oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: CVE-2022-2590: Linux kernel: Modifying shmem/tmpfs files without write permissions

From: Solar Designer <solar () openwall com>
Date: Mon, 8 Aug 2022 12:00:42 +0200
On Mon, Aug 08, 2022 at 09:18:27AM +0200, David Hildenbrand wrote:

I found a security issue (CVE-2022-2590) in the Linux kernel similar to
Dirty COW (CVE-2016-5195), however, restricted to shared memory (shmem /
tmpfs). I notified distributions one week ago and the embargo ended today.

An unprivileged user can modify file content of a shmem (tmpfs) file,
even if that user does not have write permissions to the file. The file
could be an executable.

The introducing upstream commit ID is:
  9ae0f87d009c ("mm/shmem: unconditionally set pte dirty in
  mfill_atomic_install_pte")

Linux >= v5.16 is affected on x86-64 and aarch64 if the kernel is
compiled with CONFIG_USERFAULTFD=y. For Linux < v5.19 it's sufficient to
revert the problematic commit, which is possible with minor contextual
conflicts. For Linux >= v5.19 I'll send a proposal fix today.


Thanks, David!

Apparently, your proposed fix for Linux >= v5.19 is this, as you posted
to linux-kernel and linux-mm:

[PATCH v1] mm/gup: fix FOLL_FORCE COW security issue and remove FOLL_COW
https://lists.openwall.net/linux-kernel/2022/08/08/418
https://lore.kernel.org/linux-mm/20220808073232.8808-1-david () redhat com/
(two links to the same message)


I have a working reproducer that I will post as reply to this mail in
one week (August 15).


Alexander
Previous By Date Next
Previous By Thread Next

Current thread: