git.baikalelectronics.ru Git - kernel.git/commit

author	Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
	Mon, 11 Apr 2016 01:13:13 +0000 (19:13 -0600)
committer	Doug Ledford <dledford@redhat.com>
	Thu, 28 Apr 2016 16:03:16 +0000 (12:03 -0400)
commit	64cafcf96f84c9f82856d951c8e762de44fff918
tree	62a0a5f3cf239387c095c8b99c67d2bcf9448071	tree \| snapshot
parent	dbe32b80768f8ef1e5ed3ec58df1484b311face3	commit \| diff

IB/security: Restrict use of the write() interface

The drivers/infiniband stack uses write() as a replacement for
bi-directional ioctl(). This is not safe. There are ways to
trigger write calls that result in the return structure that
is normally written to user space being shunted off to user
specified kernel memory instead.

For the immediate repair, detect and deny suspicious accesses to
the write API.

For long term, update the user space libraries and the kernel API
to something that doesn't present the same security vulnerabilities
(likely a structured ioctl() interface).

The impacted uAPI interfaces are generally only available if
hardware from drivers/infiniband is installed in the system.

Reported-by: Jann Horn <jann@thejh.net>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
[ Expanded check to all known write() entry points ]
Cc: stable@vger.kernel.org
Signed-off-by: Doug Ledford <dledford@redhat.com>

drivers/infiniband/core/ucm.c		diff \| blob \| history
drivers/infiniband/core/ucma.c		diff \| blob \| history
drivers/infiniband/core/uverbs_main.c		diff \| blob \| history
drivers/infiniband/hw/qib/qib_file_ops.c		diff \| blob \| history
drivers/staging/rdma/hfi1/TODO		diff \| blob \| history
drivers/staging/rdma/hfi1/file_ops.c		diff \| blob \| history
include/rdma/ib.h		diff \| blob \| history