Writing to MAP_PRIVATE mmaped file
I am trying to understand this dirty CoW proof of concept: https://github.com/dirtycow/dirtycow...ter/dirtyc0w.c.

What happens when a child thread (procselfmemThread in the link above) writes to memory that is mapped as MAP_PRIVATE and PROT_READ by the parent? Specifically, does the kernel modify the existing mapping to be anonymous and writeable? And when does copy-on-write take place? Let's assume that the other child thread (madviseThread in the link above) is not running.

Inexecution answered 1/11, 2016 at 15:19
To answer your question precisely, the answer is in two parts.

1. Memory-mapping a read-only file

   Since you already mapped a file with PROT_READ and MAP_PRIVATE, this will create the VMA (virtual memory area) for your file. A VMA is nothing but a metadata structure to manage your process regions like text, data and mmap regions. The VMA will have a start and end address; these start and end addresses are basically your process virtual addresses for the memory-mapped region, which is file-backed and a read-only region (since PROT_READ).

2. Writing to /proc/self/mem

   /proc/self/mem is a special file which allows access to the process virtual address space. Since in the program you mentioned it seeks the file descriptor to the memory-mapped region (MAP_PRIVATE), it is basically writing to the memory-mapped region of the earlier mapped file; since it was a read-only mapping, upon being written it creates a copy of the page and copy-on-write takes place. Note: here the /proc/self/mem file is being written, not the memory-mapped region of the file.

Invariable answered 8/11, 2016 at 10:25
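The copy-on-write behaviour the answer describes can be observed directly. The following program is an added example, not code from the question, the answer, or the dirtycow repository: it maps a read-only file with PROT_READ and MAP_PRIVATE (the answer's part 1), then writes to that mapping and shows that the write lands in a private copy of the page while the file on disk stays unchanged. Instead of going through /proc/self/mem, it makes the private mapping writable with mprotect(), which the kernel permits on a MAP_PRIVATE mapping even when the file descriptor is O_RDONLY; the private copy this produces is the same outcome the answer describes for a write through /proc/self/mem, minus the /proc dependency. It assumes Linux with a writable /tmp; the file name and contents are constructed for the demo.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static const char ORIGINAL[] = "hello, read-only file\n";  /* constructed file contents */
static const char PATCHED[]  = "HELLO";                    /* constructed data written to the mapping */

/* Create a scratch file holding ORIGINAL and return a read-only fd for it.
 * The name is unlinked right away, so only the open fd keeps the file alive. */
static int make_readonly_file(void) {
    char path[64];
    snprintf(path, sizeof path, "/tmp/cow-demo-%ld", (long)getpid()); /* constructed path */
    int wfd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (wfd < 0) return -1;
    ssize_t want = (ssize_t)strlen(ORIGINAL);
    ssize_t got = write(wfd, ORIGINAL, (size_t)want);
    close(wfd);
    int rfd = open(path, O_RDONLY);
    unlink(path);
    if (got != want) { if (rfd >= 0) close(rfd); return -1; }
    return rfd;
}

/* Returns 0 when the private mapping shows the write and the file does not.
 * Each failed step returns its own negative code so a caller can tell them apart. */
int demo_private_cow(void) {
    int fd = make_readonly_file();
    if (fd < 0) return -1;
    size_t len = strlen(ORIGINAL);

    /* Part 1 of the answer: a read-only, private, file-backed VMA. */
    char *map = mmap(NULL, len, PROT_READ, MAP_PRIVATE, fd, 0);
    if (map == MAP_FAILED) { close(fd); return -2; }

    /* The fd is O_RDONLY, yet PROT_WRITE is allowed on a MAP_PRIVATE mapping:
     * a write can never reach the file, so the kernel lets the VMA become writable. */
    if (mprotect(map, len, PROT_READ | PROT_WRITE) != 0) { munmap(map, len); close(fd); return -3; }

    /* Part 2: the first write to the page triggers copy-on-write. The page-cache
     * page is left alone; this process now owns a private anonymous copy of it. */
    memcpy(map, PATCHED, strlen(PATCHED));
    int mapping_changed = memcmp(map, PATCHED, strlen(PATCHED)) == 0;

    /* Re-read the file through the fd (not the mapping) to see what is really on disk. */
    char disk[sizeof ORIGINAL];
    memset(disk, 0, sizeof disk);
    int file_unchanged = 0;
    if (lseek(fd, 0, SEEK_SET) == 0) {
        ssize_t n = read(fd, disk, len);
        file_unchanged = (n == (ssize_t)len) && memcmp(disk, ORIGINAL, len) == 0;
    }

    munmap(map, len);
    close(fd);
    if (!mapping_changed) return -4;
    if (!file_unchanged) return -5;
    return 0;
}

int main(void) {
    int rc = demo_private_cow();
    printf("%s (rc=%d)\n",
           rc == 0 ? "mapping shows the write, file on disk unchanged" : "unexpected result",
           rc);
    return rc == 0 ? 0 : 1;
}
```

The check that matters is the final read() through the descriptor: it goes to the file's page-cache page, which the private write never touched. Had the mapping been created with MAP_SHARED on an O_RDWR descriptor, the same memcpy would have modified that shared page and the change would have been visible through the descriptor as well; MAP_PRIVATE is exactly the promise that it is not.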