Hi Akemi,

The fix allows me to run the cow vulnerability but it blocks which is good.

See the following:

DirtyCow root privilege escalation
Backing up /usr/bin/passwd to /tmp/bak
Size of binary: 27832
Racing, this may take a while..
thread stopped
thread stopped

Based on the following bug report, I had compiled a similar module which does the same:

https://bugzilla.redhat.com/show_bug.cgi?id=1384344#c13

1) Download kernel-debuginfo and kernel-debuginfo-common

yum install kernel-debuginfo kernel-debuginfo-common --enablerepo=*

2) Create a file mitigation.stp with the following content:


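// Zero the length of every write through /proc/<pid>/mem.
probe kernel.function("mem_write").call ? {
        $count = 0
}

// Replace every ptrace request with an invalid one so the call fails
// (this also stops debuggers such as gdb and strace from working).
probe syscall.ptrace {  // includes compat ptrace as well
        $request = 0xfff
}

// Log load and unload to the kernel log.
probe begin {
        printk(0, "CVE-2016-5195 mitigation loaded")
}

probe end {
        printk(0, "CVE-2016-5195 mitigation unloaded")
}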


3) Build the module

stap -g -p 4 mitigation.stp

4) module file is placed in the following location 

/root/.systemtap/cache/f4/stap_f4efcb030069a07d7cacae195d59169a_65631.ko

5)
staprun -L stap_f4efcb030069a07d7cacae195d59169a_65631.ko

6) Deploy and run the module on all affected machines.


So my question is: what exactly has been patched in the recent upstream kernel?

Valentin

On 10/25/2016 02:04 AM, Akemi Yagi wrote:
> Hi Valentin,
>
> On Mon, Oct 24, 2016 at 1:13 PM, Valentin B wrote:
>> Hi Pat,
>>
>> If this patch / fix was applied to kernel 3.10.0-327.36.3.el7.x86_64
>> then it seems to me more of a mitigation / blocker instead.
> Which "patch / fix" are you referring to? Could you elaborate?
>
> I believe the patch applied to the 7.2 kernel is in principle the same
> as what appeared in the upstream kernels at kernel.org. The two
> patches are not identical due to rather heavy modifications done to
> the RHEL kernel.
>
>> The patch applied to 4.7.9-200.fc24.x86_64 on Fedora 24 seems more of a
>> proper fix.  The cowroot vulnerability doesn't get the chance to be
>> executed at all.
>>
>> Best regards,
>> Valentin
> Akemi

-- 

Valentin Bajrami
Kapteyn Astronomical Institute
University of Groningen
Postbus 800
NL-9700 AV Groningen
The Netherlands

Phone:    +31-(0)50-3634068

PGP Fingerprint: 50D7 E233 C2E0 1C81 BB7F F8D8 E51B CF89 A52E 5271
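
A check to go with step 6 of the procedure above, added here as an example (it is not part of the original message or of the Red Hat bug report): it decides from kernel log text and the contents of /proc/modules whether the mitigation is still in place on a host. The function name mitigation_state and the sample data are constructed for illustration, and it assumes the resident module name begins with stap_ as in the .ko file name above.

```shell
#!/bin/sh
# Marker strings are the printk() messages from mitigation.stp.
LOADED_MSG='CVE-2016-5195 mitigation loaded'
UNLOADED_MSG='CVE-2016-5195 mitigation unloaded'

# Constructed sample input (not captured from a real host).
SAMPLE_KLOG='[  812.101] CVE-2016-5195 mitigation loaded
[  990.552] CVE-2016-5195 mitigation unloaded
[ 1204.007] CVE-2016-5195 mitigation loaded'
SAMPLE_MODULES='xfs 939714 2 - Live 0xffffffffa0100000
stap_f4efcb030069a07d7cacae195d59169a_65631 104521 0 - Live 0xffffffffa0400000 (OE)'

# mitigation_state KERNEL_LOG_TEXT MODULES_TEXT
# Prints one of:
#   active   - last marker is "loaded" and a stap_ module is resident
#   unloaded - last marker is "unloaded"
#   stale    - last marker is "loaded" but no stap_ module is resident
#              (e.g. a persistent log read after a reboot)
#   absent   - no marker in the log at all
mitigation_state() {
    klog=$1
    modules=$2
    # The last marker wins: the module may have been loaded and removed repeatedly.
    last=$(printf '%s\n' "$klog" | grep -F -e "$LOADED_MSG" -e "$UNLOADED_MSG" | tail -n 1)
    case $last in
        '')                echo absent; return ;;
        *"$UNLOADED_MSG"*) echo unloaded; return ;;
    esac
    # Each /proc/modules line starts with the module name (assumed prefix: stap_).
    if printf '%s\n' "$modules" | grep -q '^stap_'; then
        echo active
    else
        echo stale
    fi
}

# Live use on a host: sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    mitigation_state "$(dmesg)" "$(cat /proc/modules)"
fi
```

A module loaded with staprun does not survive a reboot, so anything other than "active" means the host needs the module loaded again or a patched kernel.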