Hi Akemi,

The fix allows me to run the cow vulnerability but it blocks which is good. See the following:

    DirtyCow root privilege escalation
    Backing up /usr/bin/passwd to /tmp/bak
    Size of binary: 27832
    Racing, this may take a while..
    thread stopped
    thread stopped

Based on the following bug report https://bugzilla.redhat.com/show_bug.cgi?id=1384344#c13 , I had compiled a similar module which does the same.

1) Download kernel-debuginfo and kernel-debuginfo-common

    yum install kernel-debuginfo kernel-debuginfo-common --enablerepo=*

2) Create a file mitigation.stp with the following content:

    probe kernel.function("mem_write").call ? {
        $count = 0
    }

    probe syscall.ptrace { // includes compat ptrace as well
        $request = 0xfff
    }

    probe begin {
        printk(0, "CVE-2016-5195 mitigation loaded")
    }

    probe end {
        printk(0, "CVE-2016-5195 mitigation unloaded")
    }

3) Build the module

    stap -g -p 4 mitigation.stp

4) The module file is placed in the following location:

    /root/.systemtap/cache/f4/stap_f4efcb030069a07d7cacae195d59169a_65631.ko

5) Load the module

    staprun -L stap_f4efcb030069a07d7cacae195d59169a_65631.ko

6) Deploy and run the module on all affected machines.

So my question is: what exactly has been patched in the recent upstream kernel?

Valentin

On 10/25/2016 02:04 AM, Akemi Yagi wrote:
> Hi Valentin,
>
> On Mon, Oct 24, 2016 at 1:13 PM, Valentin B wrote:
>> Hi Pat,
>>
>> If this patch / fix was applied to kernel 3.10.0-327.36.3.el7.x86_64
>> then it seems to me more of a mitigation / blocker instead.
> Which "patch / fix" are you referring to? Could you elaborate?
>
> I believe the patch applied to the 7.2 kernel is in principle the same
> as what appeared in the upstream kernels at kernel.org. The two
> patches are not identical due to rather heavy modifications done to
> the RHEL kernel.
>
>> The patch applied to 4.7.9-200.fc24.x86_64 on Fedora 24 seems more of a
>> proper fix. The cowroot vulnerability doesn't get the chance to be
>> executed at all.
>>
>> Best regards,
>> Valentin
> Akemi

--
Valentin Bajrami
Kapteyn Astronomical Institute
University of Groningen
Postbus 800
NL-9700 AV Groningen
The Netherlands

Phone: +31-(0)50-3634068
PGP Fingerprint: 50D7 E233 C2E0 1C81 BB7F F8D8 E51B CF89 A52E 5271