git.fsl.cs.sunysb.edu Git - wrapfs-5.3.y.git/commit

author	Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
	Mon, 11 Apr 2016 01:13:13 +0000 (19:13 -0600)
committer	Jiri Slaby <jslaby@suse.cz>
	Tue, 31 May 2016 06:42:10 +0000 (08:42 +0200)
commit	0ab923b3982c323bd95e63a9b93dc65d1aebb94f
tree	9c54821802264bba631931d3daa03e2aa903d751	tree \| snapshot
parent	2963542faf2956563c4081080ca090d82a797d48	commit \| diff

IB/security: Restrict use of the write() interface

commit e6bd18f57aad1a2d1ef40e646d03ed0f2515c9e3 upstream.

The drivers/infiniband stack uses write() as a replacement for
bi-directional ioctl(). This is not safe. There are ways to
trigger write calls that result in the return structure that
is normally written to user space being shunted off to user
specified kernel memory instead.

For the immediate repair, detect and deny suspicious accesses to
the write API.

For long term, update the user space libraries and the kernel API
to something that doesn't present the same security vulnerabilities
(likely a structured ioctl() interface).

The impacted uAPI interfaces are generally only available if
hardware from drivers/infiniband is installed in the system.

[js] backport to 3.12: hfi1 is not there yet (exclude), ipath is still
there (include)

Reported-by: Jann Horn <jann@thejh.net>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
[ Expanded check to all known write() entry points ]
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>

drivers/infiniband/core/ucm.c		diff \| blob \| history
drivers/infiniband/core/ucma.c		diff \| blob \| history
drivers/infiniband/core/uverbs_main.c		diff \| blob \| history
drivers/infiniband/hw/ipath/ipath_file_ops.c		diff \| blob \| history
drivers/infiniband/hw/qib/qib_file_ops.c		diff \| blob \| history
include/rdma/ib.h		diff \| blob \| history