Re: CVE-2022-2590: Linux kernel: Modifying shmem/tmpfs files without write permissions

[David Hildenbrand <david () redhat com>]

On 08.08.22 09:18, David Hildenbrand wrote:
> Hi,
>
> I found a security issue (CVE-2022-2590) in the Linux kernel similar to
> Dirty COW (CVE-2016-5195), however, restricted to shared memory (shmem /
> tmpfs). I notified distributions one week ago and the embargo ended today.
>
> An unprivileged user can modify file content of a shmem (tmpfs) file,
> even if that user does not have write permissions to the file. The file
> could be an executable.
>
> The introducing upstream commit ID is:
>   9ae0f87d009c ("mm/shmem: unconditionally set pte dirty in
>   mfill_atomic_install_pte")
>
> Linux >= v5.16 is affected on x86-64 and aarch64 if the kernel is
> compiled with CONFIG_USERFAULTFD=y. For Linux < v5.19 it's sufficient to
> revert the problematic commit, which is possible with minor contextual
> conflicts. For Linux >= v5.19 I'll send a proposal fix today.
>
> I have a working reproducer that I will post as reply to this mail in
> one week (August 15).

Hi,

attached is the reproducer. When run without arguments, it will test
with a memfd that is sealed for writes.

upstream, 5.18-stable and 5.19-stable are still to be fixed. The fix is
on its way upstream and us already in -next, so I suppose it should all
be fixed fairly soonish.

-- 
Thanks,

David / dhildenb

Attachment: reproducer.c
Description: