oss-sec mailing list archives
Re: CVE-2022-2590: Linux kernel: Modifying shmem/tmpfs files without write permissions
From: Solar Designer <solar () openwall com>
Date: Mon, 8 Aug 2022 12:00:42 +0200
On Mon, Aug 08, 2022 at 09:18:27AM +0200, David Hildenbrand wrote:
> I found a security issue (CVE-2022-2590) in the Linux kernel similar to Dirty COW (CVE-2016-5195), however, restricted to shared memory (shmem / tmpfs). I notified distributions one week ago and the embargo ended today.
>
> An unprivileged user can modify file content of a shmem (tmpfs) file, even if that user does not have write permissions to the file. The file could be an executable.
>
> The introducing upstream commit ID is:
>   9ae0f87d009c ("mm/shmem: unconditionally set pte dirty in mfill_atomic_install_pte")
>
> Linux >= v5.16 is affected on x86-64 and aarch64 if the kernel is compiled with CONFIG_USERFAULTFD=y.
>
> For Linux < v5.19 it's sufficient to revert the problematic commit, which is possible with minor contextual conflicts.
>
> For Linux >= v5.19 I'll send a proposal fix today.

Thanks, David! Apparently, your proposed fix for Linux >= v5.19 is this, as you posted to linux-kernel and linux-mm:

[PATCH v1] mm/gup: fix FOLL_FORCE COW security issue and remove FOLL_COW
https://lists.openwall.net/linux-kernel/2022/08/08/418
https://lore.kernel.org/linux-mm/20220808073232.8808-1-david () redhat com/

(two links to the same message)

> I have a working reproducer that I will post as reply to this mail in one week (August 15).
Alexander
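
The affected-system criteria quoted above (Linux >= v5.16, x86-64 or aarch64, CONFIG_USERFAULTFD=y) can be checked on a host with a short script. This is an added example, not part of the original message or the kernel project; the function names, verdict strings and config file locations are assumptions made for illustration, and a match only means the host meets the stated criteria, not that its kernel lacks the revert or the fix.

```shell
#!/bin/sh
# Added example: checks a host against the criteria stated in the advisory
# (Linux >= v5.16, x86-64 or aarch64, CONFIG_USERFAULTFD=y). A match does not
# prove the kernel is unpatched; distribution kernels may carry the fix.

# kernel_in_range RELEASE: 0 if >= 5.16, 1 if older, 2 if unparsable.
kernel_in_range() {
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%[!0-9]*}
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    case "$minor" in '') return 2 ;; esac
    [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 16 ]; }
}

# arch_affected MACHINE: uname -m spellings of the two named architectures.
arch_affected() {
    case "$1" in x86_64|aarch64) return 0 ;; *) return 1 ;; esac
}

# uffd_state FILE: prints y, n or unknown for CONFIG_USERFAULTFD.
uffd_state() {
    [ -r "$1" ] || { echo unknown; return 0; }
    case "$1" in *.gz) reader="gzip -dc" ;; *) reader=cat ;; esac
    if $reader "$1" 2>/dev/null | grep -q '^CONFIG_USERFAULTFD=y$'
    then echo y; else echo n; fi
}

# assess RELEASE MACHINE CONFIG_FILE: prints a one-word verdict.
assess() {
    rc=0; kernel_in_range "$1" || rc=$?
    case "$rc" in
        1) echo version-below-5.16; return 0 ;;
        2) echo version-unparsed; return 0 ;;
    esac
    arch_affected "$2" || { echo arch-not-listed; return 0; }
    case "$(uffd_state "$3")" in
        y) echo matches-advisory ;;
        n) echo userfaultfd-disabled ;;
        *) echo config-unknown ;;
    esac
}

# Live check; these config paths are common locations, not from the advisory.
cfg=/proc/config.gz
[ -r "$cfg" ] || cfg="/boot/config-$(uname -r)"
echo "CVE-2022-2590 criteria: $(assess "$(uname -r)" "$(uname -m)" "$cfg")"
```

A `matches-advisory` result should be followed by checking the distribution's changelog for CVE-2022-2590, since the version number alone does not show whether the revert or the fix has been applied.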