oss-sec mailing list archives
CVE-2022-2590: Linux kernel: Modifying shmem/tmpfs files without write permissions
From: David Hildenbrand <david () redhat com>
Date: Mon, 8 Aug 2022 09:18:27 +0200
Hi,
I found a security issue (CVE-2022-2590) in the Linux kernel similar to
Dirty COW (CVE-2016-5195), however, restricted to shared memory (shmem /
tmpfs). I notified distributions one week ago and the embargo ended today.
An unprivileged user can modify file content of a shmem (tmpfs) file,
even if that user does not have write permissions to the file. The file
could be an executable.
The introducing upstream commit ID is:
9ae0f87d009c ("mm/shmem: unconditionally set pte dirty in mfill_atomic_install_pte")
Linux >= v5.16 is affected on x86-64 and aarch64 if the kernel is
compiled with CONFIG_USERFAULTFD=y. For Linux < v5.19 it's sufficient to
revert the problematic commit, which is possible with minor contextual
conflicts. For Linux >= v5.19 I'll send a proposed fix today.
I have a working reproducer that I will post as a reply to this mail in
one week (August 15).
--
Thanks,
David / dhildenb
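As an added exposure check that is not part of David's mail: POSIX shell functions that apply the conditions stated above (kernel >= v5.16, x86-64 or aarch64, CONFIG_USERFAULTFD=y) to a kernel release string, architecture and kernel config. The config locations /proc/config.gz and /boot/config-$(uname -r) are assumed, as is the tooling (zcat, uname).

```shell
#!/bin/sh
# Exposure check for CVE-2022-2590, written as an illustration (not the
# advisory author's code). Assumes /proc/config.gz or /boot/config-<release>
# holds the running kernel's configuration.

# version_ge RELEASE MIN: true if RELEASE's major.minor >= MIN's major.minor.
# Distro suffixes such as "-generic" or "-rc1" are stripped before comparing.
version_ge() {
    a_major=${1%%.*}; a_rest=${1#*.}; a_minor=${a_rest%%.*}; a_minor=${a_minor%%[!0-9]*}
    b_major=${2%%.*}; b_rest=${2#*.}; b_minor=${b_rest%%.*}; b_minor=${b_minor%%[!0-9]*}
    [ "$a_major" -gt "$b_major" ] ||
        { [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -ge "$b_minor" ]; }
}

# assess RELEASE ARCH CONFIG_TEXT
# Prints "affected", "not-affected" or "unknown-config" (config unavailable).
assess() {
    release="$1"; arch="$2"; config="$3"
    case "$arch" in
        x86_64|aarch64) ;;                      # advisory names only these
        *) echo "not-affected"; return ;;
    esac
    if ! version_ge "$release" "5.16"; then     # introducing commit is in v5.16
        echo "not-affected"; return
    fi
    if [ -z "$config" ]; then
        echo "unknown-config"; return
    fi
    if printf '%s\n' "$config" | grep -qx 'CONFIG_USERFAULTFD=y'; then
        echo "affected"
    else
        echo "not-affected"                     # userfaultfd compiled out
    fi
}

# Read the running kernel's config from the usual locations (assumed paths).
running_config() {
    if [ -r /proc/config.gz ]; then
        zcat /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        cat "/boot/config-$(uname -r)"
    fi
}

echo "running kernel: $(assess "$(uname -r)" "$(uname -m)" "$(running_config)")"
```

A version check cannot see a backported revert of 9ae0f87d009c or the later upstream fix, so "affected" means "possibly affected" until the distribution's patch status is confirmed.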