Re: [gentoo-user] Dirty COW, 4.4.8-hardened-r1 how to fix?

Re: [gentoo-user] Dirty COW, 4.4.8-hardened-r1 how to fix?

[Miroslav Rovis]

[-- Attachment #1: Type: text/plain, Size: 1290 bytes --]

On 161021-11:04-0400, Rich Freeman wrote:
> On Fri, Oct 21, 2016 at 10:49 AM, Mick <michaelkintzios@gmail.com> wrote:
> > https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
> 
> Not yet:
> https://bugs.gentoo.org/show_bug.cgi?id=597624
> 

We are talking grsecurity-patched (kind of stable[*]) kernel sources,
the =sys-kernel/hardened-sources-4.4.8-r1 package [**].

I read most of the discussion, and I could easily patch the gup.c and
mm.h in question, but those files need to be patched before application
of the grsecurity patch, and that is a little more complex work.

Has anybody done this, as I have limited time available to practice user
patching (which in its simplest form, I was able to do here:
>=dev-libs/nss-3.24 - Add USE flag to enable SSL key 
https://bugs.gentoo.org/show_bug.cgi?id=587116#c2 ), in case it can be
done with user patching, of course.

Anyone?

Regards!
---
[*] kind of stable, because there are, since about 1 yrs ago, only
testing kernel available for the non-paying users ;-(

[**] I have to use 4.4.8.r1 because recent kernel all crash with libirt
and qemu which I am trying to use:
https://bugs.gentoo.org/show_bug.cgi?id=597554
-- 
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 801 bytes --]

Re: [gentoo-user] Dirty COW, 4.4.8-hardened-r1 how to fix?

[Fernando Rodriguez]

[-- Attachment #1.1: Type: text/plain, Size: 1617 bytes --]

On Tue, Oct 25, 2016 at 07:11:54AM +0200, Miroslav Rovis wrote:
> On 161021-11:04-0400, Rich Freeman wrote:
> > On Fri, Oct 21, 2016 at 10:49 AM, Mick <michaelkintzios@gmail.com> wrote:
> > > https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
> > 
> > Not yet:
> > https://bugs.gentoo.org/show_bug.cgi?id=597624
> > 
> 
> We are talking grsecurity-patched (kind of stable[*]) kernel sources,
> the =sys-kernel/hardened-sources-4.4.8-r1 package [**].
> 
> I read most of the discussion, and I could easily patch the gup.c and
> mm.h in question, but those files need to be patched before application
> of the grsecurity patch, and that is a little more complex work.

Did you tried it?
The patch attached comes straight from the git repo, just run:

# cd /usr/src/linux
# patch -p1 < path/to/patch

It'll likely work.

> 
> Has anybody done this, as I have limited time available to practice user
> patching (which in its simplest form, I was able to do here:
> >=dev-libs/nss-3.24 - Add USE flag to enable SSL key 
> https://bugs.gentoo.org/show_bug.cgi?id=587116#c2 ), in case it can be
> done with user patching, of course.
> 
> Anyone?
> 
> Regards!
> ---
> [*] kind of stable, because there are, since about 1 yrs ago, only
> testing kernel available for the non-paying users ;-(
> 
> [**] I have to use 4.4.8.r1 because recent kernel all crash with libirt
> and qemu which I am trying to use:
> https://bugs.gentoo.org/show_bug.cgi?id=597554
> -- 
> Miroslav Rovis
> Zagreb, Croatia
> http://www.CroatiaFidelis.hr



-- 
Fernando Rodriguez

[-- Attachment #1.2: dirtycow.patch --]
[-- Type: text/x-diff, Size: 3683 bytes --]

commit 1294d355881cc5c3421d24fee512f16974addb6c
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Thu Oct 13 13:07:36 2016 -0700

    mm: remove gup_flags FOLL_WRITE games from __get_user_pages()
    
    commit 19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619 upstream.
    
    This is an ancient bug that was actually attempted to be fixed once
    (badly) by me eleven years ago in commit 4ceb5db9757a ("Fix
    get_user_pages() race for write access") but that was then undone due to
    problems on s390 by commit f33ea7f404e5 ("fix get_user_pages bug").
    
    In the meantime, the s390 situation has long been fixed, and we can now
    fix it by checking the pte_dirty() bit properly (and do it better).  The
    s390 dirty bit was implemented in abf09bed3cce ("s390/mm: implement
    software dirty bits") which made it into v3.9.  Earlier kernels will
    have to look at the page state itself.
    
    Also, the VM has become more scalable, and what used a purely
    theoretical race back then has become easier to trigger.
    
    To fix it, we introduce a new internal FOLL_COW flag to mark the "yes,
    we already did a COW" rather than play racy games with FOLL_WRITE that
    is very fundamental, and then use the pte dirty flag to validate that
    the FOLL_COW flag is still valid.
    
    Reported-and-tested-by: Phil "not Paul" Oester <kernel@linuxace.com>
    Acked-by: Hugh Dickins <hughd@google.com>
    Reviewed-by: Michal Hocko <mhocko@suse.com>
    Cc: Andy Lutomirski <luto@kernel.org>
    Cc: Kees Cook <keescook@chromium.org>
    Cc: Oleg Nesterov <oleg@redhat.com>
    Cc: Willy Tarreau <w@1wt.eu>
    Cc: Nick Piggin <npiggin@gmail.com>
    Cc: Greg Thelen <gthelen@google.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/include/linux/mm.h b/include/linux/mm.h
index cfebb74..f0ffa01 100644
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -2112,6 +2112,7 @@ static inline struct page *follow_page(struct vm_area_struct *vma,
 #define FOLL_MIGRATION	0x400	/* wait for page to replace migration entry */
 #define FOLL_TRIED	0x800	/* a retry, previous pass started an IO */
 #define FOLL_MLOCK	0x1000	/* lock present pages */
+#define FOLL_COW	0x4000	/* internal GUP flag */
 
 typedef int (*pte_fn_t)(pte_t *pte, pgtable_t token, unsigned long addr,
 			void *data);
diff --git a/mm/gup.c b/mm/gup.c
index deafa2c..4b0b7e7 100644
--- a/mm/gup.c
+++ b/mm/gup.c
@@ -58,6 +58,16 @@ static int follow_pfn_pte(struct vm_area_struct *vma, unsigned long address,
 	return -EEXIST;
 }
 
+/*
+ * FOLL_FORCE can write to even unwritable pte's, but only
+ * after we've gone through a COW cycle and they are dirty.
+ */
+static inline bool can_follow_write_pte(pte_t pte, unsigned int flags)
+{
+	return pte_write(pte) ||
+		((flags & FOLL_FORCE) && (flags & FOLL_COW) && pte_dirty(pte));
+}
+
 static struct page *follow_page_pte(struct vm_area_struct *vma,
 		unsigned long address, pmd_t *pmd, unsigned int flags)
 {
@@ -92,7 +102,7 @@ retry:
 	}
 	if ((flags & FOLL_NUMA) && pte_protnone(pte))
 		goto no_page;
-	if ((flags & FOLL_WRITE) && !pte_write(pte)) {
+	if ((flags & FOLL_WRITE) && !can_follow_write_pte(pte, flags)) {
 		pte_unmap_unlock(ptep, ptl);
 		return NULL;
 	}
@@ -352,7 +362,7 @@ static int faultin_page(struct task_struct *tsk, struct vm_area_struct *vma,
 	 * reCOWed by userspace write).
 	 */
 	if ((ret & VM_FAULT_WRITE) && !(vma->vm_flags & VM_WRITE))
-		*flags &= ~FOLL_WRITE;
+	        *flags |= FOLL_COW;
 	return 0;
 }
 

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

Re: [gentoo-user] Dirty COW, 4.4.8-hardened-r1 how to fix?

[Miroslav Rovis]

[-- Attachment #1: Type: text/plain, Size: 3090 bytes --]

Sorry about noticing your reply only now.

Namely, thinking that people over at hardened ML would tell more about
it, I indirectly initiated a thread over at hardened ML:
https://archives.gentoo.org/gentoo-hardened/message/09bbf3bfe59a938f11ac044e891db77e

Will surely check it! And am CC'ing hardened about this patch at the
hardened ML. Maybe they patch and forward the 4.4.8-r1 to 4.4.8-r2 .
---
Only now looked at the patch.

No, you don't get it. And I'm not CC'ing this to hardened ML.

You can't just run the patch for a vanilla kernel onto a
grsecurity-patched kernel. Look up the hardened-sources, and how they
are patched, and what the mm.h and the gup.c in question (there are a
few of so named files in various directories) look in the
hardened-sources, and how they look in the vanilla-sources...

If I'm not mistaken, and I did check it. No, I'm not mistaken, you just
sent me the Linus's patch.

No, wrong. But thanks for trying to help!

On 161025-13:16-0400, Fernando Rodriguez wrote:
> On Tue, Oct 25, 2016 at 07:11:54AM +0200, Miroslav Rovis wrote:
> > On 161021-11:04-0400, Rich Freeman wrote:
> > > On Fri, Oct 21, 2016 at 10:49 AM, Mick <michaelkintzios@gmail.com> wrote:
> > > > https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
> > > 
> > > Not yet:
> > > https://bugs.gentoo.org/show_bug.cgi?id=597624
> > > 
> > 
> > We are talking grsecurity-patched (kind of stable[*]) kernel sources,
> > the =sys-kernel/hardened-sources-4.4.8-r1 package [**].
> > 
> > I read most of the discussion, and I could easily patch the gup.c and
> > mm.h in question, but those files need to be patched before application
> > of the grsecurity patch, and that is a little more complex work.
> 
> Did you tried it?
> The patch attached comes straight from the git repo, just run:
> 
> # cd /usr/src/linux
> # patch -p1 < path/to/patch
> 
> It'll likely work.
> 
> > 
> > Has anybody done this, as I have limited time available to practice user
> > patching (which in its simplest form, I was able to do here:
> > >=dev-libs/nss-3.24 - Add USE flag to enable SSL key 
> > https://bugs.gentoo.org/show_bug.cgi?id=587116#c2 ), in case it can be
> > done with user patching, of course.
> > 
> > Anyone?
> > 
> > Regards!
> > ---
> > [*] kind of stable, because there are, since about 1 yrs ago, only
> > testing kernel available for the non-paying users ;-(
> > 
> > [**] I have to use 4.4.8.r1 because recent kernel all crash with libirt
> > and qemu which I am trying to use:
> > https://bugs.gentoo.org/show_bug.cgi?id=597554
> > -- 
> > Miroslav Rovis
> > Zagreb, Croatia
> > http://www.CroatiaFidelis.hr
> 
> 
> 
> -- 
> Fernando Rodriguez

> commit 1294d355881cc5c3421d24fee512f16974addb6c
> Author: Linus Torvalds <torvalds@linux-foundation.org>
> Date:   Thu Oct 13 13:07:36 2016 -0700
> 
>     mm: remove gup_flags FOLL_WRITE games from __get_user_pages()
>     
...

Thanks for trying to help! Regards!
-- 
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 801 bytes --]

Re: [gentoo-user] Dirty COW, 4.4.8-hardened-r1 how to fix?

[Fernando Rodriguez]

[-- Attachment #1: Type: text/plain, Size: 3900 bytes --]

On Tue, Oct 25, 2016 at 07:38:01PM +0200, Miroslav Rovis wrote:
> Sorry about noticing your reply only now.
> 
> Namely, thinking that people over at hardened ML would tell more about
> it, I indirectly initiated a thread over at hardened ML:
> https://archives.gentoo.org/gentoo-hardened/message/09bbf3bfe59a938f11ac044e891db77e
> 
> Will surely check it! And am CC'ing hardened about this patch at the
> hardened ML. Maybe they patch and forward the 4.4.8-r1 to 4.4.8-r2 .
> ---
> Only now looked at the patch.
> 
> No, you don't get it. And I'm not CC'ing this to hardened ML.
> 
> You can't just run the patch for a vanilla kernel onto a
> grsecurity-patched kernel. Look up the hardened-sources, and how they
> are patched, and what the mm.h and the gup.c in question (there are a
> few of so named files in various directories) look in the
> hardened-sources, and how they look in the vanilla-sources...

fernan@navi /usr/src/linux-4.4.8-hardened-r1 $ sudo patch -p1 < /home/fernan/dirtycow.patch
patching file include/linux/mm.h
Hunk #1 succeeded at 2131 (offset 19 lines).
patching file mm/gup.c
Hunk #3 succeeded at 357 (offset -5 lines).

It works so I guess you can. Never say you can't do something before
trying cause then you look like an idiot.

And the patch says which are the files in question!

> 
> If I'm not mistaken, and I did check it. No, I'm not mistaken, you just
> sent me the Linus's patch.

Yes you are mistaken, cause if you've tried it you wouldb't be asking
the question. And yes, that is Linus patch.

