Date: Mon, 09 May 2016 21:48:59 +0200
From: Yann Droneaud <ydroneaud@...eya.com>
To: oss-security@...ts.openwall.com
Cc: Doug Ledford <dledford@...hat.com>, Red Hat Security Response Team <secalert@...hat.com>, Ben Hutchings <benh@...ian.org>, linux-rdma@...r.kernel.org
Subject: Re: CVE Request: Linux: IB/security: Restrict use of the write() interface'

Hi,

On Saturday 07 May 2016 at 06:22 +0200, Salvatore Bonaccorso wrote:
>
> Jann Horn reported an issue in the infiniband stack. It has been fixed
> in v4.6-rc6 with commit e6bd18f57aad1a2d1ef40e646d03ed0f2515c9e3:
>
> https://git.kernel.org/linus/e6bd18f57aad1a2d1ef40e646d03ed0f2515c9e3
>
> > IB/security: Restrict use of the write() interface
> >
> > The drivers/infiniband stack uses write() as a replacement for
> > bi-directional ioctl(). This is not safe. There are ways to
> > trigger write calls that result in the return structure that
> > is normally written to user space being shunted off to user
> > specified kernel memory instead.
> >
> > For the immediate repair, detect and deny suspicious accesses to
> > the write API.
> >
> > For long term, update the user space libraries and the kernel API
> > to something that doesn't present the same security vulnerabilities
> > (likely a structured ioctl() interface).
> >
> > The impacted uAPI interfaces are generally only available if
> > hardware from drivers/infiniband is installed in the system.
As a workaround, I would suggest that systems which do not require (userspace) RDMA/Infiniband blacklist/remove the following modules:

  rdma_ucm
  ib_uverbs
  ib_ucm
  ib_umad

For example, add the following in /etc/modprobe.d/blacklist.conf:

  blacklist rdma_ucm
  blacklist ib_uverbs
  blacklist ib_ucm
  blacklist ib_umad

Those building their own kernel might want to disable, if not already:

  CONFIG_INFINIBAND_USER_ACCESS
  CONFIG_INFINIBAND_USER_MAD
  CONFIG_INFINIBAND_ADDR_TRANS

(Unfortunately the last one will also disable those features:

  iSCSI Extensions for RDMA (iSER)
  iSCSI Extensions for RDMA (iSER) target support
  RDS over Infiniband and iWARP
  9P RDMA Transport (Experimental)
  RPC-over-RDMA transport (which actually disables NFSoRDMA))

Regards.

-- 
Yann Droneaud
OPTEYA
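The following script is an added example, not part of Yann's message or of any project code: it audits and applies the modprobe blacklist suggested above and checks a kernel .config for the three options mentioned. The file paths are passed as parameters (the real ones would be /etc/modprobe.d/blacklist.conf and /boot/config-$(uname -r)); the files created in the demo section are constructed samples. The module and config names are the ones listed in the message; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): audit/apply the modprobe
# blacklist for the userspace RDMA modules and check a kernel .config
# for the user-access options. File paths are parameters so the checks
# run against constructed files; the real ones are
# /etc/modprobe.d/blacklist.conf and /boot/config-$(uname -r).

RDMA_USER_MODULES="rdma_ucm ib_uverbs ib_ucm ib_umad"
RDMA_USER_CONFIGS="CONFIG_INFINIBAND_USER_ACCESS CONFIG_INFINIBAND_USER_MAD CONFIG_INFINIBAND_ADDR_TRANS"

# Print the modules from RDMA_USER_MODULES that have no "blacklist <mod>"
# line in the given modprobe.d file. Whole-word match, so a line such as
# "blacklist ib_uverbs_foo" does not count for ib_uverbs.
missing_blacklist() {
    conf="$1"
    for m in $RDMA_USER_MODULES; do
        if ! grep -Eq "^[[:space:]]*blacklist[[:space:]]+$m([[:space:]]|\$)" "$conf" 2>/dev/null; then
            echo "$m"
        fi
    done
}

# Append a blacklist line for every module not yet blacklisted (idempotent:
# running it twice leaves the file unchanged the second time).
apply_blacklist() {
    conf="$1"
    for m in $(missing_blacklist "$conf"); do
        echo "blacklist $m" >> "$conf"
    done
}

# Print the options from RDMA_USER_CONFIGS that are enabled (=y or =m) in a
# kernel .config / /boot/config-* file. "# CONFIG_X is not set" lines and
# absent options are treated as disabled.
enabled_configs() {
    cfg="$1"
    for c in $RDMA_USER_CONFIGS; do
        if grep -Eq "^$c=(y|m)\$" "$cfg" 2>/dev/null; then
            echo "$c"
        fi
    done
}

# On a live system: which of the userspace RDMA modules are currently
# loaded (a blacklist only prevents automatic loading on the next boot, so
# already-loaded modules still need "rmmod" or a reboot).
loaded_rdma_modules() {
    for m in $RDMA_USER_MODULES; do
        if [ -d "/sys/module/$m" ]; then
            echo "$m"
        fi
    done
}

# Demo on constructed sample files (not real system state).
tmp=$(mktemp -d)
cat > "$tmp/blacklist.conf" <<'EOF'
# constructed sample: only one of the four modules already blacklisted
blacklist ib_umad
EOF
cat > "$tmp/config" <<'EOF'
CONFIG_INFINIBAND=m
CONFIG_INFINIBAND_USER_MAD=m
CONFIG_INFINIBAND_USER_ACCESS=m
# CONFIG_INFINIBAND_ADDR_TRANS is not set
EOF
echo "modules missing from blacklist before:"; missing_blacklist "$tmp/blacklist.conf"
apply_blacklist "$tmp/blacklist.conf"
echo "modules missing from blacklist after:"; missing_blacklist "$tmp/blacklist.conf"
echo "enabled userspace RDMA configs:"; enabled_configs "$tmp/config"
echo "currently loaded (live system only):"; loaded_rdma_modules
```

Note that the blacklist only stops udev/modprobe from auto-loading the modules; a module that is already loaded, or loaded by an explicit `modprobe` from root, is unaffected, which is why `loaded_rdma_modules` is there as a separate check.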