, fixed versions are available.
Comment 14 Tomáš Mózes 2016-10-25 10:35:42 UTC
Yes, would be great to introduce gentoo-sources-4.1.35.
Comment 15 bugs-gentoo01 2016-10-25 18:42:17 UTC
Created attachment 451440 [details]
ebuild with patch against CVE-2016-5195 for gentoo-sources-4.1.15-r1

Everyone running gentoo-sources-4.1.15-r2 can use the following overlay to patch the kernel against CVE-2016-5195 until Portage is updated.
Comment 16 Marcin Mirosław 2016-10-25 19:48:34 UTC
(In reply to bugs-gentoo01 from comment #15)
> Created attachment 451440 [details]
> ebuild with patch against CVE-2016-5195 for gentoo-sources-4.1.15-r1
> 
> Everyone running gentoo-sources-4.1.15-r2 can use the following
> overlay to patch the kernel against CVE-2016-5195 until Portage is
> updated.

But what for? It's easier to use /etc/portage/patches/... and (re)emerge kernel from any line you want.
Comment 17 Erik Dobak 2016-10-25 21:27:06 UTC
Why don't we stabilize at all?
Comment 18 Jerry McDonald 2016-10-26 18:54:21 UTC
(In reply to Alice Ferrazzi from comment #2)
> affected:
> <sys-kernel/gentoo-sources-4.8.3
> <sys-kernel/gentoo-sources-4.7.9
> <sys-kernel/gentoo-sources-4.4.26

Those should be "<=" instead of "<" or perhaps:

affected:
<sys-kernel/gentoo-sources-4.8.4
<sys-kernel/gentoo-sources-4.7.10
<sys-kernel/gentoo-sources-4.4.27

and for 4.1.X:
<sys-kernel/gentoo-sources-4.1.35

which is not yet available.
Comment 19 Jerry McDonald 2016-10-26 19:01:31 UTC
(In reply to Jerry McDonald from comment #18)
> (In reply to Alice Ferrazzi from comment #2)
> > affected:
> > <sys-kernel/gentoo-sources-4.8.3
> > <sys-kernel/gentoo-sources-4.7.9
> > <sys-kernel/gentoo-sources-4.4.26
> 
> Those should be "<=" instead of "<" or perhaps:
> 
> affected:
> <sys-kernel/gentoo-sources-4.8.4
> <sys-kernel/gentoo-sources-4.7.10
> <sys-kernel/gentoo-sources-4.4.27
> 

Never mind, not enough changelog at packages.gentoo.org. Sorry for my confusion.
Comment 20 1clue 2016-10-26 23:54:26 UTC
hardened-sources 4.7.6 is affected.
Comment 21 Coacher 2016-10-27 12:45:47 UTC
*** Bug 598076 has been marked as a duplicate of this bug. ***
Comment 22 Robert R. Richter 2016-10-27 15:56:09 UTC
Please release gentoo-sources-4.1.35
Comment 23 Mike Pagano gentoo-dev 2016-10-28 18:16:25 UTC
(In reply to Robert R. Richter from comment #22)
> Please release gentoo-sources-4.1.35


commit 131f8aef61234ec1fac63a07be2e56d7185d835b
Author: Mike Pagano <mpagano@gentoo.org>
Date:   Fri Oct 28 06:46:08 2016 -0400

    sys-kernel/gentoo-sources: Linux patch 4.1.35
    
    Package-Manager: portage-2.3.0
Comment 24 Alice Ferrazzi Gentoo Infrastructure gentoo-dev 2016-11-01 11:30:36 UTC
Also <sys-kernel/gentoo-sources-3.18.44 is affected
Comment 25 Vadim 2016-11-10 14:39:17 UTC
Hello!

Could you please tell me whether kernels 3.10.7-gentoo-r1 and 3.2.6-gentoo are affected?
If yes, when will they be fixed?
Thanks!!!
Comment 26 bugs-gentoo01 2016-11-10 14:46:11 UTC
(In reply to Vadim from comment #25)
> Hello!
> 
> Could you please tell me whether kernels 3.10.7-gentoo-r1 and 3.2.6-gentoo are
> affected?
> If yes, when will they be fixed?
> Thanks!!!

You can use this ansible playbook to check: https://github.com/oleg-fiksel/ansible_CVE-2016-5195_check
Or run the exploit manually: https://github.com/dirtycow/dirtycow.github.io/blob/master/dirtyc0w.c

--Oleg
Comment 27 Robert R. Richter 2016-11-10 15:04:18 UTC
(In reply to Vadim from comment #25)
> Hello!
> 
> Could you please tell me whether kernels 3.10.7-gentoo-r1 and 3.2.6-gentoo are
> affected?
> If yes, when will they be fixed?
> Thanks!!!

I can tell you that gentoo-sources-3.10.104 is definitely fixed.

Yes, it is marked unstable, but we have 3.10.104 (~x86) running on a production server for more than 19 days and NO PROBLEMS at all :-) !
Comment 28 Vadim 2016-11-10 16:18:22 UTC
(In reply to bugs-gentoo01 from comment #26)
> (In reply to Vadim from comment #25)
> > Hello!
> > 
> > Could you please tell me whether kernels 3.10.7-gentoo-r1 and 3.2.6-gentoo are
> > affected?
> > If yes, when will they be fixed?
> > Thanks!!!
> 
> You can use this ansible playbook to check:
> https://github.com/oleg-fiksel/ansible_CVE-2016-5195_check
> Or run the exploit manually:
> https://github.com/dirtycow/dirtycow.github.io/blob/master/dirtyc0w.c
> 
> --Oleg

Thanks for information!!!

I've checked and can tell that these kernels are affected too.
Comment 29 Vadim 2016-11-10 16:23:52 UTC
(In reply to Robert R. Richter from comment #27)
> (In reply to Vadim from comment #25)
> > Hello!
> > 
> > Could you please tell me whether kernels 3.10.7-gentoo-r1 and 3.2.6-gentoo are
> > affected?
> > If yes, when will they be fixed?
> > Thanks!!!
> 
> I can tell you that gentoo-sources-3.10.104 is definitely fixed.
> 
> Yes, it is marked unstable, but we have 3.10.104 (~x86) running on a
> production server for more than 19 days and NO PROBLEMS at all :-) !

Thanks!

I have a question: when will the fixed kernel 3.10.104 be stable?
Comment 30 Mike Pagano gentoo-dev 2016-11-11 19:46:22 UTC
(In reply to Vadim from comment #29)
> (In reply to Robert R. Richter from comment #27)
> > (In reply to Vadim from comment #25)
> > > Hello!
> > > 
> > > Could you please tell me whether kernels 3.10.7-gentoo-r1 and 3.2.6-gentoo are
> > > affected?
> > > If yes, when will they be fixed?
> > > Thanks!!!
> > 
> > I can tell you that gentoo-sources-3.10.104 is definitely fixed.
> > 
> > Yes, it is marked unstable, but we have 3.10.104 (~x86) running on a
> > production server for more than 19 days and NO PROBLEMS at all :-) !
> 
> Thanks!
> 
> I have a question: when will the fixed kernel 3.10.104 be stable?

I just entered stable req bugs for the rest of the affected gentoo-sources kernels that we carry:

sys-kernel/gentoo-sources-3.12.66
sys-kernel/gentoo-sources-3.10.104 
sys-kernel/gentoo-sources-3.2.83 
sys-kernel/gentoo-sources-3.4.113

bug #599520
bug #599522
bug #599524
bug #599526
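The thread above scatters the first patched version of each gentoo-sources branch across several comments (4.8.3, 4.7.9 and 4.4.26 in comment 2, 4.1.35 in comment 11, 3.18.44 in comment 24, 3.10.104 in comment 27, and the 3.12.66, 3.2.83 and 3.4.113 stabilisation requests in comment 30). The POSIX shell script below, an added example that is not part of the bug report, of the ansible playbook linked in comment 26, or of any Gentoo tooling, collects those numbers into one table and classifies a kernel release string (the form `uname -r` prints, e.g. `4.1.15-gentoo-r1`) as affected, patched or unknown-branch. The function names and the treatment of the comment 30 versions as the first patched ones for their branches are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the bug thread): version-based CVE-2016-5195 check
# for gentoo-sources kernels, using the patched versions named in the thread.

# First patched patch-level per major.minor branch, as stated in the thread:
# comments 2 (4.8/4.7/4.4), 11 (4.1), 24 (3.18) and 27 (3.10). The 3.12, 3.4
# and 3.2 entries come from the stabilisation requests in comment 30 and are
# an assumption of this example. Unknown branches print nothing.
fixed_patchlevel_for_branch() {
    case "$1" in
        4.8)  echo 3 ;;
        4.7)  echo 9 ;;
        4.4)  echo 26 ;;
        4.1)  echo 35 ;;
        3.18) echo 44 ;;
        3.12) echo 66 ;;
        3.10) echo 104 ;;
        3.4)  echo 113 ;;
        3.2)  echo 83 ;;
        *)    echo "" ;;
    esac
}

# Strip distribution suffixes: "4.1.15-gentoo-r1" -> "4.1.15", "4.4.26+" -> "4.4.26".
kernel_base_version() {
    v=$1
    v=${v%%-*}
    v=${v%%+*}
    v=${v%%_*}
    printf '%s\n' "$v"
}

# Print one of: affected, patched, unknown-branch, unparseable.
# "patched" means the release is at or above the first fixed version of its
# branch; it says nothing about backports applied via /etc/portage/patches
# or a self-patched tree, which this check cannot see.
classify_kernel() {
    base=$(kernel_base_version "$1")
    major=${base%%.*}
    rest=${base#"$major".}
    minor=${rest%%.*}
    patch=${rest#"$minor"}
    patch=${patch#.}
    if [ -z "$patch" ]; then
        patch=0                      # "4.8" means 4.8.0
    fi
    case "$major$minor$patch" in
        *[!0-9]*) echo unparseable; return 0 ;;
    esac
    fixed=$(fixed_patchlevel_for_branch "$major.$minor")
    if [ -z "$fixed" ]; then
        echo unknown-branch
    elif [ "$patch" -ge "$fixed" ]; then
        echo patched
    else
        echo affected
    fi
}

# Usage: sh dirtycow-version-check.sh [release]; defaults to the running kernel.
target=${1:-$(uname -r)}
printf '%s: %s\n' "$target" "$(classify_kernel "$target")"
```

A version check of this kind is only as good as the table: a kernel rebuilt with the upstream commit applied through /etc/portage/patches (comments 7 and 16) will still be reported as affected, and a branch missing from the table is reported as unknown rather than assumed safe. For a definitive answer on a particular machine the thread's own advice stands: run the check from comment 26 against the running kernel.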