git.kernelconcepts.de Git - karo-tx-linux.git/commit

IB/security: Restrict use of the write() interface

commit e6bd18f57aad1a2d1ef40e646d03ed0f2515c9e3 upstream.

The drivers/infiniband stack uses write() as a replacement for
bi-directional ioctl(). This is not safe. There are ways to
trigger write calls that result in the return structure that
is normally written to user space being shunted off to user
specified kernel memory instead.

For the immediate repair, detect and deny suspicious accesses to
the write API.

For long term, update the user space libraries and the kernel API
to something that doesn't present the same security vulnerabilities
(likely a structured ioctl() interface).

The impacted uAPI interfaces are generally only available if
hardware from drivers/infiniband is installed in the system.

Reported-by: Jann Horn <jann@thejh.net>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
[ Expanded check to all known write() entry points ]
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

author	Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
	Mon, 11 Apr 2016 01:13:13 +0000 (19:13 -0600)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Wed, 4 May 2016 21:48:48 +0000 (14:48 -0700)
commit	c92003c18feb8159cbf64bc0afa7b048869fe3c6
tree	d998a803ccf98f180ae6d926d5d819b4622428ee	tree \| snapshot
parent	29ebbba744cf8951202b5f4ea62b4a297f4662c1	commit \| diff

drivers/infiniband/core/ucm.c		diff \| blob \| history
drivers/infiniband/core/ucma.c		diff \| blob \| history
drivers/infiniband/core/uverbs_main.c		diff \| blob \| history
drivers/infiniband/hw/qib/qib_file_ops.c		diff \| blob \| history
drivers/staging/rdma/hfi1/TODO		diff \| blob \| history
drivers/staging/rdma/hfi1/file_ops.c		diff \| blob \| history
include/rdma/ib.h		diff \| blob \| history