kernel/IB: IB-CVE-2016-4565dizzy-enea

Unprivileged process can overwrite kernel memory using rdma_ucm.ko References: =========== https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4565 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-4565 Reference to the upstream fix: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/ commit/?id=5d43a619be6f1960702daafafe87ceab415be6bc Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Tudor Florea <tudor.florea@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2016-06-10 14:29:25 +0200
committer: Tudor Florea <tudor.florea@enea.com> 2016-06-10 15:15:40 +0200
commit: be7da46fb53a1b572ab376128300751832aff851 (patch)
tree: af61578fa06db1e22334400966f9b5192af41f7a
parent: cb7889476c50f4223fc761c08f6953ce7a05e537 (diff)
download: meta-hierofalcon-dizzy-enea.tar.gz
3 files changed, 162 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-hierofalcon/IB-CVE-2016-4565.patch b/recipes-kernel/linux/linux-hierofalcon/IB-CVE-2016-4565.patch
new file mode 100644
index 0000000..0bd6d5c
--- /dev/null
+++ b/recipes-kernel/linux/linux-hierofalcon/IB-CVE-2016-4565.patch
@@ -0,0 +1,160 @@
+From 5d43a619be6f1960702daafafe87ceab415be6bc Mon Sep 17 00:00:00 2001
+From: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
+Date: Sun, 10 Apr 2016 19:13:13 -0600
+Subject: IB/security: Restrict use of the write() interface
+[ Upstream commit e6bd18f57aad1a2d1ef40e646d03ed0f2515c9e3 ]
+The drivers/infiniband stack uses write() as a replacement for
+bi-directional ioctl().  This is not safe. There are ways to
+trigger write calls that result in the return structure that
+is normally written to user space being shunted off to user
+specified kernel memory instead.
+For the immediate repair, detect and deny suspicious accesses to
+the write API.
+For long term, update the user space libraries and the kernel API
+to something that doesn't present the same security vulnerabilities
+(likely a structured ioctl() interface).
+The impacted uAPI interfaces are generally only available if
+hardware from drivers/infiniband is installed in the system.
+CVE: CVE-2016-4565
+Upstream-Status: Backport
+Reported-by: Jann Horn <jann@thejh.net>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
+[ Expanded check to all known write() entry points ]
+Cc: stable@vger.kernel.org
+Signed-off-by: Doug Ledford <dledford@redhat.com>
+Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ drivers/infiniband/core/ucm.c            |  4 ++++
+ drivers/infiniband/core/ucma.c           |  3 +++
+ drivers/infiniband/core/uverbs_main.c    |  5 +++++
+ drivers/infiniband/hw/qib/qib_file_ops.c |  5 +++++
+ include/rdma/ib.h                        | 16 ++++++++++++++++
+ 5 files changed, 33 insertions(+)
+diff --git a/drivers/infiniband/core/ucm.c b/drivers/infiniband/core/ucm.c
+index f2f6393..5befec1 100644
+--- a/drivers/infiniband/core/ucm.c
+++ b/drivers/infiniband/core/ucm.c
+@@ -48,6 +48,7 @@
+ 
+ #include <asm/uaccess.h>
+ 
+#include <rdma/ib.h>
+ #include <rdma/ib_cm.h>
+ #include <rdma/ib_user_cm.h>
+ #include <rdma/ib_marshall.h>
+@@ -1104,6 +1105,9 @@ static ssize_t ib_ucm_write(struct file *filp, const char __user *buf,
+        struct ib_ucm_cmd_hdr hdr;
+        ssize_t result;
+ 
+       if (WARN_ON_ONCE(!ib_safe_file_access(filp)))
+               return -EACCES;
+
+        if (len < sizeof(hdr))
+                return -EINVAL;
+ 
+diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c
+index 45d67e9..81dd84d 100644
+--- a/drivers/infiniband/core/ucma.c
+++ b/drivers/infiniband/core/ucma.c
+@@ -1487,6 +1487,9 @@ static ssize_t ucma_write(struct file *filp, const char __user *buf,
+        struct rdma_ucm_cmd_hdr hdr;
+        ssize_t ret;
+ 
+       if (WARN_ON_ONCE(!ib_safe_file_access(filp)))
+               return -EACCES;
+
+        if (len < sizeof(hdr))
+                return -EINVAL;
+ 
+diff --git a/drivers/infiniband/core/uverbs_main.c b/drivers/infiniband/core/uverbs_main.c
+index 09686d4..e063b07 100644
+--- a/drivers/infiniband/core/uverbs_main.c
+++ b/drivers/infiniband/core/uverbs_main.c
+@@ -48,6 +48,8 @@
+ 
+ #include <asm/uaccess.h>
+ 
+#include <rdma/ib.h>
+
+ #include "uverbs.h"
+ 
+ MODULE_AUTHOR("Roland Dreier");
+@@ -613,6 +615,9 @@ static ssize_t ib_uverbs_write(struct file *filp, const char __user *buf,
+        struct ib_uverbs_cmd_hdr hdr;
+        __u32 flags;
+ 
+       if (WARN_ON_ONCE(!ib_safe_file_access(filp)))
+               return -EACCES;
+
+        if (count < sizeof hdr)
+                return -EINVAL;
+ 
+diff --git a/drivers/infiniband/hw/qib/qib_file_ops.c b/drivers/infiniband/hw/qib/qib_file_ops.c
+index 7258818..619154e 100644
+--- a/drivers/infiniband/hw/qib/qib_file_ops.c
+++ b/drivers/infiniband/hw/qib/qib_file_ops.c
+@@ -45,6 +45,8 @@
+ #include <linux/export.h>
+ #include <linux/uio.h>
+ 
+#include <rdma/ib.h>
+
+ #include "qib.h"
+ #include "qib_common.h"
+ #include "qib_user_sdma.h"
+@@ -2067,6 +2069,9 @@ static ssize_t qib_write(struct file *fp, const char __user *data,
+        ssize_t ret = 0;
+        void *dest;
+ 
+       if (WARN_ON_ONCE(!ib_safe_file_access(fp)))
+               return -EACCES;
+
+        if (count < sizeof(cmd.type)) {
+                ret = -EINVAL;
+                goto bail;
+diff --git a/include/rdma/ib.h b/include/rdma/ib.h
+index cf8f9e7..a6b9370 100644
+--- a/include/rdma/ib.h
+++ b/include/rdma/ib.h
+@@ -34,6 +34,7 @@
+ #define _RDMA_IB_H
+ 
+ #include <linux/types.h>
+#include <linux/sched.h>
+ 
+ struct ib_addr {
+        union {
+@@ -86,4 +87,19 @@ struct sockaddr_ib {
+        __u64                   sib_scope_id;
+ };
+ 
+/*
+ * The IB interfaces that use write() as bi-directional ioctl() are
+ * fundamentally unsafe, since there are lots of ways to trigger "write()"
+ * calls from various contexts with elevated privileges. That includes the
+ * traditional suid executable error message writes, but also various kernel
+ * interfaces that can write to file descriptors.
+ *
+ * This function provides protection for the legacy API by restricting the
+ * calling context.
+ */
+static inline bool ib_safe_file_access(struct file *filp)
+{
+       return filp->f_cred == current_cred() && segment_eq(get_fs(), USER_DS);
+}
+
+ #endif /* _RDMA_IB_H */
+-- 
+cgit v0.12
diff --git a/recipes-kernel/linux/linux-hierofalcon_3.19.bb b/recipes-kernel/linux/linux-hierofalcon_3.19.bb
index 5c24d8e..7b40313 100644
--- a/recipes-kernel/linux/linux-hierofalcon_3.19.bb
+++ b/recipes-kernel/linux/linux-hierofalcon_3.19.bb
@@ -38,6 +38,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto-3.19;branch="standard/qemuarm6
           file://Btrfs-CVE-2015-8374.patch \
           file://ALSA-CVE-2016-2384.patch \
           file://net-ppp-CVE-2015-8569.patch \
+           file://IB-CVE-2016-4565.patch \
           "
 S = "${WORKDIR}/git"
diff --git a/recipes-kernel/linux/linux-hierofalcon_4.1.bb b/recipes-kernel/linux/linux-hierofalcon_4.1.bb
index 9a0f2d7..a55415c 100644
--- a/recipes-kernel/linux/linux-hierofalcon_4.1.bb
+++ b/recipes-kernel/linux/linux-hierofalcon_4.1.bb
@@ -39,6 +39,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto-4.1;branch="standard/qemuarm64
           file://Btrfs-CVE-2015-8374.patch \
           file://ALSA-CVE-2016-2384.patch \
           file://net-ppp-CVE-2015-8569.patch \
+           file://IB-CVE-2016-4565.patch \
           "
 S = "${WORKDIR}/git"
author	Sona Sarmadi <sona.sarmadi@enea.com>	2016-06-10 14:29:25 +0200
committer	Tudor Florea <tudor.florea@enea.com>	2016-06-10 15:15:40 +0200
commit	be7da46fb53a1b572ab376128300751832aff851 (patch)
tree	af61578fa06db1e22334400966f9b5192af41f7a
parent	cb7889476c50f4223fc761c08f6953ce7a05e537 (diff)
download	meta-hierofalcon-dizzy-enea.tar.gz

diff --git a/recipes-kernel/linux/linux-hierofalcon/IB-CVE-2016-4565.patch b/recipes-kernel/linux/linux-hierofalcon/IB-CVE-2016-4565.patch new file mode 100644 index 0000000..0bd6d5c --- /dev/null +++ b/recipes-kernel/linux/linux-hierofalcon/IB-CVE-2016-4565.patch
@@ -0,0 +1,160 @@
		1	From 5d43a619be6f1960702daafafe87ceab415be6bc Mon Sep 17 00:00:00 2001
		2	From: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
		3	Date: Sun, 10 Apr 2016 19:13:13 -0600
		4	Subject: IB/security: Restrict use of the write() interface
		5
		6	[ Upstream commit e6bd18f57aad1a2d1ef40e646d03ed0f2515c9e3 ]
		7
		8	The drivers/infiniband stack uses write() as a replacement for
		9	bi-directional ioctl(). This is not safe. There are ways to
		10	trigger write calls that result in the return structure that
		11	is normally written to user space being shunted off to user
		12	specified kernel memory instead.
		13
		14	For the immediate repair, detect and deny suspicious accesses to
		15	the write API.
		16
		17	For long term, update the user space libraries and the kernel API
		18	to something that doesn't present the same security vulnerabilities
		19	(likely a structured ioctl() interface).
		20
		21	The impacted uAPI interfaces are generally only available if
		22	hardware from drivers/infiniband is installed in the system.
		23
		24	CVE: CVE-2016-4565
		25	Upstream-Status: Backport
		26
		27	Reported-by: Jann Horn <jann@thejh.net>
		28	Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
		29	Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
		30	[ Expanded check to all known write() entry points ]
		31	Cc: stable@vger.kernel.org
		32	Signed-off-by: Doug Ledford <dledford@redhat.com>
		33
		34	Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
		35	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
		36	---
		37	drivers/infiniband/core/ucm.c \| 4 ++++
		38	drivers/infiniband/core/ucma.c \| 3 +++
		39	drivers/infiniband/core/uverbs_main.c \| 5 +++++
		40	drivers/infiniband/hw/qib/qib_file_ops.c \| 5 +++++
		41	include/rdma/ib.h \| 16 ++++++++++++++++
		42	5 files changed, 33 insertions(+)
		43
		44	diff --git a/drivers/infiniband/core/ucm.c b/drivers/infiniband/core/ucm.c
		45	index f2f6393..5befec1 100644
		46	--- a/drivers/infiniband/core/ucm.c
		47	+++ b/drivers/infiniband/core/ucm.c
		48	@@ -48,6 +48,7 @@
		49
		50	#include <asm/uaccess.h>
		51
		52	+#include <rdma/ib.h>
		53	#include <rdma/ib_cm.h>
		54	#include <rdma/ib_user_cm.h>
		55	#include <rdma/ib_marshall.h>
		56	@@ -1104,6 +1105,9 @@ static ssize_t ib_ucm_write(struct file filp, const char __user buf,
		57	struct ib_ucm_cmd_hdr hdr;
		58	ssize_t result;
		59
		60	+ if (WARN_ON_ONCE(!ib_safe_file_access(filp)))
		61	+ return -EACCES;
		62	+
		63	if (len < sizeof(hdr))
		64	return -EINVAL;
		65
		66	diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c
		67	index 45d67e9..81dd84d 100644
		68	--- a/drivers/infiniband/core/ucma.c
		69	+++ b/drivers/infiniband/core/ucma.c
		70	@@ -1487,6 +1487,9 @@ static ssize_t ucma_write(struct file filp, const char __user buf,
		71	struct rdma_ucm_cmd_hdr hdr;
		72	ssize_t ret;
		73
		74	+ if (WARN_ON_ONCE(!ib_safe_file_access(filp)))
		75	+ return -EACCES;
		76	+
		77	if (len < sizeof(hdr))
		78	return -EINVAL;
		79
		80	diff --git a/drivers/infiniband/core/uverbs_main.c b/drivers/infiniband/core/uverbs_main.c
		81	index 09686d4..e063b07 100644
		82	--- a/drivers/infiniband/core/uverbs_main.c
		83	+++ b/drivers/infiniband/core/uverbs_main.c
		84	@@ -48,6 +48,8 @@
		85
		86	#include <asm/uaccess.h>
		87
		88	+#include <rdma/ib.h>
		89	+
		90	#include "uverbs.h"
		91
		92	MODULE_AUTHOR("Roland Dreier");
		93	@@ -613,6 +615,9 @@ static ssize_t ib_uverbs_write(struct file filp, const char __user buf,
		94	struct ib_uverbs_cmd_hdr hdr;
		95	__u32 flags;
		96
		97	+ if (WARN_ON_ONCE(!ib_safe_file_access(filp)))
		98	+ return -EACCES;
		99	+
		100	if (count < sizeof hdr)
		101	return -EINVAL;
		102
		103	diff --git a/drivers/infiniband/hw/qib/qib_file_ops.c b/drivers/infiniband/hw/qib/qib_file_ops.c
		104	index 7258818..619154e 100644
		105	--- a/drivers/infiniband/hw/qib/qib_file_ops.c
		106	+++ b/drivers/infiniband/hw/qib/qib_file_ops.c
		107	@@ -45,6 +45,8 @@
		108	#include <linux/export.h>
		109	#include <linux/uio.h>
		110
		111	+#include <rdma/ib.h>
		112	+
		113	#include "qib.h"
		114	#include "qib_common.h"
		115	#include "qib_user_sdma.h"
		116	@@ -2067,6 +2069,9 @@ static ssize_t qib_write(struct file fp, const char __user data,
		117	ssize_t ret = 0;
		118	void *dest;
		119
		120	+ if (WARN_ON_ONCE(!ib_safe_file_access(fp)))
		121	+ return -EACCES;
		122	+
		123	if (count < sizeof(cmd.type)) {
		124	ret = -EINVAL;
		125	goto bail;
		126	diff --git a/include/rdma/ib.h b/include/rdma/ib.h
		127	index cf8f9e7..a6b9370 100644
		128	--- a/include/rdma/ib.h
		129	+++ b/include/rdma/ib.h
		130	@@ -34,6 +34,7 @@
		131	#define _RDMA_IB_H
		132
		133	#include <linux/types.h>
		134	+#include <linux/sched.h>
		135
		136	struct ib_addr {
		137	union {
		138	@@ -86,4 +87,19 @@ struct sockaddr_ib {
		139	__u64 sib_scope_id;
		140	};
		141
		142	+/*
		143	+ * The IB interfaces that use write() as bi-directional ioctl() are
		144	+ * fundamentally unsafe, since there are lots of ways to trigger "write()"
		145	+ * calls from various contexts with elevated privileges. That includes the
		146	+ * traditional suid executable error message writes, but also various kernel
		147	+ * interfaces that can write to file descriptors.
		148	+ *
		149	+ * This function provides protection for the legacy API by restricting the
		150	+ * calling context.
		151	+ */
		152	+static inline bool ib_safe_file_access(struct file *filp)
		153	+{
		154	+ return filp->f_cred == current_cred() && segment_eq(get_fs(), USER_DS);
		155	+}
		156	+
		157	#endif /* _RDMA_IB_H */
		158	--
		159	cgit v0.12
		160


diff --git a/recipes-kernel/linux/linux-hierofalcon_3.19.bb b/recipes-kernel/linux/linux-hierofalcon_3.19.bb index 5c24d8e..7b40313 100644 --- a/recipes-kernel/linux/linux-hierofalcon_3.19.bb +++ b/recipes-kernel/linux/linux-hierofalcon_3.19.bb
@@ -38,6 +38,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto-3.19;branch="standard/qemuarm6
38	file://Btrfs-CVE-2015-8374.patch \	38	file://Btrfs-CVE-2015-8374.patch \
39	file://ALSA-CVE-2016-2384.patch \	39	file://ALSA-CVE-2016-2384.patch \
40	file://net-ppp-CVE-2015-8569.patch \	40	file://net-ppp-CVE-2015-8569.patch \
		41	file://IB-CVE-2016-4565.patch \
41	"	42	"
42		43
43	S = "${WORKDIR}/git"	44	S = "${WORKDIR}/git"


diff --git a/recipes-kernel/linux/linux-hierofalcon_4.1.bb b/recipes-kernel/linux/linux-hierofalcon_4.1.bb index 9a0f2d7..a55415c 100644 --- a/recipes-kernel/linux/linux-hierofalcon_4.1.bb +++ b/recipes-kernel/linux/linux-hierofalcon_4.1.bb
@@ -39,6 +39,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto-4.1;branch="standard/qemuarm64
39	file://Btrfs-CVE-2015-8374.patch \	39	file://Btrfs-CVE-2015-8374.patch \
40	file://ALSA-CVE-2016-2384.patch \	40	file://ALSA-CVE-2016-2384.patch \
41	file://net-ppp-CVE-2015-8569.patch \	41	file://net-ppp-CVE-2015-8569.patch \
		42	file://IB-CVE-2016-4565.patch \
42	"	43	"
43		44
44	S = "${WORKDIR}/git"	45	S = "${WORKDIR}/git"