From: Greg KH <greg-U8xfFu+wG4EAvxtiuMwx3w@public.gmane.org>
To: Doug Ledford <dledford-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
Cc: stable-u79uwXL29TY76Z2rM5mHXA@public.gmane.org,
linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
Subject: Re: [PATCH] IB/security: Restrict use of the write() interface
Date: Wed, 18 May 2016 10:20:12 -0700 [thread overview]
Message-ID: <20160518172012.GA6879@kroah.com> (raw)
In-Reply-To: <02bf2ebafbc5d757c0d250d8e5fba3ebdc7393fd.1463590718.git.dledford-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
On Wed, May 18, 2016 at 12:58:38PM -0400, Doug Ledford wrote:
> From: Jason Gunthorpe <jgunthorpe-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
>
> The drivers/infiniband stack uses write() as a replacement for
> bi-directional ioctl(). This is not safe. There are ways to
> trigger write calls that result in the return structure that
> is normally written to user space being shunted off to user
> specified kernel memory instead.
>
> For the immediate repair, detect and deny suspicious accesses to
> the write API.
>
> For long term, update the user space libraries and the kernel API
> to something that doesn't present the same security vulnerabilities
> (likely a structured ioctl() interface).
>
> The impacted uAPI interfaces are generally only available if
> hardware from drivers/infiniband is installed in the system.
>
> Reported-by: Jann Horn <jann-XZ1E9jl8jIdeoWH0uzbU5w@public.gmane.org>
> Signed-off-by: Linus Torvalds <torvalds-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>
> Signed-off-by: Jason Gunthorpe <jgunthorpe-ePGOBjL8dl3ta4EC/59zMFaTQe2KTcn/@public.gmane.org>
> [ Expanded check to all known write() entry points ]
> Cc: stable-u79uwXL29TY76Z2rM5mHXA@public.gmane.org # 3.14.x
> Signed-off-by: Doug Ledford <dledford-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
> [ Expanded to include removed ipath driver, and dropped non-existent
> hfi1 driver ]
> ---
> drivers/infiniband/core/ucm.c | 4 ++++
> drivers/infiniband/core/ucma.c | 3 +++
> drivers/infiniband/core/uverbs_main.c | 5 +++++
> drivers/infiniband/hw/ipath/ipath_file_ops.c | 5 +++++
> drivers/infiniband/hw/qib/qib_file_ops.c | 5 +++++
> include/rdma/ib.h | 16 ++++++++++++++++
> 6 files changed, 38 insertions(+)
I don't understand, is this only for 3.14.x? If so, what is the git
commit id in Linus's tree for this?
thanks,
greg k-h
--
To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
the body of a message to majordomo-u79uwXL29TY76Z2rM5mHXA@public.gmane.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2016-05-18 17:20 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-05-18 16:58 [PATCH] IB/security: Restrict use of the write() interface Doug Ledford
[not found] ` <02bf2ebafbc5d757c0d250d8e5fba3ebdc7393fd.1463590718.git.dledford-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2016-05-18 17:20 ` Greg KH [this message]
2016-05-18 17:57 ` Doug Ledford
2016-05-18 18:59 ` Or Gerlitz
2016-05-18 19:05 ` Doug Ledford
2016-05-18 19:47 ` Or Gerlitz
2016-05-18 19:59 ` Doug Ledford
2016-05-18 20:36 ` Or Gerlitz
2016-05-18 21:42 ` Doug Ledford
-- strict thread matches above, loose matches on Subject: below --
2016-05-18 16:46 [PATCH] IB/security: restrict " Doug Ledford
2016-05-18 20:40 ` Kamal Mostafa
2016-05-21 5:32 ` Greg KH
2016-05-18 16:41 Doug Ledford
2016-05-18 20:42 ` Kamal Mostafa
2016-05-18 21:40 ` Doug Ledford
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160518172012.GA6879@kroah.com \
--to=greg-u8xffu+wg4eavxtiumwx3w@public.gmane.org \
--cc=dledford-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=linux-rdma-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=stable-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox