linux/drivers/infiniband/core
Jason Gunthorpe e6bd18f57a IB/security: Restrict use of the write() interface
The drivers/infiniband stack uses write() as a replacement for
bi-directional ioctl().  This is not safe. There are ways to
trigger write calls that result in the return structure that
is normally written to user space being shunted off to user
specified kernel memory instead.

For the immediate repair, detect and deny suspicious accesses to
the write API.

For long term, update the user space libraries and the kernel API
to something that doesn't present the same security vulnerabilities
(likely a structured ioctl() interface).

The impacted uAPI interfaces are generally only available if
hardware from drivers/infiniband is installed in the system.

Reported-by: Jann Horn <jann@thejh.net>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
[ Expanded check to all known write() entry points ]
Cc: stable@vger.kernel.org
Signed-off-by: Doug Ledford <dledford@redhat.com>
2016-04-28 12:03:16 -04:00
..
addr.c IB/core: Use hop-limit from IP stack for RoCE 2016-01-19 15:26:56 -05:00
agent.c IB: split struct ib_send_wr 2015-10-08 11:09:10 +01:00
agent.h IB/mad: Add final OPA MAD processing 2015-06-12 14:49:18 -04:00
cache.c IB/core: Fix oops in ib_cache_gid_set_default_gid 2016-04-22 20:26:44 -04:00
cm_msgs.h IB/core: Fix unaligned accesses 2015-05-05 13:21:27 -04:00
cm.c IB/core: Use hop-limit from IP stack for RoCE 2016-01-19 15:26:56 -05:00
cma_configfs.c configfs: switch ->default groups to a linked list 2016-03-06 16:11:24 +01:00
cma.c Merge branches 'mlx4', 'mlx5' and 'ocrdma' into k.o/for-4.6 2016-03-16 13:38:28 -04:00
core_priv.h IB/cma: Add configfs for rdma_cm 2015-12-23 10:39:52 -05:00
cq.c IB: add a proper completion queue abstraction 2015-12-11 14:10:43 -08:00
device.c IB/core: Add subnet prefix to port info 2016-03-21 16:34:06 -04:00
fmr_pool.c IB/core: trivial prink cleanup. 2016-03-03 10:20:25 -05:00
iwcm.c iwcm: common code for port mapper 2016-03-16 13:47:52 -04:00
iwcm.h
iwpm_msg.c iwpm: crash fix for large connections test 2016-03-16 13:48:32 -04:00
iwpm_util.c iwpm: crash fix for large connections test 2016-03-16 13:48:32 -04:00
iwpm_util.h iwpm: crash fix for large connections test 2016-03-16 13:48:32 -04:00
mad_priv.h IB/mad: use CQ abstraction 2016-01-19 15:25:45 -05:00
mad_rmpp.c IB/mad: Add final OPA MAD processing 2015-06-12 14:49:18 -04:00
mad_rmpp.h RDMA: Remove subversion $Id tags 2008-07-14 23:48:44 -07:00
mad.c IB/mad: use CQ abstraction 2016-01-19 15:25:45 -05:00
Makefile IB/cma: Add configfs for rdma_cm 2015-12-23 10:39:52 -05:00
multicast.c IB/cma: Join and leave multicast groups with IGMP 2015-12-23 10:39:53 -05:00
netlink.c IB/core: Add rdma netlink helper functions 2015-08-30 18:12:25 -04:00
opa_smi.h IB: Add rdma_cap_ib_switch helper and use where appropriate 2015-07-14 13:20:08 -04:00
packer.c IB/core: trivial prink cleanup. 2016-03-03 10:20:25 -05:00
roce_gid_mgmt.c IB/core: Move rdma_is_upper_dev_rcu to header file 2015-12-23 10:35:12 -05:00
sa_query.c Round two of 4.6 merge window patches 2016-03-22 15:48:44 -07:00
sa.h IB: Remove garbage non-ASCII characters from comments 2007-07-09 16:17:32 -07:00
smi.c IB: Add rdma_cap_ib_switch helper and use where appropriate 2015-07-14 13:20:08 -04:00
smi.h IB: Add rdma_cap_ib_switch helper and use where appropriate 2015-07-14 13:20:08 -04:00
sysfs.c IB/core: Fix reading capability mask of the port info class 2016-02-11 11:05:56 -05:00
ucm.c IB/security: Restrict use of the write() interface 2016-04-28 12:03:16 -04:00
ucma.c IB/security: Restrict use of the write() interface 2016-04-28 12:03:16 -04:00
ud_header.c IB/core: trivial prink cleanup. 2016-03-03 10:20:25 -05:00
umem_odp.c mm/gup: Introduce get_user_pages_remote() 2016-02-16 10:04:09 +01:00
umem_rbtree.c IB/core: Implement support for MMU notifiers regarding on demand paging regions 2014-12-15 18:13:36 -08:00
umem.c mm/gup: Switch all callers of get_user_pages() to not pass tsk/mm 2016-02-16 10:11:12 +01:00
user_mad.c IB/mad: pass ib_mad_send_buf explicitly to the recv_handler 2016-01-19 15:25:36 -05:00
uverbs_cmd.c IB/{core, ulp} Support above 32 possible device capability flags 2016-03-21 16:32:59 -04:00
uverbs_main.c IB/security: Restrict use of the write() interface 2016-04-28 12:03:16 -04:00
uverbs_marshall.c IB/core: Add gid_type to gid attribute 2015-12-23 10:35:10 -05:00
uverbs.h IB: remove in-kernel support for memory windows 2015-12-23 14:29:04 -05:00
verbs.c IB/core: Don't drain non-existent rq queue-pair 2016-04-26 12:40:50 -04:00