Linus Torvalds last week rushed a patch into the Linux kernel, after researchers discovered the patch for 2016's Dirty COW bug had a bug of its own.
Dirty COW is a privilege escalation vulnerability in Linux's “copy-on-write” mechanism, first documented in October 2016 and affecting both Linux and Android systems.
As The Register wrote at the time, the problem means “programs can set up a race condition to tamper with what should be a read-only root-owned executable mapped into memory. The changes are then committed to storage, allowing a non-privileged user to alter root-owned files and setuid executables – and at this point, it's game over.”
It was patched promptly, but last week, this post at the OSS-Sec mailing list explained the slip-up in the patch. Discovered by researchers from Bindecy, “Huge Dirty Cow” is discussed in detail here.
“In the 'Dirty COW' vulnerability patch (CVE-2016-5195), [...] was changed to take into account the new [...] flag (8310d48b125d 'mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW [...]

Bindecy's Eylon Ben Yaakov and Daniel Shapiro found a slip-up in the use of the [...] function, the post said.

What's that mean? The [...], “which makes writing on read-only transparent huge pages possible”, and from there Yaakov and Shapiro found ways to crash a variety of processes.
They've published their proof-of-concept here.
Android doesn't suffer from “HugeDirtyCow”. Red Hat Enterprise Linux is also safe. Many other *nixes do have the bug: “Every kernel version with THP support and the Dirty COW patch should be vulnerable (2.6.38 – 4.14)”, Yaakov and Shapiro wrote.
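A quick way for an administrator to act on that version range is to compare the running kernel's version string against it and record whether transparent huge pages are present at all. The script below is an added example written for this article; it is not code from Bindecy, the kernel, or the OSS-Sec post. It assumes `uname -r` output in the usual `MAJOR.MINOR.PATCH-suffix` form and the standard sysfs control file `/sys/kernel/mm/transparent_hugepage/enabled`. As the article notes for Red Hat Enterprise Linux, a version string alone is not conclusive, because distributions backport fixes without changing the upstream version, so the verdict is a prompt to check vendor advisories, not a final answer.

```shell
#!/bin/sh
# Added example (not the article's, Bindecy's or the kernel's code): report whether the
# running kernel's version falls in the 2.6.38 - 4.14 range quoted from Yaakov and
# Shapiro, and whether the kernel exposes THP support at all.

# version_in_range VERSION
# Returns 0 when 2.6.38 <= VERSION <= 4.14.x. Distro suffixes such as
# "-41-generic" or "-693.el7.x86_64" are stripped before comparison.
version_in_range() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
    maj=$(printf '%s' "$v" | cut -d. -f1)
    min=$(printf '%s' "$v" | cut -s -d. -f2)
    pat=$(printf '%s' "$v" | cut -s -d. -f3)
    # Pack the three components into one integer so a single numeric compare suffices.
    n=$(( ${maj:-0} * 1000000 + ${min:-0} * 1000 + ${pat:-0} ))
    low=$((  2 * 1000000 +  6 * 1000 +  38 ))   # 2.6.38
    high=$(( 4 * 1000000 + 14 * 1000 + 999 ))   # any 4.14.x
    [ "$n" -ge "$low" ] && [ "$n" -le "$high" ]
}

# thp_mode CONTENT
# Extracts the active mode from the sysfs format "always [madvise] never".
thp_mode() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([a-z]*\)\].*/\1/p'
}

# check_host
# Prints a one-line verdict for the running system using uname and sysfs.
check_host() {
    kver=$(uname -r)
    thp_file=/sys/kernel/mm/transparent_hugepage/enabled
    if [ -r "$thp_file" ]; then
        mode=$(thp_mode "$(cat "$thp_file")")
    else
        mode=none   # no sysfs control: THP is not built into this kernel
    fi
    if version_in_range "$kver" && [ "$mode" != none ]; then
        printf 'kernel %s (THP mode: %s): inside the quoted range with THP support, check vendor advisories\n' "$kver" "$mode"
    else
        printf 'kernel %s (THP mode: %s): outside the quoted range or no THP support\n' "$kver" "$mode"
    fi
}

case "${1:-}" in
    --check) check_host ;;
esac
```

Run it as `sh check-thp.sh --check` on the host in question. The functions are kept separate from the top-level invocation so the version parsing can be exercised against constructed strings without touching the live system.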
The kernel got its patch on November 27, before the bug was announced to the public. ®