• Jason Gunthorpe's avatar
    IB/security: Restrict use of the write() interface · 55ac348c
    Jason Gunthorpe authored
    commit e6bd18f5 upstream.
    
    The drivers/infiniband stack uses write() as a replacement for
    bi-directional ioctl().  This is not safe. There are ways to
    trigger write calls that result in the return structure that
    is normally written to user space being shunted off to user
    specified kernel memory instead.
    
    For the immediate repair, detect and deny suspicious accesses to
    the write API.
    
    For long term, update the user space libraries and the kernel API
    to something that doesn't present the same security vulnerabilities
    (likely a structured ioctl() interface).
    
    The impacted uAPI interfaces are generally only available if
    hardware from drivers/infiniband is installed in the system.
    Reported-by: default avatarJann Horn <jann@thejh.net>
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    Signed-off-by: default avatarJason Gunthorpe <jgunthorpe@obsidianresearch.com>
    [ Expanded check to all known write() entry points ]
    Cc: stable@vger.kernel.org
    Signed-off-by: default avatarDoug Ledford <dledford@redhat.com>
    [wt: no hfi1 subdir in 3.10. A minimal rdma/ib.h had to be created
     from 3.11 sources to keep the code similar to mainline]
    Signed-off-by: default avatarWilly Tarreau <w@1wt.eu>
    55ac348c
ucma.c 32.2 KB