LinuxQuestions.org - Linux - Newbie
Thread: Writing to MAP_PRIVATE mmaped file (https://www.linuxquestions.org/questions/linux-newbie-8/writing-to-map_private-mmaped-file-4175592655/)

rhw 11-01-2016 10:08 AM

Writing to MAP_PRIVATE mmaped file
 
I am trying to understand this dirty CoW proof of concept: https://github.com/dirtycow/dirtycow...ter/dirtyc0w.c.

What happens when a child thread (procselfmemThread in the link above) writes to memory that is mapped as MAP_PRIVATE and PROT_READ by the parent? Specifically, does the kernel modify the existing mapping to be anonymous and writeable? And when does copy-on-write take place? Let's assume that the other child thread (madviseThread in the link above) is not running.
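The following is an added example (not code from the thread or from the dirtyc0w PoC) that exercises exactly the case asked about: a file mapped MAP_PRIVATE with PROT_READ, written through /proc/self/mem, with no madvise thread. It assumes Linux with a writable /tmp; the file name, function names and the "CHANGED" bytes are mine. It checks three things: the process sees the new bytes, the file on disk is untouched, and /proc/self/maps still reports the region as r--p, so the kernel did not make the mapping writable; it satisfied the write by copying the page (copy-on-write) into a private anonymous page.

```c
/* Added example: observe copy-on-write on a MAP_PRIVATE/PROT_READ file mapping
 * when written through /proc/self/mem. Returns 0 if CoW behaved as expected,
 * 1..3 for an unexpected observation, negative for setup/environment failure. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Look up the permission field ("r--p" etc.) of the mapping containing addr. */
static int maps_perms(const void *addr, char out[5]) {
    FILE *f = fopen("/proc/self/maps", "r");
    char line[512]; unsigned long lo, hi; int found = -1;
    if (!f) return -1;
    while (fgets(line, sizeof line, f)) {
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, out) == 3 &&
            (unsigned long)addr >= lo && (unsigned long)addr < hi) { found = 0; break; }
    }
    fclose(f);
    return found;
}

int demo_private_cow(void) {
    char path[] = "/tmp/cow_demo_XXXXXX";          /* constructed scratch file */
    const char orig[] = "original file contents";
    const char patch[] = "CHANGED";
    char perms[5] = {0}, disk[sizeof orig];
    long pg = sysconf(_SC_PAGESIZE);
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);                                   /* file exists only while fd is open */
    if (ftruncate(fd, pg) != 0 ||
        pwrite(fd, orig, sizeof orig, 0) != (ssize_t)sizeof orig) { close(fd); return -2; }
    char *map = mmap(NULL, (size_t)pg, PROT_READ, MAP_PRIVATE, fd, 0);
    if (map == MAP_FAILED) { close(fd); return -3; }
    int mem = open("/proc/self/mem", O_RDWR);
    if (mem < 0) { munmap(map, (size_t)pg); close(fd); return -4; }
    /* The kernel services this write with FOLL_FORCE: the read-only protection
     * is bypassed for the access, and the file page is copied (CoW) for this process. */
    ssize_t n = pwrite(mem, patch, strlen(patch), (off_t)(uintptr_t)map);
    close(mem);
    int rc = 0;
    if (n != (ssize_t)strlen(patch)) rc = -5;
    else if (pread(fd, disk, sizeof orig, 0) != (ssize_t)sizeof orig) rc = -6;
    else if (memcmp(map, patch, strlen(patch)) != 0) rc = 1;   /* process did not see its write */
    else if (memcmp(disk, orig, sizeof orig) != 0) rc = 2;     /* file changed: CoW was bypassed */
    else if (maps_perms(map, perms) != 0 || strcmp(perms, "r--p") != 0) rc = 3; /* mapping altered */
    munmap(map, (size_t)pg); close(fd);
    return rc;
}
```

A return of 0 is the expected (and, on a patched kernel, the only) outcome; a 2 would mean the write reached the file-backed page, which is precisely what the madvise race in the PoC tricks the kernel into doing.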

jpollard 11-01-2016 08:36 PM

The problem is a race condition between the memory segment listed in /proc/self/mem and the time a privileged program memory mapped it. The shared memory is writable at first, as it is owned by the user. The memory is marked COW... and new memory is allocated for the privileged executable (different user)... Unfortunately, between the memory being marked owned/read/write by the user AND the new memory being marked, it is possible for /proc/self/mem to be opened -- on the privileged memory instead of the user's memory (this is why both threads try 100,000,000 times before giving up). Once opened, it can then be modified.
