CVE-2017-1000405
Published: 30 November 2017
The Linux Kernel versions 2.6.38 through 4.14 have a problematic use of pmd_mkdirty() in the touch_pmd() function inside the THP implementation. touch_pmd() can be reached by get_user_pages(). In such a case, the pmd will become dirty. This scenario breaks the new can_follow_write_pmd()'s logic: the pmd can become dirty without going through a COW cycle. This bug is not as severe as the original "Dirty COW" because an ext4 file (or any other regular file) cannot be mapped using THP. Nevertheless, it does allow us to overwrite read-only huge pages. For example, the zero huge page and sealed shmem files can be overwritten (since their mapping can be populated using THP). Note that after the first write page-fault to the zero page, it will be replaced with a new fresh (and zeroed) THP.
From the Ubuntu Security Team
It was discovered that the Linux kernel did not properly handle copy-on-write of transparent huge pages. A local attacker could use this to cause a denial of service (application crashes) or possibly gain administrative privileges.
Notes
Author | Note |
---|---|
smb | Added introducing commit as suggested by RH. We backported that into Trusty and later but not into Precise. |
Priority
Status
Package | Release | Status |
---|---|---|
linux | artful | Released (4.13.0-19.22) |
linux | precise | Not vulnerable |
linux | trusty | Released (3.13.0-137.186) |
linux | upstream | Released (4.15~rc2) |
linux | xenial | Released (4.4.0-103.126) |
linux | zesty | Released (4.10.0-42.46) |
linux | | Patches: Introduced by 8310d48b125d19fcd9521d83b8293e63eb1646aa |
linux-armadaxp | artful | Does not exist |
linux-armadaxp | precise | Does not exist |
linux-armadaxp | trusty | Does not exist |
linux-armadaxp | upstream | Released (4.15~rc2) |
linux-armadaxp | xenial | Does not exist |
linux-armadaxp | zesty | Does not exist |
linux-armadaxp | | This package is not directly supported by the Ubuntu Security Team |
linux-aws | artful | Does not exist |
linux-aws | precise | Does not exist |
linux-aws | trusty | Released (4.4.0-1005.5) |
linux-aws | upstream | Released (4.15~rc2) |
linux-aws | xenial | Released (4.4.0-1043.52) |
linux-aws | zesty | Does not exist |
linux-azure | artful | Does not exist |
linux-azure | precise | Does not exist |
linux-azure | trusty | Not vulnerable (4.15.0-1023.24~14.04.1) |
linux-azure | upstream | Released (4.15~rc2) |
linux-azure | xenial | Released (4.11.0-1016.16) |
linux-azure | zesty | Does not exist |
linux-euclid | artful | Does not exist |
linux-euclid | precise | Does not exist |
linux-euclid | trusty | Does not exist |
linux-euclid | upstream | Released (4.15~rc2) |
linux-euclid | xenial | Not vulnerable |
linux-euclid | zesty | Does not exist |
linux-flo | artful | Does not exist |
linux-flo | precise | Does not exist |
linux-flo | trusty | Does not exist (trusty was ignored [abandoned]) |
linux-flo | upstream | Released (4.15~rc2) |
linux-flo | xenial | Ignored (abandoned) |
linux-flo | zesty | Does not exist |
linux-gcp | artful | Does not exist |
linux-gcp | precise | Does not exist |
linux-gcp | trusty | Does not exist |
linux-gcp | upstream | Released (4.15~rc2) |
linux-gcp | xenial | Released (4.13.0-1002.5) |
linux-gcp | zesty | Does not exist |
linux-gke | artful | Does not exist |
linux-gke | precise | Does not exist |
linux-gke | trusty | Does not exist |
linux-gke | upstream | Released (4.15~rc2) |
linux-gke | xenial | Ignored (was pending now end-of-life) |
linux-gke | zesty | Does not exist |
linux-goldfish | artful | Does not exist |
linux-goldfish | precise | Does not exist |
linux-goldfish | trusty | Does not exist (trusty was ignored [abandoned]) |
linux-goldfish | upstream | Released (4.15~rc2) |
linux-goldfish | xenial | Not vulnerable |
linux-goldfish | zesty | Not vulnerable |
