CVE-2017-1000405
Published 2017-11-30
Priority P3 (38) · Severity: high · CVSS 3.1 base score 7.0
CVSS 3.1 vector: AV:L / AC:H / PR:L / UI:N / S:U / C:H / I:H / A:H
Exploit: public (see the Exploit-DB entries below)
EPSS: 2.84% (84.9th percentile)
The Linux Kernel versions 2.6.38 through 4.14 have a problematic use of pmd_mkdirty() in the touch_pmd() function inside the THP implementation. touch_pmd() can be reached by get_user_pages(). In such case, the pmd will become dirty. This scenario breaks the new can_follow_write_pmd()'s logic - pmd can become dirty without going through a COW cycle. This bug is not as severe as the original "Dirty cow" because an ext4 file (or any other regular file) cannot be mapped using THP. Nevertheless, it does allow us to overwrite read-only huge pages. For example, the zero huge page and sealed shmem files can be overwritten (since their mapping can be populated using THP). Note that after the first write page-fault to the zero page, it will be replaced with a new fresh (and zeroed) thp.
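The description above is the whole bug in two sentences: touch_pmd() sets the dirty bit on any get_user_pages() walk that touches the entry, and can_follow_write_pmd() treats a dirty bit as proof that a copy-on-write cycle has already happened. The following C program is an added example, not kernel code and not the page's PoC: it is a userspace model of that flag logic with a plain struct standing in for the pmd. The kernel names (touch_pmd, can_follow_write_pmd, FOLL_*, pmd_*) are reused so the model reads like the code it mirrors; follow_pmd(), huge_zero_page_write_allowed() and cow_copy_write_allowed() are this example's own names, and the "fixed" variant follows the upstream commit linked in the Bugzilla entry below (dirty only when the walk itself is a write).

```c
#include <stdbool.h>
#include <stdio.h>

/* get_user_pages() flag bits; values follow the 4.x kernel, but only their
 * distinctness matters for this model. */
#define FOLL_WRITE 0x01
#define FOLL_TOUCH 0x02
#define FOLL_FORCE 0x10
#define FOLL_COW   0x4000

/* Stand-in for a huge page-table entry: just the bits the checks read. */
typedef struct {
    bool write;   /* hardware-writable mapping */
    bool dirty;   /* dirty bit; the COW path is what is supposed to set it */
    bool young;   /* accessed bit */
} pmd_t;

static bool  pmd_write(pmd_t p)   { return p.write; }
static bool  pmd_dirty(pmd_t p)   { return p.dirty; }
static pmd_t pmd_mkyoung(pmd_t p) { p.young = true; return p; }
static pmd_t pmd_mkdirty(pmd_t p) { p.dirty = true; return p; }

/* The rule the CVE text calls "the new can_follow_write_pmd()'s logic": a
 * forced write through a read-only entry is allowed only if the entry is
 * dirty, which is taken as proof that a COW cycle has already run. */
static bool can_follow_write_pmd(pmd_t pmd, unsigned int flags)
{
    return pmd_write(pmd) ||
           ((flags & FOLL_FORCE) && (flags & FOLL_COW) && pmd_dirty(pmd));
}

/* Vulnerable touch_pmd(): dirties the entry on every FOLL_TOUCH walk,
 * including plain reads, so "dirty" no longer implies "went through COW". */
static void touch_pmd_vulnerable(pmd_t *pmd, unsigned int flags)
{
    (void)flags;
    *pmd = pmd_mkyoung(pmd_mkdirty(*pmd));
}

/* Fixed touch_pmd(): young always, dirty only when the walk is a write. */
static void touch_pmd_fixed(pmd_t *pmd, unsigned int flags)
{
    pmd_t p = pmd_mkyoung(*pmd);
    if (flags & FOLL_WRITE)
        p = pmd_mkdirty(p);
    *pmd = p;
}

/* One follow_page() visit to a THP entry, in the kernel's order: the write
 * check first, then the touch. Returns false when the caller would have to
 * fault the page in (the COW path) and retry with FOLL_COW set. */
static bool follow_pmd(pmd_t *pmd, unsigned int flags, bool fixed_kernel)
{
    if ((flags & FOLL_WRITE) && !can_follow_write_pmd(*pmd, flags))
        return false;
    if (flags & FOLL_TOUCH) {
        if (fixed_kernel)
            touch_pmd_fixed(pmd, flags);
        else
            touch_pmd_vulnerable(pmd, flags);
    }
    return true;
}

/* The race from the write-up, replayed sequentially: a forced write was
 * refused once and is retrying with FOLL_COW set, and meanwhile a read-side
 * GUP has touched a freshly mapped, read-only, clean huge zero page entry.
 * Returns true when the retry is allowed to write to that shared page. */
bool huge_zero_page_write_allowed(bool fixed_kernel)
{
    pmd_t pmd = { .write = false, .dirty = false, .young = false };

    /* A read-only walk (e.g. a read through /proc/self/mem) touches it. */
    follow_pmd(&pmd, FOLL_TOUCH, fixed_kernel);

    /* The writer retries with FOLL_FORCE|FOLL_COW. */
    return follow_pmd(&pmd, FOLL_WRITE | FOLL_TOUCH | FOLL_FORCE | FOLL_COW,
                      fixed_kernel);
}

/* Control: a forced write to a page that really was COW'd (its private copy
 * is writable) stays allowed after the fix, so ptrace-style writes keep
 * working. */
bool cow_copy_write_allowed(bool fixed_kernel)
{
    pmd_t pmd = { .write = true, .dirty = true, .young = true };
    return follow_pmd(&pmd, FOLL_WRITE | FOLL_TOUCH | FOLL_FORCE | FOLL_COW,
                      fixed_kernel);
}

int main(void)
{
    printf("vulnerable kernel: forced write to huge zero page allowed = %d\n",
           huge_zero_page_write_allowed(false));
    printf("fixed kernel:      forced write to huge zero page allowed = %d\n",
           huge_zero_page_write_allowed(true));
    printf("fixed kernel:      forced write to a COW'd private copy   = %d\n",
           cow_copy_write_allowed(true));
    return 0;
}
```

The model makes the severity note in the description concrete: the only thing the bug buys is a write to a read-only huge page that was never copied, which is why a regular file (never THP-mapped) is out of reach while the huge zero page and sealed shmem mappings are not.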
Affected
14 distinct ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | linux | < 4.14.2-1 (bookworm) | 4.14.2-1 (bookworm) |
| linux | linux_kernel | >= 0 < 4.14.2-1 | 4.14.2-1 |
| linux | linux_kernel | >= 0 < 3.13.0-137.186 | 3.13.0-137.186 |
| linux | linux_kernel | >= 0 < 4.4.0-104.127 | 4.4.0-104.127 |
| linux | linux_kernel | >= 0 < 4.4.0-103.126 | 4.4.0-103.126 |
| linux | linux_kernel | >= 3.2.87 < 3.3 | 3.3 (no fixed release recorded in the 3.2 series) |
| linux | linux_kernel | >= 3.10.106 < 3.11 | 3.11 (none recorded in the 3.10 series) |
| linux | linux_kernel | >= 3.12.73 < 3.13 | 3.13 (none recorded in the 3.12 series) |
| linux | linux_kernel | >= 3.16.42 < 3.16.52 | 3.16.52 |
| linux | linux_kernel | >= 3.18.55 < 3.18.86 | 3.18.86 |
| linux | linux_kernel | >= 4.1.41 < 4.1.48 | 4.1.48 |
| linux | linux_kernel | >= 4.4.70 < 4.4.104 | 4.4.104 |
| linux | linux_kernel | >= 4.9.7 < 4.9.67 | 4.9.67 |
| linux | linux_kernel | >= 4.10 < 4.14.4 | 4.14.4 |

Reading the table: rows whose "fixed in" value has a Debian/Ubuntu package-version shape (4.14.2-1, 3.13.0-137.186, 4.4.0-10x.12x) are distribution package versions, not upstream releases, so compare them against the installed linux-image package, not against `uname -r`. The upstream rows start at the stable release that backported the THP follow-up to the Dirty COW (CVE-2016-5195) fix, i.e. the release that introduced the can_follow_write_pmd() check the description refers to; the Red Hat Bugzilla entry below describes this CVE as a flaw in those patches. For the 3.2, 3.10 and 3.12 series the "fixed in" column simply names the next series, meaning no fixed release is recorded within them.
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.0 | HIGH | CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 6.9 | MEDIUM | AV:L/AC:M/Au:N/C:C/I:C/A:C |
| osv | | 7.0 | HIGH | |
| vendor_debian | | 7.0 | HIGH | |
| vendor_redhat | | 7.0 | HIGH | |
| vendor_ubuntu | | 7.0 | HIGH | |
Ubuntu · Linux kernel regression
vendor_ubuntu · 2017-12-15 · CVSS 7.0 [HIGH]
Summary: USN-3509-1 introduced a regression in the Linux kernel for Ubuntu 16.04 LTS.
USN-3509-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. Unfortunately, it also introduced a regression that prevented the Ceph network filesystem from being used. This update fixes the problem. We apologize for the inconvenience.
Original advisory details:
Mohamed Ghannam discovered that a use-after-free vulnerability existed in the Netlink subsystem (XFRM) in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16939)
It was discovered that the Linux kernel did not properly handle copy-on-write of transparent huge pages. A local attacker could use this to cause a denial of service (application crashes) or possibly gain administrative privileges. (CVE-2017-1000405)
Ubuntu · Linux kernel (Xenial HWE) regression
vendor_ubuntu · 2017-12-15 · CVSS 7.0 [HIGH]
Summary: USN-3509-2 introduced a regression in the Linux HWE kernel for Ubuntu 14.04 LTS.
USN-3509-2 fixed vulnerabilities in the Linux Hardware Enablement kernel for Ubuntu 14.04 LTS. Unfortunately, it also introduced a regression that prevented the Ceph network filesystem from being used. This update fixes the problem. We apologize for the inconvenience.
Original advisory details:
Mohamed Ghannam discovered that a use-after-free vulnerability existed in the Netlink subsystem (XFRM) in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16939)
It was discovered that the Linux kernel did not properly handle copy-on-write of transparent huge pages. A local attacker could use this to cause a denial of service (application crashes) or possibly gain administrative privileges. (CVE-2017-1000405)
Ubuntu · Linux kernel (GCP) vulnerabilities
vendor_ubuntu · 2017-12-08 · CVSS 7.0 [HIGH]
Summary: Several security issues were fixed in the Linux kernel.
Mohamed Ghannam discovered that a use-after-free vulnerability existed in the Netlink subsystem (XFRM) in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16939)
It was discovered that the Linux kernel did not properly handle copy-on-write of transparent huge pages. A local attacker could use this to cause a denial of service (application crashes) or possibly gain administrative privileges. (CVE-2017-1000405)
Fan Wu, Haoran Qiu, and Shixiong Zhao discovered that the associative array implementation in the Linux kernel sometimes did not properly handle adding a new entry. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-12193)
Ubuntu · Linux kernel vulnerabilities
vendor_ubuntu · 2017-12-08 · CVSS 7.0 [HIGH]
Summary: Several security issues were fixed in the Linux kernel.
Mohamed Ghannam discovered that a use-after-free vulnerability existed in the Netlink subsystem (XFRM) in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16939)
It was discovered that the Linux kernel did not properly handle copy-on-write of transparent huge pages. A local attacker could use this to cause a denial of service (application crashes) or possibly gain administrative privileges. (CVE-2017-1000405)
Instructions: After a standard system update you need to reboot your computer to make all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have been giv
Ubuntu · Linux kernel (Azure) vulnerabilities
vendor_ubuntu · 2017-12-08 · CVSS 7.0 [HIGH]
Summary: Several security issues were fixed in the Linux kernel.
Mohamed Ghannam discovered that a use-after-free vulnerability existed in the Netlink subsystem (XFRM) in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16939)
It was discovered that the Linux kernel did not properly handle copy-on-write of transparent huge pages. A local attacker could use this to cause a denial of service (application crashes) or possibly gain administrative privileges. (CVE-2017-1000405)
Instructions: After a standard system update you need to reboot your computer to make all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
Ubuntu · Linux kernel (Trusty HWE) vulnerabilities
vendor_ubuntu · 2017-12-08 · CVSS 7.0 [HIGH]
Summary: Several security issues were fixed in the Linux kernel.
USN-3510-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu 12.04 ESM.
Mohamed Ghannam discovered that a use-after-free vulnerability existed in the Netlink subsystem (XFRM) in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16939)
It was discovered that the Linux kernel did not properly handle copy-on-write of transparent huge pages. A local attacker could use this to cause a denial of service (application crashes) or possibly gain administrative privileges. (CVE-2017-1000405)
Ubuntu · Linux kernel (HWE) vulnerabilities
vendor_ubuntu · 2017-12-07 · CVSS 7.0 [HIGH]
Summary: Several security issues were fixed in the Linux kernel.
USN-3508-1 fixed vulnerabilities in the Linux kernel for Ubuntu 17.04. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 17.04 for Ubuntu 16.04 LTS.
Mohamed Ghannam discovered that a use-after-free vulnerability existed in the Netlink subsystem (XFRM) in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16939)
It was discovered that the Linux kernel did not properly handle copy-on-write of transparent huge pages. A local attacker could use this to cause a denial of service (application crashes) or possibly gain administrative privileges. (CVE-2017-1000405)
Ubuntu · Linux kernel (Xenial HWE) vulnerabilities
vendor_ubuntu · 2017-12-07 · CVSS 7.0 [HIGH]
Summary: Several security issues were fixed in the Linux kernel.
USN-3509-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04 LTS. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu 14.04 LTS.
Mohamed Ghannam discovered that a use-after-free vulnerability existed in the Netlink subsystem (XFRM) in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16939)
It was discovered that the Linux kernel did not properly handle copy-on-write of transparent huge pages. A local attacker could use this to cause a denial of service (application crashes) or possibly gain administrative privileges. (CVE-2017-1000405)
Ubuntu · Linux kernel vulnerabilities
vendor_ubuntu · 2017-12-07 · CVSS 7.0 [HIGH]
Summary: Several security issues were fixed in the Linux kernel.
Mohamed Ghannam discovered that a use-after-free vulnerability existed in the Netlink subsystem (XFRM) in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16939)
It was discovered that the Linux kernel did not properly handle copy-on-write of transparent huge pages. A local attacker could use this to cause a denial of service (application crashes) or possibly gain administrative privileges. (CVE-2017-1000405)
Fan Wu, Haoran Qiu, and Shixiong Zhao discovered that the associative array implementation in the Linux kernel sometimes did not properly handle adding a new entry. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-12193)
Ubuntu · Linux kernel vulnerabilities
vendor_ubuntu · 2017-12-07 · CVSS 7.0 [HIGH]
Summary: Several security issues were fixed in the Linux kernel.
Mohamed Ghannam discovered that a use-after-free vulnerability existed in the Netlink subsystem (XFRM) in the Linux kernel. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-16939)
It was discovered that the Linux kernel did not properly handle copy-on-write of transparent huge pages. A local attacker could use this to cause a denial of service (application crashes) or possibly gain administrative privileges. (CVE-2017-1000405)
Yonggang Guo discovered that a race condition existed in the driver subsystem in the Linux kernel. A local attacker could use this to possibly gain administrative privileges. (CVE-2017-12146)
Red Hat · kernel: pmd can become dirty without going through a COW cycle
vendor_redhat · 2017-11-30 · CVSS 7.0 [HIGH] · CWE-362
Description: identical to the upstream CVE text above.
Debian · CVE-2017-1000405: linux
vendor_debian · 2017 · CVSS 7.0 [HIGH]
Description: identical to the upstream CVE text above.
Scope: local
GHSA · GHSA-c6vh-7mwq-c4gc
ghsa_unreviewed · 2022-05-14 · [HIGH] · CWE-362
Description: identical to the upstream CVE text above.
OSV · linux-lts-xenial, linux-aws regression
osv · 2017-12-15 · CVSS 7.0 [HIGH]
Body: the USN-3509-2 regression text, as in the Ubuntu entry "Linux kernel (Xenial HWE) regression" above (Ceph regression fix; original advisory covered CVE-2017-16939 and CVE-2017-1000405).
OSV · linux, linux-aws, linux-kvm, linux-raspi2 regression
osv · 2017-12-15 · CVSS 7.0 [HIGH]
Body: the USN-3509-1 regression text, as in the Ubuntu entry "Linux kernel regression" above (Ceph regression fix; original advisory covered CVE-2017-16939 and CVE-2017-1000405).
OSV · linux-azure vulnerabilities
osv · 2017-12-08 · CVSS 7.0 [HIGH]
Body: the text of the Ubuntu entry "Linux kernel (Azure) vulnerabilities" (2017-12-08) above. The OSV record is keyed on CVE-2017-16939 and also lists CVE-2017-1000405.
OSV · linux-gcp vulnerabilities
osv · 2017-12-08 · CVSS 7.0 [HIGH]
Body: the text of the Ubuntu entry "Linux kernel (GCP) vulnerabilities" (2017-12-08) above. The OSV record is keyed on CVE-2017-16939 and also lists CVE-2017-1000405 and CVE-2017-12193.
OSV · linux vulnerabilities
osv · 2017-12-08 · CVSS 7.0 [HIGH]
Body: the text of the Ubuntu entry "Linux kernel vulnerabilities" (2017-12-08) above. The OSV record is keyed on CVE-2017-16939 and also lists CVE-2017-1000405.
OSV · linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities
osv · 2017-12-07 · CVSS 7.0 [HIGH]
Body: the text of the Ubuntu entry "Linux kernel vulnerabilities" (2017-12-07, the one listing CVE-2017-12193) above. The OSV record is keyed on CVE-2017-16939 and also lists CVE-2017-1000405.
OSV · linux-hwe vulnerabilities
osv · 2017-12-07 · CVSS 7.0 [HIGH]
Body: the USN-3508-1 HWE text, as in the Ubuntu entry "Linux kernel (HWE) vulnerabilities" above, followed by the Yonggang Guo driver-subsystem race (CVE-2017-12146) listed in the Ubuntu "Linux kernel vulnerabilities" entry of the same date. The OSV record is keyed on CVE-2017-16939 and also lists CVE-2017-1000405.
OSV · linux-lts-xenial, linux-aws vulnerabilities
osv · 2017-12-07 · CVSS 7.0 [HIGH]
Body: the USN-3509-1 HWE text, as in the Ubuntu entry "Linux kernel (Xenial HWE) vulnerabilities" above, followed by the CVE-2017-12193 associative-array item (CVE-2017-16939, CVE-2017-1000405 and CVE-2017-12193).
OSV · CVE-2017-1000405
osv · 2017-11-30 · CVSS 7.0 [HIGH]
Description: identical to the upstream CVE text above.
No detection rules found.
Exploit-DB · Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page (2)
exploitdb · 2017-12-11 · CVE-2017-1000405
---
/*
 * The code is modified from https://www.exploit-db.com/exploits/43199/
 */
#define _GNU_SOURCE
/* The header names were lost when this listing was extracted (the angle
 * brackets were eaten); the set below is a reconstruction covering the
 * calls visible in the fragment: lseek/write and off_t, pthreads, and the
 * mmap/madvise/memset a 2 MiB-region PoC needs. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <pthread.h>
#include <sys/types.h>
#include <sys/mman.h>
#define TRIES_PER_PAGE (20000000)
#define PAGE_SIZE (0x1000)
#define MEMESET_VAL (0x41)
#define MAP_SIZE (0x200000)
#define STRING "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
#define OFFSIZE ((sizeof(STRING)-1)/sizeof(char))
struct args {
    int fd;        /* /proc/self/mem-style descriptor written through */
    void *p;       /* the 2 MiB mapping */
    int stop;      /* number of write attempts */
    off_t off;     /* which OFFSIZE-sized slot to write */
    char *chp;     /* base address inside the mapping */
};
/* Writer thread: seeks to the target address in the fd and writes. The
 * comparison operator on the loop had been stripped by extraction. */
void *write_thread(struct args *arg) {
    for (int i = 0; i < arg->stop; i++) {
        lseek(arg->fd, (off_t)(arg->chp + arg->off*OFFSIZE), SEEK_SET);
        writ
Exploit-DB · Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page (1)
exploitdb · 2017-11-30 · CVE-2017-1000405
---
// EDB Note: Source ~ https://medium.com/bindecy/huge-dirty-cow-cve-2017-1000405-110eca132de0
// EDB Note: Source ~ https://github.com/bindecy/HugeDirtyCowPOC
// Author Note: Before running, make sure to set transparent huge pages to "always":
// `echo always | sudo tee /sys/kernel/mm/transparent_hugepage/enabled`
//
// The Huge Dirty Cow POC. This program overwrites the system's huge zero page.
// Compile with "gcc -pthread main.c"
//
// November 2017
// Bindecy
//
#define _GNU_SOURCE
// The header names were lost when this listing was extracted (the angle
// brackets were eaten); the set below is a reconstruction covering what the
// listing (2) fragment of this PoC family uses: stdio/stdlib/string, mmap and
// madvise, open/lseek/write, and pthreads.
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <pthread.h>
#include <sys/types.h>
#include <sys/mman.h>
#define MAP_BASE ((void *)0x4000000)
#define MAP_SIZE (0x200000)
#define MEMESET_VAL (0x41)
#define PAGE_SIZE (0x1000)
#define TRIES_PE
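The author note above makes the PoC's precondition explicit: transparent_hugepage/enabled must read "always", and the target page is the huge zero page, which the kernel only maps for read faults when the sibling knob use_zero_page is 1. The following C program is an added example, not part of the PoC or of this page: it parses the sysfs bracketed-selection format ("always [madvise] never"), reads both knobs live, and reports whether a host meets the PoC's stated precondition. The function names are this example's own and the sample lines used for testing are constructed; the two sysfs paths are the real ones.

```c
#include <stdio.h>
#include <string.h>

/* The knob the PoC note refers to, and the one that controls whether the
 * huge zero page (the PoC's target) is mapped at all. */
#define THP_ENABLED_PATH       "/sys/kernel/mm/transparent_hugepage/enabled"
#define THP_USE_ZERO_PAGE_PATH "/sys/kernel/mm/transparent_hugepage/use_zero_page"

/* Parses the sysfs selection format, e.g. "always [madvise] never": copies
 * the bracketed token into out (NUL-terminated). Returns 1 on success, 0 if
 * there is no well-formed, non-empty bracketed token or it does not fit. */
int thp_selected_mode(const char *line, char *out, size_t outlen)
{
    const char *open = strchr(line, '[');
    const char *close = open ? strchr(open + 1, ']') : NULL;
    if (!open || !close || close == open + 1)
        return 0;
    size_t n = (size_t)(close - open - 1);
    if (n >= outlen)
        return 0;
    memcpy(out, open + 1, n);
    out[n] = '\0';
    return 1;
}

/* 1 if the line selects "always" (the PoC's stated precondition), else 0. */
int thp_line_is_always(const char *line)
{
    char mode[32];
    return thp_selected_mode(line, mode, sizeof mode) == 1 &&
           strcmp(mode, "always") == 0;
}

/* Parses a 0/1 knob such as use_zero_page; -1 for anything else. */
int thp_flag_line(const char *line)
{
    if (line[0] == '1' && (line[1] == '\n' || line[1] == '\0')) return 1;
    if (line[0] == '0' && (line[1] == '\n' || line[1] == '\0')) return 0;
    return -1;
}

/* Reads the first line of a sysfs file; 1 on success, 0 if unreadable
 * (e.g. THP not compiled into this kernel or sysfs not mounted). */
static int read_first_line(const char *path, char *buf, size_t buflen)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return 0;
    int ok = fgets(buf, (int)buflen, f) != NULL;
    fclose(f);
    return ok;
}

/* Live check: 1 when enabled is "always" and use_zero_page is 1 (the PoC
 * precondition holds), 0 when either knob says otherwise, -1 when the
 * knobs cannot be read. */
int thp_poc_precondition(void)
{
    char line[128];
    if (!read_first_line(THP_ENABLED_PATH, line, sizeof line))
        return -1;
    int always = thp_line_is_always(line);
    if (!read_first_line(THP_USE_ZERO_PAGE_PATH, line, sizeof line))
        return -1;
    int zero = thp_flag_line(line);
    if (zero < 0)
        return -1;
    return always && zero;
}

int main(void)
{
    int r = thp_poc_precondition();
    if (r < 0)
        puts("transparent_hugepage knobs not readable (THP unavailable?)");
    else
        printf("THP enabled=always and use_zero_page=1: %s\n",
               r ? "yes (PoC precondition met)" : "no");
    return 0;
}
```

Note that "always" is what the PoC expects, not the whole attack surface: with "madvise" a process can still ask for THP on its own mappings, so treat this as a check of the published PoC's precondition rather than as proof a kernel is safe; the kernel version ranges above are the authoritative test.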
Bugzilla · CVE-2017-1000405 kernel: pmd can become dirty without going through a COW cycle [fedora-all]
bugzilla · 2017-11-30 · CVSS 7.0 [HIGH]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this issue affects multiple sup
Bugzilla · CVE-2017-1000405 kernel: pmd can become dirty without going through a COW cycle
bugzilla · 2017-11-22 · CVSS 7.0 [HIGH]
A flaw was found in the patches used to fix the 'dirtycow' vulnerability (CVE-2016-5195). The touch_pmd() function can be accessed by get_user_pages(). In this case, the pmd will become dirty without going through the Copy On Write cycle.
In the simplest example, a large page that is read-only can be modified, including page 0 of a process's virtual address space.
Upstream patch: https://github.com/torvalds/linux/commit/a8f97366452ed491d13cf1e44241bc0b5740b1f0
Vulnerability announcement: http://www.openwall.com/lists/oss-security/2017/11/30/1
Discussion:
Acknowledgments:
Name: Eylon Ben Yaakov, Daniel Shapiro
---
Statement:
From the initial flaw description released, this issue does not affect the Lin
References
- http://www.securityfocus.com/bid/102032
- http://www.securitytracker.com/id/1040020
- https://access.redhat.com/errata/RHSA-2018:0180
- https://medium.com/bindecy/huge-dirty-cow-cve-2017-1000405-110eca132de0
- https://source.android.com/security/bulletin/pixel/2018-02-01
- https://www.exploit-db.com/exploits/43199/