Introduction: The Persistent Shadow of Dirty COW
In the landscape of Linux kernel vulnerabilities, CVE-2016-5195, famously known as Dirty COW (Copy-On-Write), stands out as a highly significant and impactful flaw. Discovered in 2016, this privilege escalation vulnerability in the Linux kernel’s memory management subsystem allowed an unprivileged local user to gain write access to otherwise read-only memory mappings. While the initial fanfare has subsided, understanding Dirty COW’s mechanism and its role in Android exploitation chains remains crucial for security professionals and enthusiasts. Even years after its patch, its principles illustrate how critical memory vulnerabilities can be leveraged to achieve full system control, particularly in environments like Android where the kernel often underpins the entire security model.
This article delves into the technical specifics of Dirty COW, explaining the underlying vulnerability and demonstrating its application within the context of Android devices. We’ll explore how this local privilege escalation (LPE) could transform limited user access into full root privileges, enabling an attacker to bypass critical security measures and achieve complete system compromise.
Understanding CVE-2016-5195: The Flaw at the Core
Dirty COW exploits a race condition in the Linux kernel’s handling of copy-on-write pages. The vulnerability stems from how the kernel manages private, read-only memory mappings, specifically during a combination of calls involving mmap, MADV_DONTNEED, and a race with write attempts via /proc/self/mem or ptrace.
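The guarantee that this race breaks can be observed directly on any Linux system. The following is an added example, not code from the original article: it writes through a MAP_PRIVATE mapping and confirms that the change lands in the process's private copy while the backing file stays untouched. The function name `cow_write_stays_private`, the scratch file under /tmp, and the sample contents are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed sample content standing in for a file the caller must not alter. */
static const char ORIGINAL[] = "read-only file contents";

/*
 * Returns 1 if a write through a MAP_PRIVATE mapping stayed in the private
 * copy (backing file unchanged), 0 if the file changed, -1 on setup error.
 */
int cow_write_stays_private(void)
{
    char path[] = "/tmp/cow_demo_XXXXXX";   /* hypothetical scratch file */
    char back[sizeof ORIGINAL] = {0};
    char *map = MAP_FAILED;
    int result = -1;

    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    if (write(fd, ORIGINAL, sizeof ORIGINAL) != (ssize_t)sizeof ORIGINAL)
        goto out;

    /* Private mapping: the first write faults and the kernel copies the page. */
    map = mmap(NULL, sizeof ORIGINAL, PROT_READ | PROT_WRITE, MAP_PRIVATE, fd, 0);
    if (map == MAP_FAILED)
        goto out;
    memcpy(map, "MODIFIED", 8);             /* lands in the private copy only */

    /* Re-read the file through the descriptor: it must still hold ORIGINAL. */
    if (pread(fd, back, sizeof back, 0) == (ssize_t)sizeof back)
        result = memcmp(back, ORIGINAL, sizeof ORIGINAL) == 0 &&
                 memcmp(map, "MODIFIED", 8) == 0;
    munmap(map, sizeof ORIGINAL);
out:
    close(fd);
    unlink(path);
    return result;
}

int main(void)
{
    int r = cow_write_stays_private();
    printf("write stayed in private copy: %s\n", r == 1 ? "yes" : r == 0 ? "NO" : "error");
    return r == 1 ? 0 : 1;
}
```

A result of 1 is the expected behaviour on any kernel; Dirty COW mattered because it let a write escape this private copy and reach the shared page backing the file.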
The copy_user_pages Bug
At its heart, the flaw resided in the copy_user_pages function, which is responsible for copying pages into memory. When a process attempts to write to a read-only, copy-on-write mapped page, the kernel typically creates a private writable copy of that page for the process. This is the