www.infradead.org Git - users/jedix/linux-maple.git/commit
IB/security: Restrict use of the write() interface
author: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
Mon, 11 Apr 2016 01:13:13 +0000 (19:13 -0600)
committer: Chuck Anderson <chuck.anderson@oracle.com>
Sun, 22 May 2016 23:00:08 +0000 (16:00 -0700)
commit: cfc1ba8fbc885986144ab5e18f5c6b12fef9bb87
tree: 5576b4e35c206dc2b2a112327c207f090b39d986
parent: 5dd95f3a123843124bbdb4c44c0ee8c7781da28a

IB/security: Restrict use of the write() interface

The drivers/infiniband stack uses write() as a replacement for
bi-directional ioctl().  This is not safe. There are ways to
trigger write calls that result in the return structure that
is normally written to user space being shunted off to user
specified kernel memory instead.

For the immediate repair, detect and deny suspicious accesses to
the write API.

For long term, update the user space libraries and the kernel API
to something that doesn't present the same security vulnerabilities
(likely a structured ioctl() interface).

The impacted uAPI interfaces are generally only available if
hardware from drivers/infiniband is installed in the system.

Reported-by: Jann Horn <jann@thejh.net>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
[ Expanded check to all known write() entry points ]
Cc: stable@vger.kernel.org
Signed-off-by: Doug Ledford <dledford@redhat.com>
CVE-2016-4565
Orabug: 23276449

(cherry-pick from e6bd18f57aad1a2d1ef40e646d03ed0f2515c9e3)
Signed-off-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>

drivers/infiniband/core/ucm.c
drivers/infiniband/core/ucma.c
drivers/infiniband/core/uverbs_main.c
drivers/infiniband/hw/qib/qib_file_ops.c
include/rdma/ib.h