Date: Wed, 11 May 2016 20:12:32 -0400
From: "ira.weiny" <ira.weiny@...el.com>
To: Yann Droneaud <ydroneaud@...eya.com>
Cc: oss-security@...ts.openwall.com, Doug Ledford <dledford@...hat.com>,
        Red Hat Security Response Team <secalert@...hat.com>,
        Ben Hutchings <benh@...ian.org>, linux-rdma@...r.kernel.org
Subject: Re: CVE Request: Linux: IB/security: Restrict use of the write() interface'

On Mon, May 09, 2016 at 09:48:59PM +0200, Yann Droneaud wrote:
> Hi,
> 
> 
> As a workaround, I would suggest that systems which do not require
> (userspace) RDMA/Infiniband blacklist/remove the following modules:
> 
>   rdma_ucm
>   ib_uverbs
>   ib_ucm
>   ib_umad

NOTE: AFAICT ib_umad is not vulnerable as it uses correct write/read semantics.
However, if you are disabling the other modules you probably have no use for
ib_umad either.

Ira

> 
> For example, add the following to /etc/modprobe.d/blacklist.conf
> 
>   blacklist rdma_ucm
>   blacklist ib_uverbs
>   blacklist ib_ucm
>   blacklist ib_umad
> 
> Those building their own kernel might want to disable, if not already,
> 
>   CONFIG_INFINIBAND_USER_ACCESS, 
>   CONFIG_INFINIBAND_USER_MAD,
>   CONFIG_INFINIBAND_ADDR_TRANS
> 
> (Unfortunately the last one will also disable those features:
>   iSCSI Extensions for RDMA (iSER)
>   iSCSI Extensions for RDMA (iSER) target support
>   RDS over Infiniband and iWARP
>   9P RDMA Transport (Experimental)
>   RPC-over-RDMA transport
>     (which actually disables NFSoRDMA))
> 
> Regards.
> 
> -- 
> Yann Droneaud
> OPTEYA

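Added example, not part of either message: a shell audit that reports, for each of the four modules named in the workaround, whether it is currently loaded and whether a `blacklist` entry exists for it. The function names and the sample `/proc/modules` and `blacklist.conf` contents are constructed for illustration.

```bash
# Added example (not from the thread): report, for each module named in the
# workaround, whether it is loaded and whether a blacklist entry exists.
IB_USER_MODULES="rdma_ucm ib_uverbs ib_ucm ib_umad"

# is_loaded MODULE PROC_MODULES_FILE: match the first column only, because
# the fourth column of /proc/modules lists dependents by name as well.
is_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' "$2"
}

# is_blacklisted MODULE MODPROBE_DIR: look for "blacklist MODULE" in *.conf.
# modprobe treats '-' and '_' in module names as the same character.
is_blacklisted() {
    cat "$2"/*.conf 2>/dev/null | awk -v m="$1" '
        $1 == "blacklist" { n = $2; gsub(/-/, "_", n); if (n == m) found = 1 }
        END { exit !found }'
}

# audit PROC_MODULES_FILE MODPROBE_DIR: print one status line per module.
audit() {
    for m in $IB_USER_MODULES; do
        loaded=no; listed=no
        if is_loaded "$m" "$1"; then loaded=yes; fi
        if is_blacklisted "$m" "$2"; then listed=yes; fi
        printf '%s loaded=%s blacklisted=%s\n' "$m" "$loaded" "$listed"
    done
}

# make_sample DIR: write constructed sample input (not taken from a real host).
make_sample() {
    mkdir -p "$1/modprobe.d"
    cat > "$1/proc_modules" <<'EOF'
rdma_ucm 28672 0 - Live 0x0000000000000000
ib_uverbs 65536 1 rdma_ucm, Live 0x0000000000000000
ib_core 200704 2 rdma_ucm,ib_uverbs, Live 0x0000000000000000
EOF
    cat > "$1/modprobe.d/blacklist.conf" <<'EOF'
blacklist rdma_ucm
blacklist ib-ucm
# blacklist ib_umad
EOF
}

# Demo on the constructed sample; on a live system the call would be
#   audit /proc/modules /etc/modprobe.d
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
audit "$demo_dir/proc_modules" "$demo_dir/modprobe.d"
rm -rf "$demo_dir"
```

The two states are reported separately because a `blacklist` line only stops alias-based autoloading: it neither unloads a module that is already loaded nor blocks an explicit `modprobe` of it.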