CVE-2017-1000405

The Linux Kernel versions 2.6.38 through 4.14 have a problematic use of pmd_mkdirty() in the touch_pmd() function inside the THP implementation. touch_pmd() can be reached by get_user_pages(). In such case, the pmd will become dirty. This scenario breaks the new can_follow_write_pmd()'s logic - pmd can become dirty without going through a COW cycle. This bug is not as severe as the original "Dirty cow" because an ext4 file (or any other regular file) cannot be mapped using THP. Nevertheless, it does allow us to overwrite read-only huge pages. For example, the zero huge page and sealed shmem files can be overwritten (since their mapping can be populated using THP). Note that after the first write page-fault to the zero page, it will be replaced with a new fresh (and zeroed) thp.

From the Ubuntu Security Team

It was discovered that the Linux kernel did not properly handle copy-on- write of transparent huge pages. A local attacker could use this to cause a denial of service (application crashes) or possibly gain administrative privileges.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
linux	17.10 artful	Fixed 4.13.0-19.22
	17.04 zesty	Fixed 4.10.0-42.46
	16.04 LTS xenial	Fixed 4.4.0-103.126
	14.04 LTS trusty	Fixed 3.13.0-137.186
linux-armadaxp	17.10 artful	Not in release
	17.04 zesty	Not in release
	16.04 LTS xenial	Not in release
	14.04 LTS trusty	Not in release
linux-aws	17.10 artful	Not in release
	17.04 zesty	Not in release
	16.04 LTS xenial	Fixed 4.4.0-1043.52
	14.04 LTS trusty	Fixed 4.4.0-1005.5
linux-azure	17.10 artful	Not in release
	17.04 zesty	Not in release
	16.04 LTS xenial	Fixed 4.11.0-1016.16
	14.04 LTS trusty	Not affected
linux-euclid	17.10 artful	Not in release
	17.04 zesty	Not in release
	16.04 LTS xenial	Not affected
	14.04 LTS trusty	Not in release
linux-flo	17.10 artful	Not in release
	17.04 zesty	Not in release
	16.04 LTS xenial	Ignored
	14.04 LTS trusty	Not in release
linux-gcp	17.10 artful	Not in release
	17.04 zesty	Not in release
	16.04 LTS xenial	Fixed 4.13.0-1002.5
	14.04 LTS trusty	Not in release
linux-gke	17.10 artful	Not in release
	17.04 zesty	Not in release
	16.04 LTS xenial	Ignored
	14.04 LTS trusty	Not in release
linux-goldfish	17.10 artful	Not in release
	17.04 zesty	Not affected
	16.04 LTS xenial	Not affected
	14.04 LTS trusty	Not in release
linux-grouper	17.10 artful	Not in release
	17.04 zesty	Not in release
	16.04 LTS xenial	Not in release
	14.04 LTS trusty	Not in release
linux-hwe	17.10 artful	Not in release
	17.04 zesty	Not in release
	16.04 LTS xenial	Fixed 4.10.0-42.46~16.04.1
	14.04 LTS trusty	Not in release
linux-hwe-edge	17.10 artful	Not in release
	17.04 zesty	Not in release
	16.04 LTS xenial	Fixed 4.10.0-42.46~16.04.1
	14.04 LTS trusty	Not in release
linux-kvm	17.10 artful	Not in release
	17.04 zesty	Not in release
	16.04 LTS xenial	Fixed 4.4.0-1012.17
	14.04 LTS trusty	Not in release
linux-linaro-omap	17.10 artful	Not in release
	17.04 zesty	Not in release
	16.04 LTS xenial	Not in release
	14.04 LTS trusty	Not in release
linux-linaro-shared	17.10 artful	Not in release
	17.04 zesty	Not in release
	16.04 LTS xenial	Not in release
	14.04 LTS trusty	Not in release
linux-linaro-vexpress	17.10 artful	Not in release
	17.04 zesty	Not in release
	16.04 LTS xenial	Not in release
	14.04 LTS trusty	Not in release