linux-grouper | artful | Does not exist |
linux-grouper | precise | Does not exist |
linux-grouper | trusty | Does not exist (trusty was ignored [abandoned]) |
linux-grouper | upstream | Released (4.15~rc2) |
linux-grouper | xenial | Does not exist |
linux-grouper | zesty | Does not exist |
linux-hwe | artful | Does not exist |
linux-hwe | precise | Does not exist |
linux-hwe | trusty | Does not exist |
linux-hwe | upstream | Released (4.15~rc2) |
linux-hwe | xenial | Released (4.10.0-42.46~16.04.1) |
linux-hwe | zesty | Does not exist |
linux-hwe-edge | artful | Does not exist |
linux-hwe-edge | precise | Does not exist |
linux-hwe-edge | trusty | Does not exist |
linux-hwe-edge | upstream | Released (4.15~rc2) |
linux-hwe-edge | xenial | Released (4.10.0-42.46~16.04.1) |
linux-hwe-edge | zesty | Does not exist |
linux-kvm | artful | Does not exist |
linux-kvm | precise | Does not exist |
linux-kvm | trusty | Does not exist |
linux-kvm | upstream | Released (4.15~rc2) |
linux-kvm | xenial | Released (4.4.0-1012.17) |
linux-kvm | zesty | Does not exist |
linux-linaro-omap | artful | Does not exist |
linux-linaro-omap | precise | Does not exist |
linux-linaro-omap | trusty | Does not exist |
linux-linaro-omap | upstream | Released (4.15~rc2) |
linux-linaro-omap | xenial | Does not exist |
linux-linaro-omap | zesty | Does not exist |
linux-linaro-shared | artful | Does not exist |
linux-linaro-shared | precise | Does not exist |
linux-linaro-shared | trusty | Does not exist |
linux-linaro-shared | upstream | Released (4.15~rc2) |
linux-linaro-shared | xenial | Does not exist |
linux-linaro-shared | zesty | Does not exist |
linux-linaro-vexpress | artful | Does not exist |
linux-linaro-vexpress | precise | Does not exist |
linux-linaro-vexpress | trusty | Does not exist |
linux-linaro-vexpress | upstream | Released (4.15~rc2) |
linux-linaro-vexpress | xenial | Does not exist |
linux-linaro-vexpress | zesty | Does not exist |
linux-lts-quantal | artful | Does not exist |
linux-lts-quantal | precise | Ignored (end-of-life) |
linux-lts-quantal | trusty | Does not exist |
linux-lts-quantal | upstream | Released (4.15~rc2) |
linux-lts-quantal | xenial | Does not exist |
linux-lts-quantal | zesty | Does not exist |
linux-lts-quantal | | This package is not directly supported by the Ubuntu Security Team |
linux-lts-raring | artful | Does not exist |
linux-lts-raring | precise | Ignored (end-of-life) |
linux-lts-raring | trusty | Does not exist |
linux-lts-raring | upstream | Released (4.15~rc2) |
linux-lts-raring | xenial | Does not exist |
linux-lts-raring | zesty | Does not exist |
linux-lts-saucy | artful | Does not exist |
linux-lts-saucy | precise | Ignored (end-of-life) |
linux-lts-saucy | trusty | Does not exist |
linux-lts-saucy | upstream | Released (4.15~rc2) |
linux-lts-saucy | xenial | Does not exist |
linux-lts-saucy | zesty | Does not exist |
linux-lts-saucy | | This package is not directly supported by the Ubuntu Security Team |
linux-lts-trusty | artful | Does not exist |
linux-lts-trusty | precise | Released (3.13.0-137.186~precise1) |
linux-lts-trusty | trusty | Does not exist |
linux-lts-trusty | upstream | Released (4.15~rc2) |
linux-lts-trusty | xenial | Does not exist |
linux-lts-trusty | zesty | Does not exist |
linux-lts-utopic | artful | Does not exist |
linux-lts-utopic | precise | Does not exist |
linux-lts-utopic | trusty | Does not exist (trusty was ignored [out of standard support]) |
linux-lts-utopic | upstream | Released (4.15~rc2) |
linux-lts-utopic | xenial | Does not exist |
linux-lts-utopic | zesty | Does not exist |
linux-lts-vivid | artful | Does not exist |
linux-lts-vivid | precise | Does not exist |
linux-lts-vivid | trusty | Does not exist (trusty was ignored [was needs-triage now end-of-life]) |
linux-lts-vivid | upstream | Released (4.15~rc2) |
linux-lts-vivid | xenial | Does not exist |
linux-lts-vivid | zesty | Does not exist |
linux-lts-wily | artful | Does not exist |
linux-lts-wily | precise | Does not exist |
linux-lts-wily | trusty | Does not exist (trusty was ignored [out of standard support]) |
linux-lts-wily | upstream | Released (4.15~rc2) |
linux-lts-wily | xenial | Does not exist |
linux-lts-wily | zesty | Does not exist |
linux-lts-xenial | artful | Does not exist |
linux-lts-xenial | precise | Does not exist |
linux-lts-xenial | trusty | Released (4.4.0-103.126~14.04.1) |
linux-lts-xenial | upstream | Released (4.15~rc2) |
linux-lts-xenial | xenial | Does not exist |
linux-lts-xenial | zesty | Does not exist |
linux-maguro | artful | Does not exist |
linux-maguro | precise | Does not exist |
linux-maguro | trusty | Does not exist (trusty was ignored [abandoned]) |
linux-maguro | upstream | Released (4.15~rc2) |
linux-maguro | xenial | Does not exist |
linux-maguro | zesty | Does not exist |
linux-mako | artful | Does not exist |
linux-mako | precise | Does not exist |
linux-mako | trusty | Does not exist (trusty was ignored [abandoned]) |
linux-mako | upstream | Released (4.15~rc2) |
linux-mako | xenial | Ignored (abandoned) |
linux-mako | zesty | Does not exist |
linux-manta | artful | Does not exist |
linux-manta | precise | Does not exist |
linux-manta | trusty | Does not exist (trusty was ignored [abandoned]) |
linux-manta | upstream | Released (4.15~rc2) |
linux-manta | xenial | Does not exist |
linux-manta | zesty | Does not exist |
linux-oem | artful | Does not exist |
linux-oem | precise | Does not exist |
linux-oem | trusty | Does not exist |
linux-oem | upstream | Released (4.15~rc2) |
linux-oem | xenial | Released (4.13.0-1010.11) |
linux-oem | zesty | Does not exist |
linux-qcm-msm | artful | Does not exist |
linux-qcm-msm | precise | Does not exist |
linux-qcm-msm | trusty | Does not exist |
linux-qcm-msm | upstream | Released (4.15~rc2) |
linux-qcm-msm | xenial | Does not exist |
linux-qcm-msm | zesty | Does not exist |
linux-raspi2 | artful | Released (4.13.0-1008.8) |
linux-raspi2 | precise | Does not exist |
linux-raspi2 | trusty | Does not exist |
linux-raspi2 | upstream | Released (4.15~rc2) |
linux-raspi2 | xenial | Released (4.4.0-1079.87) |
linux-raspi2 | zesty | Released (4.10.0-1023.26) |
linux-snapdragon | artful | Released (4.4.0-1081.86) |
linux-snapdragon | precise | Does not exist |
linux-snapdragon | trusty | Does not exist |
linux-snapdragon | upstream | Released (4.15~rc2) |
linux-snapdragon | xenial | Released (4.4.0-1081.86) |
linux-snapdragon | zesty | Released (4.4.0-1081.86) |
linux-ti-omap4 | artful | Does not exist |
linux-ti-omap4 | precise | Does not exist |
linux-ti-omap4 | trusty | Does not exist |
linux-ti-omap4 | upstream | Released (4.15~rc2) |
linux-ti-omap4 | xenial | Does not exist |
linux-ti-omap4 | zesty | Does not exist |
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.0 |
Attack vector | Local |
Attack complexity | High |
Privileges required | Low |
User interaction | None |
Scope | Unchanged |
Confidentiality | High |
Integrity impact | High |
Availability impact | High |
Vector | CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000405
- https://medium.com/bindecy/huge-dirty-cow-cve-2017-1000405-110eca132de0
- http://www.openwall.com/lists/oss-security/2017/11/30/1
- https://bugzilla.redhat.com/show_bug.cgi?id=1516514
- https://ubuntu.com/security/notices/USN-3511-1
- https://ubuntu.com/security/notices/USN-3510-1
- https://ubuntu.com/security/notices/USN-3510-2
- https://ubuntu.com/security/notices/USN-3509-1
- https://ubuntu.com/security/notices/USN-3509-2
- https://ubuntu.com/security/notices/USN-3508-1
- https://ubuntu.com/security/notices/USN-3508-2
- https://ubuntu.com/security/notices/USN-3507-1
- https://ubuntu.com/security/notices/USN-3507-2
- NVD
- Launchpad
- Debian