Bug #11885

Critical kernel privesc vulnerability CVE-2016-5195

Added by cypherpunks 2016-10-20 11:41:52. Updated 2016-11-15 18:23:36.

Status: Resolved
Priority: Urgent
Assignee:
Category:
Target version:
Start date: 2016-10-20
Due date:
% Done: 100%
Feature Branch: bugfix/11885-linux-4.7
Type of work: Code
Blueprint:
Starter: 0
Affected tool:
Deliverable for:

Description

Severe vulnerability in Linux’s COW handling allows any process to gain root access, and subsequently kernel-mode access. It’s a low-level logic bug, and no mitigations out there fix the underlying vulnerability. The only fix is to upgrade the kernel and release a new version of Tails.


History

#1 Updated by cypherpunks 2016-10-21 04:54:41

More info: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails

The in-the-wild exploits require ptrace() and/or writable /proc/self/mem access, but the vulnerability itself can likely be triggered from any number of NUMA-related syscalls, most notably mlock(). See numa(7) for some other example calls.

#2 Updated by bertagaz 2016-10-24 10:16:24

  • Status changed from New to Confirmed
  • Target version set to Tails_2.7

We have a release in two weeks, and given the availability and time we have I don’t think we’ll be able to issue an emergency release sadly.

#3 Updated by cypherpunks 2016-10-24 10:32:12

bertagaz wrote:
> We have a release in two weeks, and given the availability and time we have I don’t think we’ll be able to issue an emergency release sadly.

Is there no way to speed up the release? What needs to be done in order to prepare for the 2.7 release?

#4 Updated by intrigeri 2016-10-24 10:45:53

  • Assignee set to bertagaz
  • Type of work changed from Discuss to Code

Assigning to RM who should make sure that this security issue indeed is fixed in 2.7.
I guess it’s probably related to the ticket that’s about upgrading to Linux 4.7.

#5 Updated by bertagaz 2016-10-24 12:56:59

cypherpunks wrote:
> Is there no way to speed up the release? What needs to be done in order to prepare for the 2.7 release?

Even if we speed up, there will be another Firefox ESR release that will have us issue another release in two weeks.

intrigeri wrote:
> Assigning to RM who should make sure that this security issue indeed is fixed in 2.7.
> I guess it’s probably related to the ticket that’s about upgrading to Linux 4.7.

Right, thanks!

#6 Updated by cypherpunks 2016-10-25 11:14:09

Until then, I’m disabling a bunch of unnecessary MM-related calls on my own system that might be able to trigger this exploit. Maybe in the two weeks until the next release, someone else can find it useful: https://bpaste.net/show/335a896fa27e

I don’t trust my skills enough to touch the underlying MM subsystem and patch the underlying vulnerability itself though, but there have got to be other people here who do. Why doesn’t Tails release fixes for this kind of thing through signed emergency livepatch LKMs?

#7 Updated by intrigeri 2016-11-02 08:19:54

Note that in case you’re implicitly relying on bugfix/11786-linux-4.7 to fix this problem, it installs a relatively old backport (linux-image-4.7.0-0.bpo.1-amd64-unsigned 4.7.2-1~bpo8+1), that might be too old to fix the “dirtycow” security issue. I assume that you’re aiming at fixing that security bug in Tails 2.7, so please double-check this. jessie-backports now has 4.7.8-1~bpo8+1. Of course we’d rather not bump the APT snapshot of the ‘debian’ archive, so likely the best way to handle this is to import into our custom APT repo whatever packages are necessary to upgrade to a safe(r) kernel.

#8 Updated by bertagaz 2016-11-03 20:28:48

  • Status changed from Confirmed to In Progress

Applied in changeset commit:1403cbb4edb7d71bb9cc20338cd7ff8cf5758889.

#9 Updated by bertagaz 2016-11-06 09:02:42

  • Assignee changed from bertagaz to intrigeri
  • % Done changed from 0 to 60
  • QA Check set to Ready for QA
  • Feature Branch set to bugfix/11885-linux-4.7

So this branch had good exposure in Jenkins and seems to work fine. I’ve noted on https://jenkins.tails.boum.org/job/test_Tails_ISO_bugfix-11885-linux-4.7/ the reasons for the failures, and as you’ll see none are related to this kernel, so I think it’s good to be merged.

As explained, I had to merge your Feature #11818 branch that was based on devel, so please double-check that I didn’t mess something in the process.

#10 Updated by intrigeri 2016-11-06 11:28:20

  • Status changed from In Progress to Fix committed
  • Assignee deleted (intrigeri)
  • % Done changed from 60 to 100
  • QA Check changed from Ready for QA to Pass

#11 Updated by intrigeri 2016-11-07 09:55:00

Sorry! For some reason I’ve merged an old (and utterly broken) version of the topic branch, which broke the stable build. I’ve now merged the last version of the topic branch.

#12 Updated by bertagaz 2016-11-15 18:23:36

  • Status changed from Fix committed to Resolved