cnvd - cnvd-2017-36468

cnvd-2017-36468

Vulnerability from cnvd

Title: Linux Kernel本地竞争条件漏洞

Description:

Linux kernel是美国Linux基金会发布的开源操作系统Linux所使用的内核。

Linux Kernel 2.6.38版本至4.14版本中的THP实现的‘touch_pmd()’函数存在本地竞争条件漏洞，该漏洞源于程序未能正确的使用‘pmd_mkdirty()’函数。攻击者可利用该漏洞覆盖只读权限的大页。

Severity: 低

Patch Name: Linux Kernel本地竞争条件漏洞的补丁

Patch Description:

Linux kernel是美国Linux基金会发布的开源操作系统Linux所使用的内核。

Linux Kernel 2.6.38版本至4.14版本中的THP实现的‘touch_pmd()’函数存在本地竞争条件漏洞，该漏洞源于程序未能正确的使用‘pmd_mkdirty()’函数。攻击者可利用该漏洞覆盖只读权限的大页。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description:

目前厂商已发布升级补丁以修复漏洞，补丁获取链接： https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a8f97366452ed491d13cf1e44241bc0b5740b1f0

Reference: https://medium.com/bindecy/huge-dirty-cow-cve-2017-1000405-110eca132de0

Impacted products

Name
Linux kernel >=2.6.38，<=4.14

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "102032"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-1000405"
    }
  },
  "description": "Linux kernel\u662f\u7f8e\u56fdLinux\u57fa\u91d1\u4f1a\u53d1\u5e03\u7684\u5f00\u6e90\u64cd\u4f5c\u7cfb\u7edfLinux\u6240\u4f7f\u7528\u7684\u5185\u6838\u3002\r\n\r\nLinux Kernel 2.6.38\u7248\u672c\u81f34.14\u7248\u672c\u4e2d\u7684THP\u5b9e\u73b0\u7684\u2018touch_pmd()\u2019\u51fd\u6570\u5b58\u5728\u672c\u5730\u7ade\u4e89\u6761\u4ef6\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u672a\u80fd\u6b63\u786e\u7684\u4f7f\u7528\u2018pmd_mkdirty()\u2019\u51fd\u6570\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8986\u76d6\u53ea\u8bfb\u6743\u9650\u7684\u5927\u9875\u3002",
  "discovererName": "Eylon Ben Yaakov and Daniel Shapiro.",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a8f97366452ed491d13cf1e44241bc0b5740b1f0",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2017-36468",
  "openTime": "2017-12-07",
  "patchDescription": "Linux kernel\u662f\u7f8e\u56fdLinux\u57fa\u91d1\u4f1a\u53d1\u5e03\u7684\u5f00\u6e90\u64cd\u4f5c\u7cfb\u7edfLinux\u6240\u4f7f\u7528\u7684\u5185\u6838\u3002\r\n\r\nLinux Kernel 2.6.38\u7248\u672c\u81f34.14\u7248\u672c\u4e2d\u7684THP\u5b9e\u73b0\u7684\u2018touch_pmd()\u2019\u51fd\u6570\u5b58\u5728\u672c\u5730\u7ade\u4e89\u6761\u4ef6\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u672a\u80fd\u6b63\u786e\u7684\u4f7f\u7528\u2018pmd_mkdirty()\u2019\u51fd\u6570\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u8986\u76d6\u53ea\u8bfb\u6743\u9650\u7684\u5927\u9875\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Linux Kernel\u672c\u5730\u7ade\u4e89\u6761\u4ef6\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": "Linux kernel \u003e=2.6.38\uff0c\u003c=4.14"
  },
  "referenceLink": "https://medium.com/bindecy/huge-dirty-cow-cve-2017-1000405-110eca132de0",
  "serverity": "\u4f4e",
  "submitTime": "2017-12-04",
  "title": "Linux Kernel\u672c\u5730\u7ade\u4e89\u6761\u4ef6\u6f0f\u6d1e"
}

CVE-2017-1000405 (GCVE-0-2017-1000405)

Vulnerability from cvelistv5

Published

2017-11-30 22:00

Modified

2024-08-05 22:00

Severity ?

CWE

Summary

The Linux Kernel versions 2.6.38 through 4.14 have a problematic use of pmd_mkdirty() in the touch_pmd() function inside the THP implementation. touch_pmd() can be reached by get_user_pages(). In such case, the pmd will become dirty. This scenario breaks the new can_follow_write_pmd()'s logic - pmd can become dirty without going through a COW cycle. This bug is not as severe as the original "Dirty cow" because an ext4 file (or any other regular file) cannot be mapped using THP. Nevertheless, it does allow us to overwrite read-only huge pages. For example, the zero huge page and sealed shmem files can be overwritten (since their mapping can be populated using THP). Note that after the first write page-fault to the zero page, it will be replaced with a new fresh (and zeroed) thp.

References

▼	URL	Tags
	http://www.securityfocus.com/bid/102032	vdb-entry, x_refsource_BID
	https://access.redhat.com/errata/RHSA-2018:0180	vendor-advisory, x_refsource_REDHAT
	https://medium.com/bindecy/huge-dirty-cow-cve-2017-1000405-110eca132de0	x_refsource_MISC
	https://source.android.com/security/bulletin/pixel/2018-02-01	x_refsource_CONFIRM
	http://www.securitytracker.com/id/1040020	vdb-entry, x_refsource_SECTRACK
	https://www.exploit-db.com/exploits/43199/	exploit, x_refsource_EXPLOIT-DB

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T22:00:40.830Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "102032",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/102032"
          },
          {
            "name": "RHSA-2018:0180",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2018:0180"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://medium.com/bindecy/huge-dirty-cow-cve-2017-1000405-110eca132de0"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://source.android.com/security/bulletin/pixel/2018-02-01"
          },
          {
            "name": "1040020",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id/1040020"
          },
          {
            "name": "43199",
            "tags": [
              "exploit",
              "x_refsource_EXPLOIT-DB",
              "x_transferred"
            ],
            "url": "https://www.exploit-db.com/exploits/43199/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "dateAssigned": "2017-11-22T00:00:00",
      "datePublic": "2017-11-27T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The Linux Kernel versions 2.6.38 through 4.14 have a problematic use of pmd_mkdirty() in the touch_pmd() function inside the THP implementation. touch_pmd() can be reached by get_user_pages(). In such case, the pmd will become dirty. This scenario breaks the new can_follow_write_pmd()\u0027s logic - pmd can become dirty without going through a COW cycle. This bug is not as severe as the original \"Dirty cow\" because an ext4 file (or any other regular file) cannot be mapped using THP. Nevertheless, it does allow us to overwrite read-only huge pages. For example, the zero huge page and sealed shmem files can be overwritten (since their mapping can be populated using THP). Note that after the first write page-fault to the zero page, it will be replaced with a new fresh (and zeroed) thp."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-02-12T18:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "102032",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/102032"
        },
        {
          "name": "RHSA-2018:0180",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2018:0180"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://medium.com/bindecy/huge-dirty-cow-cve-2017-1000405-110eca132de0"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://source.android.com/security/bulletin/pixel/2018-02-01"
        },
        {
          "name": "1040020",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id/1040020"
        },
        {
          "name": "43199",
          "tags": [
            "exploit",
            "x_refsource_EXPLOIT-DB"
          ],
          "url": "https://www.exploit-db.com/exploits/43199/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "DATE_ASSIGNED": "2017-11-22",
          "ID": "CVE-2017-1000405",
          "REQUESTER": "contact@bindecy.com",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The Linux Kernel versions 2.6.38 through 4.14 have a problematic use of pmd_mkdirty() in the touch_pmd() function inside the THP implementation. touch_pmd() can be reached by get_user_pages(). In such case, the pmd will become dirty. This scenario breaks the new can_follow_write_pmd()\u0027s logic - pmd can become dirty without going through a COW cycle. This bug is not as severe as the original \"Dirty cow\" because an ext4 file (or any other regular file) cannot be mapped using THP. Nevertheless, it does allow us to overwrite read-only huge pages. For example, the zero huge page and sealed shmem files can be overwritten (since their mapping can be populated using THP). Note that after the first write page-fault to the zero page, it will be replaced with a new fresh (and zeroed) thp."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "102032",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/102032"
            },
            {
              "name": "RHSA-2018:0180",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2018:0180"
            },
            {
              "name": "https://medium.com/bindecy/huge-dirty-cow-cve-2017-1000405-110eca132de0",
              "refsource": "MISC",
              "url": "https://medium.com/bindecy/huge-dirty-cow-cve-2017-1000405-110eca132de0"
            },
            {
              "name": "https://source.android.com/security/bulletin/pixel/2018-02-01",
              "refsource": "CONFIRM",
              "url": "https://source.android.com/security/bulletin/pixel/2018-02-01"
            },
            {
              "name": "1040020",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id/1040020"
            },
            {
              "name": "43199",
              "refsource": "EXPLOIT-DB",
              "url": "https://www.exploit-db.com/exploits/43199/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2017-1000405",
    "datePublished": "2017-11-30T22:00:00",
    "dateReserved": "2017-11-29T00:00:00",
    "dateUpdated": "2024-08-05T22:00:40.830Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted