Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-4.9 / e6bd18f57aad1a2d1ef40e646d03ed0f2515c9e3
commite6bd18f57aad1a2d1ef40e646d03ed0f2515c9e3[log] [tgz]
authorJason Gunthorpe <jgunthorpe@obsidianresearch.com>Sun Apr 10 19:13:13 2016 -0600
committerDoug Ledford <dledford@redhat.com>Thu Apr 28 12:03:16 2016 -0400
tree62a0a5f3cf239387c095c8b99c67d2bcf9448071
parent7723d8c2445c4dfa91f8df42703b56f8ade59af7 [diff]
IB/security: Restrict use of the write() interface

The drivers/infiniband stack uses write() as a replacement for
bi-directional ioctl().  This is not safe. There are ways to
trigger write calls that result in the return structure that
is normally written to user space being shunted off to user
specified kernel memory instead.

For the immediate repair, detect and deny suspicious accesses to
the write API.

For long term, update the user space libraries and the kernel API
to something that doesn't present the same security vulnerabilities
(likely a structured ioctl() interface).

The impacted uAPI interfaces are generally only available if
hardware from drivers/infiniband is installed in the system.

Reported-by: Jann Horn <jann@thejh.net>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
[ Expanded check to all known write() entry points ]
Cc: stable@vger.kernel.org
Signed-off-by: Doug Ledford <dledford@redhat.com>
7 files changed
tree: 62a0a5f3cf239387c095c8b99c67d2bcf9448071
  1. arch/
  2. block/
  3. certs/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. firmware/
  8. fs/
  9. include/
  10. init/
  11. ipc/
  12. kernel/
  13. lib/
  14. mm/
  15. net/
  16. samples/
  17. scripts/
  18. security/
  19. sound/
  20. tools/
  21. usr/
  22. virt/
  23. .get_maintainer.ignore
  24. .gitignore
  25. .mailmap
  26. COPYING
  27. CREDITS
  28. Kbuild
  29. Kconfig
  30. MAINTAINERS
  31. Makefile
  32. README
  33. REPORTING-BUGS