linux-lts-quantal	17.10 artful	Not in release
	17.04 zesty	Not in release
	16.04 LTS xenial	Not in release
	14.04 LTS trusty	Not in release
linux-lts-raring	17.10 artful	Not in release
	17.04 zesty	Not in release
	16.04 LTS xenial	Not in release
	14.04 LTS trusty	Not in release
linux-lts-saucy	17.10 artful	Not in release
	17.04 zesty	Not in release
	16.04 LTS xenial	Not in release
	14.04 LTS trusty	Not in release
linux-lts-trusty	17.10 artful	Not in release
	17.04 zesty	Not in release
	16.04 LTS xenial	Not in release
	14.04 LTS trusty	Not in release
linux-lts-utopic	17.10 artful	Not in release
	17.04 zesty	Not in release
	16.04 LTS xenial	Not in release
	14.04 LTS trusty	Not in release
linux-lts-vivid	17.10 artful	Not in release
	17.04 zesty	Not in release
	16.04 LTS xenial	Not in release
	14.04 LTS trusty	Ignored
linux-lts-wily	17.10 artful	Not in release
	17.04 zesty	Not in release
	16.04 LTS xenial	Not in release
	14.04 LTS trusty	Not in release
linux-lts-xenial	17.10 artful	Not in release
	17.04 zesty	Not in release
	16.04 LTS xenial	Not in release
	14.04 LTS trusty	Fixed 4.4.0-103.126~14.04.1
linux-maguro	17.10 artful	Not in release
	17.04 zesty	Not in release
	16.04 LTS xenial	Not in release
	14.04 LTS trusty	Not in release
linux-mako	17.10 artful	Not in release
	17.04 zesty	Not in release
	16.04 LTS xenial	Ignored
	14.04 LTS trusty	Not in release
linux-manta	17.10 artful	Not in release
	17.04 zesty	Not in release
	16.04 LTS xenial	Not in release
	14.04 LTS trusty	Not in release
linux-oem	17.10 artful	Not in release
	17.04 zesty	Not in release
	16.04 LTS xenial	Fixed 4.13.0-1010.11
	14.04 LTS trusty	Not in release
linux-qcm-msm	17.10 artful	Not in release
	17.04 zesty	Not in release
	16.04 LTS xenial	Not in release
	14.04 LTS trusty	Not in release
linux-raspi2	17.10 artful	Fixed 4.13.0-1008.8
	17.04 zesty	Fixed 4.10.0-1023.26
	16.04 LTS xenial	Fixed 4.4.0-1079.87
	14.04 LTS trusty	Not in release
linux-snapdragon	17.10 artful	Fixed 4.4.0-1081.86
	17.04 zesty	Fixed 4.4.0-1081.86
	16.04 LTS xenial	Fixed 4.4.0-1081.86
	14.04 LTS trusty	Not in release
linux-ti-omap4	17.10 artful	Not in release
	17.04 zesty	Not in release
	16.04 LTS xenial	Not in release
	14.04 LTS trusty	Not in release

Notes

smb

Added introducing commit as suggested by RH. We backported that into Trusty and later but not into Precise.

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
linux	Introduced by 8310d48, fixed by a8f9736

Severity score breakdown

Parameter	Value
Base score	7.0 · High
Attack vector	Local
Attack complexity	High
Privileges required	Low
User interaction	None
Scope	Unchanged
Confidentiality	High
Integrity impact	High
Availability impact	High
Vector	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

References

Related Ubuntu Security Notices (USN)

USN-3510-1
Linux kernel vulnerabilities
8 December 2017

USN-3510-2
Linux kernel (Trusty HWE) vulnerabilities
8 December 2017

USN-3511-1
Linux kernel (Azure) vulnerabilities
8 December 2017

USN-3507-1
Linux kernel vulnerabilities
7 December 2017

USN-3508-2
Linux kernel (HWE) vulnerabilities
7 December 2017

USN-3507-2
Linux kernel (GCP) vulnerabilities
8 December 2017

USN-3509-1
Linux kernel vulnerabilities
7 December 2017

USN-3509-2
Linux kernel (Xenial HWE) vulnerabilities
7 December 2017

USN-3508-1
Linux kernel vulnerabilities
7 December 2017