CVE-2017-1000405
Description
The Linux Kernel versions 2.6.38 through 4.14 have a problematic use of pmd_mkdirty() in the touch_pmd() function inside the THP implementation. touch_pmd() can be reached by get_user_pages(). In such case, the pmd will become dirty. This scenario breaks the new can_follow_write_pmd()'s logic - pmd can become dirty without going through a COW cycle. This bug is not as severe as the original "Dirty cow" because an ext4 file (or any other regular file) cannot be mapped using THP. Nevertheless, it does allow us to overwrite read-only huge pages. For example, the zero huge page and sealed shmem files can be overwritten (since their mapping can be populated using THP). Note that after the first write page-fault to the zero page, it will be replaced with a new fresh (and zeroed) thp.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page (1)
Linux Kernel - 'The Huge Dirty Cow' Overwriting The Huge Zero Page (2)
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| sles | affected | | |
| debian | bookworm | fixed | 4.14.2-1 |
| debian | bullseye | fixed | 4.14.2-1 |
| debian | forky | fixed | 4.14.2-1 |
| debian | sid | fixed | 4.14.2-1 |
| debian | trixie | fixed | 4.14.2-1 |
| linux-kernel | affected | 3.3 |
References
- http://www.securityfocus.com/bid/102032
- http://www.securitytracker.com/id/1040020
- https://access.redhat.com/errata/RHSA-2018:0180
- https://medium.com/bindecy/huge-dirty-cow-cve-2017-1000405-110eca132de0
- https://source.android.com/security/bulletin/pixel/2018-02-01
- https://www.exploit-db.com/exploits/43199/
- https://www.suse.com/security/cve/CVE-2017-1000405.html
- https://security-tracker.debian.org/tracker/CVE-2017-1000405
CWEs
CWE-362
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.