> 
> No, wrong. But thanks for trying to help!
> 
> On 161025-13:16-0400, Fernando Rodriguez wrote:
> > On Tue, Oct 25, 2016 at 07:11:54AM +0200, Miroslav Rovis wrote:
> > > On 161021-11:04-0400, Rich Freeman wrote:
> > > > On Fri, Oct 21, 2016 at 10:49 AM, Mick <michaelkintzios@gmail.com> wrote:
> > > > > https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
> > > > 
> > > > Not yet:
> > > > https://bugs.gentoo.org/show_bug.cgi?id=597624
> > > > 
> > > 
> > > We are talking grsecurity-patched (kind of stable[*]) kernel sources,
> > > the =sys-kernel/hardened-sources-4.4.8-r1 package [**].
> > > 
> > > I read most of the discussion, and I could easily patch the gup.c and
> > > mm.h in question, but those files need to be patched before application
> > > of the grsecurity patch, and that is a little more complex work.
> > 
> > Did you tried it?
> > The patch attached comes straight from the git repo, just run:
> > 
> > # cd /usr/src/linux
> > # patch -p1 < path/to/patch
> > 
> > It'll likely work.
> > 
> > > 
> > > Has anybody done this, as I have limited time available to practice user
> > > patching (which in its simplest form, I was able to do here:
> > > >=dev-libs/nss-3.24 - Add USE flag to enable SSL key 
> > > https://bugs.gentoo.org/show_bug.cgi?id=587116#c2 ), in case it can be
> > > done with user patching, of course.
> > > 
> > > Anyone?
> > > 
> > > Regards!
> > > ---
> > > [*] kind of stable, because there are, since about 1 yrs ago, only
> > > testing kernel available for the non-paying users ;-(
> > > 
> > > [**] I have to use 4.4.8.r1 because recent kernel all crash with libirt
> > > and qemu which I am trying to use:
> > > https://bugs.gentoo.org/show_bug.cgi?id=597554
> > > -- 
> > > Miroslav Rovis
> > > Zagreb, Croatia
> > > http://www.CroatiaFidelis.hr
> > 
> > 
> > 
> > -- 
> > Fernando Rodriguez
> 
> > commit 1294d355881cc5c3421d24fee512f16974addb6c
> > Author: Linus Torvalds <torvalds@linux-foundation.org>
> > Date:   Thu Oct 13 13:07:36 2016 -0700
> > 
> >     mm: remove gup_flags FOLL_WRITE games from __get_user_pages()
> >     
> ...
> 
> Thanks for trying to help! Regards!
> -- 
> Miroslav Rovis
> Zagreb, Croatia
> http://www.CroatiaFidelis.hr



-- 
Fernando Rodriguez

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 819 bytes --]

Re: [gentoo-user] Dirty COW, 4.4.8-hardened-r1 how to fix?

[Miroslav Rovis]

[-- Attachment #1: Type: text/plain, Size: 2708 bytes --]

Yes you were absolutely right.

On 161025-14:46-0400, Fernando Rodriguez wrote:
> On Tue, Oct 25, 2016 at 07:38:01PM +0200, Miroslav Rovis wrote:
> > Sorry about noticing your reply only now.
> > 
> > Namely, thinking that people over at hardened ML would tell more about
> > it, I indirectly initiated a thread over at hardened ML:
> > https://archives.gentoo.org/gentoo-hardened/message/09bbf3bfe59a938f11ac044e891db77e
> > 
> > Will surely check it! And am CC'ing hardened about this patch at the
> > hardened ML. Maybe they patch and forward the 4.4.8-r1 to 4.4.8-r2 .
> > ---
> > Only now looked at the patch.
> > 
> > No, you don't get it. And I'm not CC'ing this to hardened ML.
Sorry about that. I was not getting it.
After all if a patch isn't meant to patch something it only fails :-) .

> > 
> > You can't just run the patch for a vanilla kernel onto a
> > grsecurity-patched kernel. Look up the hardened-sources, and how they
> > are patched, and what the mm.h and the gup.c in question (there are a
> > few of so named files in various directories) look in the
> > hardened-sources, and how they look in the vanilla-sources...
> 
> fernan@navi /usr/src/linux-4.4.8-hardened-r1 $ sudo patch -p1 < /home/fernan/dirtycow.patch
> patching file include/linux/mm.h
> Hunk #1 succeeded at 2131 (offset 19 lines).
> patching file mm/gup.c
> Hunk #3 succeeded at 357 (offset -5 lines).
>


It did work here too:

# patch -p1 <  /home/miro/dirtycow.patch 
patching file include/linux/mm.h
Hunk #1 succeeded at 2131 (offset 19 lines).
patching file mm/gup.c
Hunk #3 succeeded at 357 (offset -5 lines).
#

where:

# pwd
/usr/src/linux
# ls -l ../linux
lrwxrwxrwx 1 root root 23 2016-10-23 02:37 ../linux -> linux-4.4.8-hardened-r1
# 
> It works so I guess you can. Never say you can't do something before
> trying cause then you look like an idiot.
> 
> And the patch says which are the files in question!
> 
> > 
> > If I'm not mistaken, and I did check it. No, I'm not mistaken, you just
> > sent me the Linus's patch.
> 
> Yes you are mistaken, cause if you've tried it you wouldb't be asking
> the question. And yes, that is Linus patch.
Right!

...
> > > 
> > > Did you tried it?
> > > The patch attached comes straight from the git repo, just run:
> > > 
> > > # cd /usr/src/linux
> > > # patch -p1 < path/to/patch
> > > 
> > > It'll likely work.
> > >
And it did, as above...

> > 
> > Thanks for trying to help! Regards!
Wrong on my part!

Thanks for teaching me! And to teach an obstinate misunderstanding old
man takes a little nerve.

Regards!
-- 
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 801 bytes --]