public inbox for linux-rdma@vger.kernel.org
 help / color / mirror / Atom feed
From: Yann Droneaud <ydroneaud-RlY5vtjFyJ3QT0dZR+AlfA@public.gmane.org>
To: oss-security-ZwoEplunGu1jrUoiu81ncdBPR1lH4CV8@public.gmane.org
Cc: Doug Ledford <dledford-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
	Red Hat Security Response Team
	<secalert-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
	Ben Hutchings <benh-8fiUuRrzOP0dnm+yROfE0A@public.gmane.org>,
	linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Subject: Re: [oss-security] CVE Request: Linux: IB/security: Restrict use of the write() interface'
Date: Mon, 09 May 2016 21:48:59 +0200	[thread overview]
Message-ID: <1462823339.4268.54.camel@opteya.com> (raw)
In-Reply-To: <20160507042232.GA5286-yvBWh1Eg28aNj9Bq2fkWzw@public.gmane.org>

Hi,

Le samedi 07 mai 2016 à 06:22 +0200, Salvatore Bonaccorso a écrit :
> 
> Jann Horn reported an issue in the infiniband stack. It has been
> fixed
> in v4.6-rc6 with commit e6bd18f57aad1a2d1ef40e646d03ed0f2515c9e3:
> 
> https://git.kernel.org/linus/e6bd18f57aad1a2d1ef40e646d03ed0f2515c9e3
> 
> > 
> > IB/security: Restrict use of the write() interface
> > The drivers/infiniband stack uses write() as a replacement for
> > bi-directional ioctl().  This is not safe. There are ways to
> > trigger write calls that result in the return structure that
> > is normally written to user space being shunted off to user
> > specified kernel memory instead.
> > 
> > For the immediate repair, detect and deny suspicious accesses to
> > the write API.
> > 
> > For long term, update the user space libraries and the kernel API
> > to something that doesn't present the same security vulnerabilities
> > (likely a structured ioctl() interface).
> > 
> > The impacted uAPI interfaces are generally only available if
> > hardware from drivers/infiniband is installed in the system.

As a workaround, I would suggest that systems which do not require
(userspace) RDMA/Infiniband to blacklist/remove the following modules:

  rdma_ucm
  ib_uverbs
  ib_ucm
  ib_umad

For example, adds the following in /etc/modprobe.d/blacklist.conf

  blacklist rdma_ucm
  blacklist ib_uverbs
  blacklist ib_ucm
  blacklist ib_umad

Those building their own kernel might want to disable, if not already,

  CONFIG_INFINIBAND_USER_ACCESS, 
  CONFIG_INFINIBAND_USER_MAD,
  CONFIG_INFINIBAND_ADDR_TRANS

(Unfortunately the last one will also disable those features:
  iSCSI Extensions for RDMA (iSER)
  iSCSI Extensions for RDMA (iSER) target support
  RDS over Infiniband and iWARP
  9P RDMA Transport (Experimental)
  RPC-over-RDMA transport
    (which actually disable NFSoRDMA))

Regards.

-- 
Yann Droneaud
OPTEYA

--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

  parent reply	other threads:[~2016-05-09 19:48 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <20160507042232.GA5286@eldamar.local>
     [not found] ` <20160507042232.GA5286-yvBWh1Eg28aNj9Bq2fkWzw@public.gmane.org>
2016-05-07 18:19   ` [oss-security] CVE Request: Linux: IB/security: Restrict use of the write() interface' Yann Droneaud
     [not found]     ` <1462645186.4268.27.camel-RlY5vtjFyJ3QT0dZR+AlfA@public.gmane.org>
2016-05-08  8:00       ` Christoph Hellwig
2016-05-09 18:02       ` Jann Horn
     [not found]         ` <20160509180208.GB6372-J1fxOzX/cBvk1uMJSBkQmQ@public.gmane.org>
2016-05-09 19:10           ` Yann Droneaud
     [not found]             ` <1462821041.4268.43.camel-RlY5vtjFyJ3QT0dZR+AlfA@public.gmane.org>
2016-05-09 19:39               ` Jann Horn
2016-05-09 19:48   ` Yann Droneaud [this message]
     [not found]     ` <1462823339.4268.54.camel-RlY5vtjFyJ3QT0dZR+AlfA@public.gmane.org>
2016-05-12  0:12       ` ira.weiny

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1462823339.4268.54.camel@opteya.com \
    --to=ydroneaud-rly5vtjfyj3qt0dzr+alfa@public.gmane.org \
    --cc=benh-8fiUuRrzOP0dnm+yROfE0A@public.gmane.org \
    --cc=dledford-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
    --cc=linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
    --cc=oss-security-ZwoEplunGu1jrUoiu81ncdBPR1lH4CV8@public.gmane.org \
    --cc=secalert-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox