Patch of Dirty COW Vulnerability Incomplete, Researchers Claim

The “Dirty COW” vulnerability (CVE-2016–5195) discovered last year in Linux was incompletely patched, Bindecy researchers say.

The vulnerability was found to be caused by a race condition in the way the Linux kernel’s memory subsystem handles copy-on-write (COW) breakage of private read-only memory mappings. Discovered by Phil Oester, the bug could allow an unprivileged local attacker to escalate their privileges on a targeted system.

The vulnerability was found to impact Android as well, and could even escape containers. Soon after Google released a patch for the vulnerability, however, new attacks exploiting Dirty COW on Android were devised.

The most recent malware family to exploit the issue was observed in September of this year.

Although Dirty COW was one of the most hyped and branded vulnerabilities ever published, with every Linux version from the last decade, Android included, being vulnerable, the patch released for it stirred far less interest, Bindecy says. Because of that, over a year passed after the patch was released before anyone noticed it was incomplete.

The original vulnerability impacted the get_user_pages function, which is used to get the physical pages behind virtual addresses in user processes. Basically, the bug would allow writing to the read-only privileged version of a page.

The fix for the vulnerability doesn’t reduce the requested permissions. Instead, “get_user_pages now remembers the fact that we went through a COW cycle,” the researchers explain.

Thus, on the next iteration, a read-only page is provided for a write operation only if FOLL_FORCE and FOLL_COW flags are specified, and the PTE is marked as dirty.

The problem, the security researchers say, is that the patch “assumes that the read-only privileged copy of a page will never have a PTE pointing to it with the dirty bit on.”

Bindecy discovered that the vulnerability can still be reproduced when Transparent Huge Pages (THP) and the Page Medium Directory (PMD, one level above the PTE level) are involved.

While Linux usually uses 4096-byte pages, THPs can be as large as 2MB, although they can be split into normal pages. By default, THP support usually applies to anonymous mappings only, and it can be turned on or off while the system is running.

THP is implemented by turning on the _PAGE_PSE bit of the PMD, which results in the PMD pointing to a 2MB physical page instead of a directory of PTEs.

What the researchers discovered was that the Dirty COW patch code that deals with THP contains a function called can_follow_write_pmd, which applies the same logic as can_follow_write_pte to huge PMDs.

According to the researchers, however, the issue is that, when it comes to huge PMDs, “a page can be marked dirty without going through a COW cycle, using the touch_pmd function.” Each time get_user_pages tries to get a huge page, touch_pmd is called and marks the page dirty without any COW cycle having taken place. Thus, can_follow_write_pmd’s logic is broken, the researchers say.
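To make the broken assumption concrete, here is an added user-space model (not kernel code, and not from the article or from Bindecy) of the check described in the paragraphs above on the patch logic and on touch_pmd: can_follow_write_pmd trusts the dirty bit as evidence of a prior COW cycle, and a touch_pmd that marks the huge page dirty on every lookup defeats that evidence. The flag values and the struct are illustrative, and the fixed variant assumes the mainline fix’s approach of marking the entry dirty only on write lookups.

```c
#include <stdbool.h>
#include <stdio.h>

/* Illustrative flag values and a minimal PMD model; not the kernel's real definitions. */
#define FOLL_WRITE 0x01
#define FOLL_FORCE 0x10
#define FOLL_COW   0x4000

struct model_pmd { bool write; bool dirty; };

/* Mirrors the Dirty COW fix's check: a read-only page is handed out for a write
 * only if the caller forces it, a COW cycle was recorded (FOLL_COW) and the
 * entry is dirty. The check trusts the dirty bit as proof of that COW cycle. */
static bool can_follow_write_pmd(const struct model_pmd *p, unsigned flags)
{
    return p->write ||
           ((flags & FOLL_FORCE) && (flags & FOLL_COW) && p->dirty);
}

/* Pre-fix touch_pmd behaviour: every lookup of a huge page marks it dirty,
 * even a read, so the dirty bit no longer proves that a COW cycle happened. */
static void touch_pmd_unfixed(struct model_pmd *p, unsigned flags)
{
    (void)flags;
    p->dirty = true;
}

/* Post-fix behaviour (assumed to mirror the mainline fix): dirty only on writes. */
static void touch_pmd_fixed(struct model_pmd *p, unsigned flags)
{
    if (flags & FOLL_WRITE)
        p->dirty = true;
}

/* Scenario from the article: the COW copy is gone, so the PMD again points at
 * the original read-only huge page, which is looked up once for a read and then
 * requested for a forced write while FOLL_COW is still set from the earlier cycle.
 * Returns true if the read-only page is wrongly accepted for the write. */
static bool readonly_huge_page_accepted_for_write(void (*touch)(struct model_pmd *, unsigned))
{
    struct model_pmd p = { .write = false, .dirty = false };  /* original page, never COWed */
    touch(&p, 0);                                              /* read lookup, no COW */
    return can_follow_write_pmd(&p, FOLL_WRITE | FOLL_FORCE | FOLL_COW);
}

int main(void)
{
    printf("unfixed touch_pmd: read-only huge page accepted for write = %d\n",
           readonly_huge_page_accepted_for_write(touch_pmd_unfixed));
    printf("fixed touch_pmd:   read-only huge page accepted for write = %d\n",
           readonly_huge_page_accepted_for_write(touch_pmd_fixed));
    return 0;
}
```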

“At this point, exploiting the bug is straightforward — we can use a similar pattern of the original Dirty COW race. This time, after we get rid of the copied version of the page, we have to fault the original page twice — first to make it present, and then to turn on the dirty bit,” Bindecy notes.

The security researchers revealed information on a couple of exploit scenarios and also published a proof-of-concept to demonstrate the exploit. They reported the vulnerability (which was assigned CVE-2017–1000405) to the kernel and distros mailing lists last week, and a patch has already been committed to the mainline kernel.

“This bug demonstrates the importance of patch auditing in the security development life-cycle. As the Dirty COW case and other past cases show, even hyped vulnerabilities may get incomplete patches. The situation is not reserved for closed source software only; open source software suffers just as much,” the researchers conclude.

Written by Ionut Arghire, an international correspondent for SecurityWeek.
