# COW fixed in 4.1.35 longterm, but there is no ebuild [SOLVED]

## Duncan Mac Leod

https://bugs.gentoo.org/show_bug.cgi?id=598076

4.1.35 has been available for more than 24 hours now, but there is no ebuild for gentoo-sources.

Please help!

*Last edited by Duncan Mac Leod on Fri Oct 28, 2016 3:42 pm; edited 1 time in total*

----------

## Zucca

Interesting.

I thought it was already fixed in .34.

```
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Thu Oct 13 13:07:36 2016 -0700

    mm: remove gup_flags FOLL_WRITE games from __get_user_pages()

    [ Upstream commit 19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619 ]

    This is an ancient bug that was actually attempted to be fixed once
    (badly) by me eleven years ago in commit 4ceb5db9757a ("Fix
    get_user_pages() race for write access") but that was then undone due to
    problems on s390 by commit f33ea7f404e5 ("fix get_user_pages bug").

    In the meantime, the s390 situation has long been fixed, and we can now
    fix it by checking the pte_dirty() bit properly (and do it better).  The
    s390 dirty bit was implemented in abf09bed3cce ("s390/mm: implement
    software dirty bits") which made it into v3.9.  Earlier kernels will
    have to look at the page state itself.
```

... that confirms it.

And looking at the changelogs of the latest 4.4 (which is also LTS), it hasn't been patched there either.

I use 4.7.10 (non-LTS) now, which should have the patch, but I didn't see markings in the changelog... Maybe it's fixed in gentoo-sources...

----------

## Zucca

I think yours is patched against it with genpatch since you're using gentoo-sources.

You can test it. Here's how.

----------

## szatox

I checked the POC on my system running kernel x86_64-4.4.6-gentoo and it failed.

I'm not sure whether it's a Gentoo patch or simply the pretty strict permissions (like 400 or something) set by Gentoo on mem that stopped the exploit, though.

Either way... It failed. I guess it's good\*

\* Not that I was very worried about myself escalating permissions from user to root. Su provides the same functionality already.

----------

## Hu

v4.1.34 was released Oct 9, which puts it 4 days before Linus fixed the problem in tip.  v4.7.9 provides the fix for the 4.7.x line.  v4.4.6 is far too old to have it from upstream, but it is possible that a 4.4.6-rX could bring in the fix through the Gentoo extra patches.

Even on single user machines, this vulnerability is somewhat dangerous, since it allows any code-execution bug in any program on the machine to become a root-code-execution bug.  Given the security record of certain software, in particular web browsers, I would be worried about running a browser on a system with an unpatched kernel.

----------

## Apheus

Why care about 4.4.6? 4.4.26 fixes it in the 4.4 line: https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.26

----------
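
Added example (not part of any post in this thread): a POSIX shell check that compares a kernel release string against the fixed-in releases named above (4.1.35, 4.4.26, 4.7.9). The function name `cow_status` and its result labels are made up for this illustration. A release older than its branch's fix is reported as needing a backport check rather than as vulnerable, because distribution patch sets may carry the fix earlier, as discussed above.

```shell
#!/bin/sh
# Fixed-in releases per stable branch, taken from this thread only.
# Format: "<major.minor>:<minimum patch level>"
FIXED_IN="4.1:35 4.4:26 4.7:9"

# cow_status RELEASE
# Prints one of (labels are illustrative, not from any tool):
#   upstream-fixed        at or past the branch's fixed-in release
#   needs-backport-check  older than that; safe only if distro patches add the fix
#   unknown-branch        branch not covered by the table above
#   unparsable            not of the form X.Y.Z[-suffix]
cow_status() {
    rel=$1
    ver=${rel%%-*}                 # drop local suffix, e.g. "-gentoo-r1"
    case $ver in
        *.*.*) ;;
        *) echo unparsable; return 0 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%.*}             # ignore anything after a fourth dot
    for n in "$major" "$minor" "$patch"; do
        case $n in
            ''|*[!0-9]*) echo unparsable; return 0 ;;
        esac
    done
    for entry in $FIXED_IN; do
        branch=${entry%%:*}
        min=${entry#*:}
        if [ "$branch" = "$major.$minor" ]; then
            if [ "$patch" -ge "$min" ]; then
                echo upstream-fixed
            else
                echo needs-backport-check
            fi
            return 0
        fi
    done
    echo unknown-branch
}

# Typical use on the running system:  cow_status "$(uname -r)"
```
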

## Zucca

 *Hu wrote:*   

> Given the security record of certain software, in particular web browsers, I would be worried about running a browser on a system with an unpatched kernel.

 A web browser that has a Flash plug-in.

What could possibly go wrong?

----------

## Duncan Mac Leod

 *Hu wrote:*   

> v4.1.34 was released Oct 9, which puts it 4 days before Linus fixed the problem in tip.  v4.7.9 provides the fix for the 4.7.x line.  v4.4.6 is far too old to have it from upstream, but it is possible that a 4.4.6-rX could bring in the fix through the Gentoo extra patches.
> 
> Even on single user machines, this vulnerability is somewhat dangerous, since it allows any code-execution bug in any program on the machine to become a root-code-execution bug.  Given the security record of certain software, in particular web browsers, I would be worried about running a browser on a system with an unpatched kernel.

 

Is there any reason why security fixes are released so slowly by Gentoo (short on developer resources?)?

4.1.x is a longterm kernel, the fix (4.1.35) was released 4 days ago on kernel.org, but there is still no ebuild.

Another example: bind-9.10.4_p3 for x86 is still not marked stable and Gentoo security recommends updating to this version.

----------

## Hu

 *Zucca wrote:*   

> *Hu wrote:*
>
> > Given the security record of certain software, in particular web browsers, I would be worried about running a browser on a system with an unpatched kernel.
>
> A web browser that has a Flash plug-in.
>
> What could possibly go wrong?

Indeed, Flash is a popular vector for gaining local code execution.  Given some of the crazy things that are possible with modern JavaScript, I would be worried even on Flash-free systems.

 *Duncan Mac Leod wrote:*   

> Is there any reason why security fixes are released so slowly by Gentoo (short on developer resources?)?
> 
> 4.1.x is a longterm kernel, the fix (4.1.35) was released 4 days ago on kernel.org, but there is still no ebuild.
> 
> Another example: bind-9.10.4_p3 for x86 is still not marked stable and Gentoo security recommends updating to this version.

 I am sure there is a good reason, but I do not know it.  I have seen comments for quite some time about how the x86 testing resources are much smaller than they once were, causing x86 to lag amd64.  Your questions might be better addressed to one of the mailing lists, since some Gentoo developers do not read the forums.  I know at least one gentoo-sources maintainer has posted in forum threads, but I do not know if he is likely to read this particular thread in order to see your question.

----------

## The Doctor

Unless you are a glutton for punishment, sticking with stable kernels seems to be the most sensible option. And, the stable kernels have cleaned up the COW.

As for browser security, I see no good reason not to block JavaScript and Flash by default and enable them only on trusted sites as needed. It is amazing how much of the internet works without them. Even YouTube and Amazon.

----------

## Zucca

This would indicate that all gentoo-sources have the patch that plugs the Dirty Cow's buttocks.

Am I right?

----------

## Duncan Mac Leod

Mike sent me an email today that 4.1.35 (incl. COW fix) is now in portage.

Just successfully compiled gentoo-sources-4.1.35, now up and running!

Thank you Mike!

----------

