oss-sec mailing list archives
Re: CVE-2022-2590: Linux kernel: Modifying shmem/tmpfs files without write permissions
From: David Hildenbrand <david () redhat com>
Date: Mon, 15 Aug 2022 08:59:02 +0200
On 08.08.22 09:18, David Hildenbrand wrote:
Hi, I found a security issue (CVE-2022-2590) in the Linux kernel similar to Dirty COW (CVE-2016-5195), however, restricted to shared memory (shmem / tmpfs). I notified distributions one week ago and the embargo ended today. An unprivileged user can modify file content of a shmem (tmpfs) file, even if that user does not have write permissions to the file. The file could be an executable. The introducing upstream commit ID is: 9ae0f87d009c ("mm/shmem: unconditionally set pte dirty in mfill_atomic_install_pte") Linux >= v5.16 is affected on x86-64 and aarch64 if the kernel is compiled with CONFIG_USERFAULTFD=y. For Linux < v5.19 it's sufficient to revert the problematic commit, which is possible with minor contextual conflicts. For Linux >= v5.19 I'll send a proposal fix today. I have a working reproducer that I will post as reply to this mail in one week (August 15).
Hi, attached is the reproducer. When run without arguments, it will test with a memfd that is sealed for writes. upstream, 5.18-stable and 5.19-stable are still to be fixed. The fix is on its way upstream and us already in -next, so I suppose it should all be fixed fairly soonish. -- Thanks, David / dhildenb
Attachment:
reproducer.c
Description:
Current thread:
- CVE-2022-2590: Linux kernel: Modifying shmem/tmpfs files without write permissions David Hildenbrand (Aug 08)
- Re: CVE-2022-2590: Linux kernel: Modifying shmem/tmpfs files without write permissions Solar Designer (Aug 08)
- Re: CVE-2022-2590: Linux kernel: Modifying shmem/tmpfs files without write permissions David Hildenbrand (Aug 08)
- Re: CVE-2022-2590: Linux kernel: Modifying shmem/tmpfs files without write permissions Demi Marie Obenour (Aug 08)
- Re: CVE-2022-2590: Linux kernel: Modifying shmem/tmpfs files without write permissions David Hildenbrand (Aug 09)
- Re: CVE-2022-2590: Linux kernel: Modifying shmem/tmpfs files without write permissions David Hildenbrand (Aug 15)