From: Yann Droneaud <ydroneaud-RlY5vtjFyJ3QT0dZR+AlfA@public.gmane.org>
To: Jann Horn <jann-XZ1E9jl8jIdeoWH0uzbU5w@public.gmane.org>,
Jason Gunthorpe
<jgunthorpe-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>,
Doug Ledford <dledford-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
Cc: linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Subject: Re: [oss-security] CVE Request: Linux: IB/security: Restrict use of the write() interface'
Date: Sat, 07 May 2016 20:19:46 +0200 [thread overview]
Message-ID: <1462645186.4268.27.camel@opteya.com> (raw)
In-Reply-To: <20160507042232.GA5286-yvBWh1Eg28aNj9Bq2fkWzw@public.gmane.org>
Hi,
Le samedi 07 mai 2016 à 06:22 +0200, Salvatore Bonaccorso a écrit :
>
> Jann Horn reported an issue in the infiniband stack. It has been
> fixed
> in v4.6-rc6 with commit e6bd18f57aad1a2d1ef40e646d03ed0f2515c9e3:
>
> https://git.kernel.org/linus/e6bd18f57aad1a2d1ef40e646d03ed0f2515c9e3
>
> >
> > IB/security: Restrict use of the write() interface
> > The drivers/infiniband stack uses write() as a replacement for
> > bi-directional ioctl(). This is not safe. There are ways to
> > trigger write calls that result in the return structure that
> > is normally written to user space being shunted off to user
> > specified kernel memory instead.
> >
That's an interesting issue.
I thought access_ok() done as part of copy_to_user() would protect from
such unwelcomed behavior. But it's not if the kernel invoke write()
handler outside of a user process.
Anyway, as I don't see yet how to reproduce the issue, is there a PoC
available, I would be interested by a mean to trigger such write().
Regards.
--
Yann Droneaud
OPTEYA
--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next parent reply other threads:[~2016-05-07 18:19 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20160507042232.GA5286@eldamar.local>
[not found] ` <20160507042232.GA5286-yvBWh1Eg28aNj9Bq2fkWzw@public.gmane.org>
2016-05-07 18:19 ` Yann Droneaud [this message]
[not found] ` <1462645186.4268.27.camel-RlY5vtjFyJ3QT0dZR+AlfA@public.gmane.org>
2016-05-08 8:00 ` [oss-security] CVE Request: Linux: IB/security: Restrict use of the write() interface' Christoph Hellwig
2016-05-09 18:02 ` Jann Horn
[not found] ` <20160509180208.GB6372-J1fxOzX/cBvk1uMJSBkQmQ@public.gmane.org>
2016-05-09 19:10 ` Yann Droneaud
[not found] ` <1462821041.4268.43.camel-RlY5vtjFyJ3QT0dZR+AlfA@public.gmane.org>
2016-05-09 19:39 ` Jann Horn
2016-05-09 19:48 ` Yann Droneaud
[not found] ` <1462823339.4268.54.camel-RlY5vtjFyJ3QT0dZR+AlfA@public.gmane.org>
2016-05-12 0:12 ` ira.weiny
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1462645186.4268.27.camel@opteya.com \
--to=ydroneaud-rly5vtjfyj3qt0dzr+alfa@public.gmane.org \
--cc=dledford-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=jann-XZ1E9jl8jIdeoWH0uzbU5w@public.gmane.org \
--cc=jgunthorpe-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org \
--cc=linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox