I originally submitted this to the kernel security team, and was told
it was intentional behaviour:
/proc/self/mem can be used to write to read-only segments (note: this
is nothing to do with "dirtycow").
As a proof of concept, I show that malicious input to the "dd" program
can cause arbitrary code execution by overwriting the text segment:
dd if=pwn of=/proc/self/mem bs=4194304 seek=1
"pwn" is attached. It consists of a nop sled, and then x64 TCP
shellcode (port 1337,
http://shell-storm.org/shellcode/files/shellcode-858.php).
On both Debian 8 and Arch Linux (x86_64), dd has PIE disabled, and
4194304 is the start address of the text segment.
I believe this affects all versions of dd.
This PoC could potentially be used to escape sandboxes on any system
where "dd" is allowed to be used.
I assume the best way to fix this would be to disallow /proc/self/mem
as
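As an added defensive example (not part of the post above), a small detector that flags process command lines writing into /proc/<pid>/mem, the channel the PoC uses (dd's of= operand, or a shell redirection); the sample records are constructed and the record format is an assumption.

```python
"""Detection helper for the primitive described in the post above: a
process writing into /proc/<pid>/mem (dd of=/proc/self/mem, or a shell
redirection into it).  This is an added example, not code from the
post; the command lines in SAMPLE_RECORDS are constructed."""
import re

# /proc/self/mem, /proc/1234/mem and the per-thread /proc/<pid>/task/<tid>/mem
PROC_MEM = r"/proc/(?:self|thread-self|\d+)(?:/task/\d+)?/mem"

# Two write channels: dd's of= operand and a shell output redirection
# (>, >>, optionally prefixed by a file descriptor number).  The optional
# quote is captured so "of='/proc/self/mem'" is matched as a whole.
WRITE_TO_PROC_MEM = re.compile(
    r"(?:\bof=|\d?>>?\s*)(['\"]?)(" + PROC_MEM + r")\b\1"
)


def find_proc_mem_writes(cmdline: str) -> list[str]:
    """Return every /proc/.../mem path the command line writes to.
    Reads (if=/proc/self/mem, cat /proc/1/mem) are deliberately not
    flagged: the post's concern is the write side."""
    return [m.group(2) for m in WRITE_TO_PROC_MEM.finditer(cmdline)]


def scan(records: list[tuple[int, str]]) -> list[tuple[int, str, str]]:
    """records: (pid, cmdline) pairs as a process-exec monitor would log them
    (assumed format).  Returns (pid, target path, cmdline) per offending command."""
    alerts = []
    for pid, cmdline in records:
        for path in find_proc_mem_writes(cmdline):
            alerts.append((pid, path, cmdline))
    return alerts


# Constructed sample: one dd write (the post's PoC), one shell redirect,
# and two benign commands that only read from /proc.
SAMPLE_RECORDS = [
    (2001, "dd if=pwn of=/proc/self/mem bs=4194304 seek=1"),
    (2002, "dd if=/proc/self/mem of=/tmp/dump bs=4096 count=1"),
    (2003, 'sh -c "cat pwn >/proc/4242/mem"'),
    (2004, "cat /proc/1234/status > /tmp/status.txt"),
]

if __name__ == "__main__":
    for pid, path, cmd in scan(SAMPLE_RECORDS):
        print(f"pid {pid}: write to {path!r} via: {cmd}")
```

Command-line matching is only a telemetry signal; the durable control for a sandbox is to not expose a writable /proc/<pid>/mem to the confined process at all.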