authorSona Sarmadi <sona.sarmadi@enea.com>2016-06-10 14:29:25 +0200
committerTudor Florea <tudor.florea@enea.com>2016-06-10 15:15:40 +0200
commitbe7da46fb53a1b572ab376128300751832aff851 (patch)
treeaf61578fa06db1e22334400966f9b5192af41f7a
parentcb7889476c50f4223fc761c08f6953ce7a05e537 (diff)
kernel/IB: IB-CVE-2016-4565dizzy-enea
Unprivileged process can overwrite kernel memory using rdma_ucm.ko References: =========== https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4565 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-4565 Reference to the upstream fix: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/ commit/?id=5d43a619be6f1960702daafafe87ceab415be6bc Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Tudor Florea <tudor.florea@enea.com>
-rw-r--r--recipes-kernel/linux/linux-hierofalcon/IB-CVE-2016-4565.patch160
-rw-r--r--recipes-kernel/linux/linux-hierofalcon_3.19.bb1
-rw-r--r--recipes-kernel/linux/linux-hierofalcon_4.1.bb1
3 files changed, 162 insertions, 0 deletions
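--- /dev/null
+++ b/recipes-kernel/linux/linux-hierofalcon/IB-CVE-2016-4565.patch
@@ -0,0 +1,160 @@
+From 5d43a619be6f1960702daafafe87ceab415be6bc Mon Sep 17 00:00:00 2001
+From: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
+Date: Sun, 10 Apr 2016 19:13:13 -0600
+Subject: IB/security: Restrict use of the write() interface
+
+[ Upstream commit e6bd18f57aad1a2d1ef40e646d03ed0f2515c9e3 ]
+
+The drivers/infiniband stack uses write() as a replacement for
+bi-directional ioctl(). This is not safe. There are ways to
+trigger write calls that result in the return structure that
+is normally written to user space being shunted off to user
+specified kernel memory instead.
+
+For the immediate repair, detect and deny suspicious accesses to
+the write API.
+
+For long term, update the user space libraries and the kernel API
+to something that doesn't present the same security vulnerabilities
+(likely a structured ioctl() interface).
+
+The impacted uAPI interfaces are generally only available if
+hardware from drivers/infiniband is installed in the system.
+
+CVE: CVE-2016-4565
+Upstream-Status: Backport
+
+Reported-by: Jann Horn <jann@thejh.net>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
+[ Expanded check to all known write() entry points ]
+Cc: stable@vger.kernel.org
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+
+Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ drivers/infiniband/core/ucm.c | 4 ++++
+ drivers/infiniband/core/ucma.c | 3 +++
+ drivers/infiniband/core/uverbs_main.c | 5 +++++
+ drivers/infiniband/hw/qib/qib_file_ops.c | 5 +++++
+ include/rdma/ib.h | 16 ++++++++++++++++
+ 5 files changed, 33 insertions(+)
+
+diff --git a/drivers/infiniband/core/ucm.c b/drivers/infiniband/core/ucm.c
+index f2f6393..5befec1 100644
+--- a/drivers/infiniband/core/ucm.c
++++ b/drivers/infiniband/core/ucm.c
+@@ -48,6 +48,7 @@
+
+ #include <asm/uaccess.h>
+
++#include <rdma/ib.h>
+ #include <rdma/ib_cm.h>
+ #include <rdma/ib_user_cm.h>
+ #include <rdma/ib_marshall.h>
+@@ -1104,6 +1105,9 @@ static ssize_t ib_ucm_write(struct file *filp, const char __user *buf,
+ struct ib_ucm_cmd_hdr hdr;
+ ssize_t result;
+
++ if (WARN_ON_ONCE(!ib_safe_file_access(filp)))
++ return -EACCES;
++
+ if (len < sizeof(hdr))
+ return -EINVAL;
+
+diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c
+index 45d67e9..81dd84d 100644
+--- a/drivers/infiniband/core/ucma.c
++++ b/drivers/infiniband/core/ucma.c
+@@ -1487,6 +1487,9 @@ static ssize_t ucma_write(struct file *filp, const char __user *buf,
+ struct rdma_ucm_cmd_hdr hdr;
+ ssize_t ret;
+
++ if (WARN_ON_ONCE(!ib_safe_file_access(filp)))
++ return -EACCES;
++
+ if (len < sizeof(hdr))
+ return -EINVAL;
+
+diff --git a/drivers/infiniband/core/uverbs_main.c b/drivers/infiniband/core/uverbs_main.c
+index 09686d4..e063b07 100644
+--- a/drivers/infiniband/core/uverbs_main.c
++++ b/drivers/infiniband/core/uverbs_main.c
+@@ -48,6 +48,8 @@
+
+ #include <asm/uaccess.h>
+
++#include <rdma/ib.h>
++
+ #include "uverbs.h"
+
+ MODULE_AUTHOR("Roland Dreier");
+@@ -613,6 +615,9 @@ static ssize_t ib_uverbs_write(struct file *filp, const char __user *buf,
+ struct ib_uverbs_cmd_hdr hdr;
+ __u32 flags;
+
++ if (WARN_ON_ONCE(!ib_safe_file_access(filp)))
++ return -EACCES;
++
+ if (count < sizeof hdr)
+ return -EINVAL;
+
+diff --git a/drivers/infiniband/hw/qib/qib_file_ops.c b/drivers/infiniband/hw/qib/qib_file_ops.c
+index 7258818..619154e 100644
+--- a/drivers/infiniband/hw/qib/qib_file_ops.c
++++ b/drivers/infiniband/hw/qib/qib_file_ops.c
+@@ -45,6 +45,8 @@
+ #include <linux/export.h>
+ #include <linux/uio.h>
+
++#include <rdma/ib.h>
++
+ #include "qib.h"
+ #include "qib_common.h"
+ #include "qib_user_sdma.h"
+@@ -2067,6 +2069,9 @@ static ssize_t qib_write(struct file *fp, const char __user *data,
+ ssize_t ret = 0;
+ void *dest;
+
++ if (WARN_ON_ONCE(!ib_safe_file_access(fp)))
++ return -EACCES;
++
+ if (count < sizeof(cmd.type)) {
+ ret = -EINVAL;
+ goto bail;
+diff --git a/include/rdma/ib.h b/include/rdma/ib.h
+index cf8f9e7..a6b9370 100644
+--- a/include/rdma/ib.h
++++ b/include/rdma/ib.h
+@@ -34,6 +34,7 @@
+ #define _RDMA_IB_H
+
+ #include <linux/types.h>
++#include <linux/sched.h>
+
+ struct ib_addr {
+ union {
+@@ -86,4 +87,19 @@ struct sockaddr_ib {
+ __u64 sib_scope_id;
+ };
+
++/*
++ * The IB interfaces that use write() as bi-directional ioctl() are
++ * fundamentally unsafe, since there are lots of ways to trigger "write()"
++ * calls from various contexts with elevated privileges. That includes the
++ * traditional suid executable error message writes, but also various kernel
++ * interfaces that can write to file descriptors.
++ *
++ * This function provides protection for the legacy API by restricting the
++ * calling context.
++ */
++static inline bool ib_safe_file_access(struct file *filp)
++{
++ return filp->f_cred == current_cred() && segment_eq(get_fs(), USER_DS);
++}
++
+ #endif /* _RDMA_IB_H */
+--
+cgit v0.12
+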
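Review bot: The `WARN_ON_ONCE(!ib_safe_file_access(...))` guards added at the top of ib_ucm_write, ucma_write, ib_uverbs_write and qib_write fire on a condition the calling process controls. Where panic_on_warn is set, the first denied write() would therefore take the machine down. Because the warning is once-only, every later denial returns -EACCES with no log line, which leaves little for detection. As this is a stable backport, keeping it unchanged may be the right call, but the trade-off deserves a line in the patch header; the alternative is a plain check with a once-only message, e.g. `if (!ib_safe_file_access(filp)) { pr_err_once("write() denied: security context changed since open\n"); return -EACCES; }`. ib_safe_file_access compares `filp->f_cred` with `current_cred()` by pointer, and its comment could say that a descriptor opened before any credential change is refused; the four write handlers continue outside their hunks.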
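--- a/recipes-kernel/linux/linux-hierofalcon_3.19.bb
+++ b/recipes-kernel/linux/linux-hierofalcon_3.19.bb
@@ -38,6 +38,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto-3.19;branch="standard/qemuarm6
  file://Btrfs-CVE-2015-8374.patch \
  file://ALSA-CVE-2016-2384.patch \
  file://net-ppp-CVE-2015-8569.patch \
+ file://IB-CVE-2016-4565.patch \
  "
 
 S = "${WORKDIR}/git"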
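Review bot: The same IB-CVE-2016-4565.patch is added to SRC_URI here and in linux-hierofalcon_4.1.bb, but its hunks carry the offsets of a single tree (for example `@@ -1104,6 +1105,9 @@` in ucm.c), so on at least one of the two kernels it presumably applies with offsets or fuzz. The do_patch log for both recipes should confirm that each `ib_safe_file_access()` guard ends up as the first statement of its write handler, ahead of the length check. The patch header could record which stable branch it was taken from. The commit message says the check covers "all known write() entry points", and that list was drawn up for the upstream tree. Whether the 3.19 tree builds other write()-based drivers under drivers/infiniband is not visible on this page and is worth a quick grep.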
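--- a/recipes-kernel/linux/linux-hierofalcon_4.1.bb
+++ b/recipes-kernel/linux/linux-hierofalcon_4.1.bb
@@ -39,6 +39,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto-4.1;branch="standard/qemuarm64
  file://Btrfs-CVE-2015-8374.patch \
  file://ALSA-CVE-2016-2384.patch \
  file://net-ppp-CVE-2015-8569.patch \
+ file://IB-CVE-2016-4565.patch \
  "
 
 S = "${WORKDIR}/git"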