Date: Wed, 11 May 2016 20:12:32 -0400
From: "ira.weiny" <ira.weiny@...el.com>
To: Yann Droneaud <ydroneaud@...eya.com>
Cc: oss-security@...ts.openwall.com, Doug Ledford <dledford@...hat.com>,
    Red Hat Security Response Team <secalert@...hat.com>,
    Ben Hutchings <benh@...ian.org>, linux-rdma@...r.kernel.org
Subject: Re: CVE Request: Linux: IB/security: Restrict use of the write() interface'

On Mon, May 09, 2016 at 09:48:59PM +0200, Yann Droneaud wrote:
> Hi,
>
>
> As a workaround, I would suggest that systems which do not require
> (userspace) RDMA/Infiniband blacklist/remove the following modules:
>
>     rdma_ucm
>     ib_uverbs
>     ib_ucm
>     ib_umad

NOTE: AFAICT ib_umad is not vulnerable as it uses correct write/read semantics.
However, if you are disabling the other modules you probably have no use for
ib_umad either.

Ira

>
> For example, add the following in /etc/modprobe.d/blacklist.conf
>
>     blacklist rdma_ucm
>     blacklist ib_uverbs
>     blacklist ib_ucm
>     blacklist ib_umad
>
> Those building their own kernel might want to disable, if not already,
>
>     CONFIG_INFINIBAND_USER_ACCESS,
>     CONFIG_INFINIBAND_USER_MAD,
>     CONFIG_INFINIBAND_ADDR_TRANS
>
> (Unfortunately the last one will also disable those features:
>     iSCSI Extensions for RDMA (iSER)
>     iSCSI Extensions for RDMA (iSER) target support
>     RDS over Infiniband and iWARP
>     9P RDMA Transport (Experimental)
>     RPC-over-RDMA transport
>     (which actually disable NFSoRDMA))
>
> Regards.
>
> --
> Yann Droneaud
> OPTEYA
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
> the body of a message to majordomo@...r.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
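An audit of a host against the workaround quoted in this thread, as an added example that is not part of the original messages: a blacklist entry does not unload a module that is already loaded, so the script reports loaded modules, missing blacklist lines and enabled kernel options separately. The function names, the `--live` switch and the `/boot/config-$(uname -r)` location are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a host against the workaround quoted in the thread.
MODULES="rdma_ucm ib_uverbs ib_ucm ib_umad"
OPTIONS="CONFIG_INFINIBAND_USER_ACCESS CONFIG_INFINIBAND_USER_MAD CONFIG_INFINIBAND_ADDR_TRANS"

# Print each listed module present in a /proc/modules-format file ($1).
loaded_modules() {
    for m in $MODULES; do
        awk -v m="$m" '$1 == m { f = 1 } END { exit !f }' "$1" && printf '%s\n' "$m"
    done
    return 0
}

# Print each listed module that has no "blacklist <name>" line in $1/*.conf.
# modprobe treats "-" and "_" in module names as equivalent, so normalise.
not_blacklisted() {
    for m in $MODULES; do
        cat "$1"/*.conf 2>/dev/null |
            awk -v m="$m" '$1 == "blacklist" { n = $2; gsub(/-/, "_", n); if (n == m) f = 1 }
                           END { exit !f }' || printf '%s\n' "$m"
    done
    return 0
}

# Print each listed option set to y or m in a kernel config file ($1).
enabled_options() {
    for o in $OPTIONS; do
        grep -Eq "^$o=[ym]\$" "$1" && printf '%s\n' "$o"
    done
    return 0
}

# Live run only on request; the config path is an assumption (common distro layout).
if [ "${1:-}" = "--live" ]; then
    echo "loaded:";          loaded_modules /proc/modules
    echo "not blacklisted:"; not_blacklisted /etc/modprobe.d
    cfg="/boot/config-$(uname -r)"
    if [ -r "$cfg" ]; then echo "enabled in $cfg:"; enabled_options "$cfg"; fi
fi
```

Run it with `--live` on the host being checked; empty sections mean nothing from the thread's lists was found in that category.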