From: Kamal Mostafa <kamal@canonical.com>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org,
kernel-team@lists.ubuntu.com
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
Jason Gunthorpe <jgunthorpe@obsidianresearch.com>,
Doug Ledford <dledford@redhat.com>,
Kamal Mostafa <kamal@canonical.com>
Subject: [PATCH 4.2.y-ckt 29/59] IB/security: Restrict use of the write() interface
Date: Mon, 9 May 2016 12:55:47 -0700 [thread overview]
Message-ID: <1462823777-8384-30-git-send-email-kamal@canonical.com> (raw)
In-Reply-To: <1462823777-8384-1-git-send-email-kamal@canonical.com>
4.2.8-ckt10 -stable review patch. If anyone has any objections, please let me know.
---8<------------------------------------------------------------
From: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
commit e6bd18f57aad1a2d1ef40e646d03ed0f2515c9e3 upstream.
The drivers/infiniband stack uses write() as a replacement for
bi-directional ioctl(). This is not safe. There are ways to
trigger write calls that result in the return structure that
is normally written to user space being shunted off to user
specified kernel memory instead.
For the immediate repair, detect and deny suspicious accesses to
the write API.
For long term, update the user space libraries and the kernel API
to something that doesn't present the same security vulnerabilities
(likely a structured ioctl() interface).
The impacted uAPI interfaces are generally only available if
hardware from drivers/infiniband is installed in the system.
Reported-by: Jann Horn <jann@thejh.net>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
[ Expanded check to all known write() entry points ]
Signed-off-by: Doug Ledford <dledford@redhat.com>
[ kamal: backport to 4.2-stable: no staging/rdma/ ]
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
---
drivers/infiniband/core/ucm.c | 4 ++++
drivers/infiniband/core/ucma.c | 3 +++
drivers/infiniband/core/uverbs_main.c | 5 +++++
drivers/infiniband/hw/qib/qib_file_ops.c | 5 +++++
include/rdma/ib.h | 16 ++++++++++++++++
5 files changed, 33 insertions(+)
diff --git a/drivers/infiniband/core/ucm.c b/drivers/infiniband/core/ucm.c
index 0094810..aca6043 100644
--- a/drivers/infiniband/core/ucm.c
+++ b/drivers/infiniband/core/ucm.c
@@ -48,6 +48,7 @@
#include <asm/uaccess.h>
+#include <rdma/ib.h>
#include <rdma/ib_cm.h>
#include <rdma/ib_user_cm.h>
#include <rdma/ib_marshall.h>
@@ -1104,6 +1105,9 @@ static ssize_t ib_ucm_write(struct file *filp, const char __user *buf,
struct ib_ucm_cmd_hdr hdr;
ssize_t result;
+ if (WARN_ON_ONCE(!ib_safe_file_access(filp)))
+ return -EACCES;
+
if (len < sizeof(hdr))
return -EINVAL;
diff --git a/drivers/infiniband/core/ucma.c b/drivers/infiniband/core/ucma.c
index 29b2121..66f1ca8 100644
--- a/drivers/infiniband/core/ucma.c
+++ b/drivers/infiniband/core/ucma.c
@@ -1474,6 +1474,9 @@ static ssize_t ucma_write(struct file *filp, const char __user *buf,
struct rdma_ucm_cmd_hdr hdr;
ssize_t ret;
+ if (WARN_ON_ONCE(!ib_safe_file_access(filp)))
+ return -EACCES;
+
if (len < sizeof(hdr))
return -EINVAL;
diff --git a/drivers/infiniband/core/uverbs_main.c b/drivers/infiniband/core/uverbs_main.c
index 15f4126..77c04a3 100644
--- a/drivers/infiniband/core/uverbs_main.c
+++ b/drivers/infiniband/core/uverbs_main.c
@@ -48,6 +48,8 @@
#include <asm/uaccess.h>
+#include <rdma/ib.h>
+
#include "uverbs.h"
MODULE_AUTHOR("Roland Dreier");
@@ -614,6 +616,9 @@ static ssize_t ib_uverbs_write(struct file *filp, const char __user *buf,
struct ib_uverbs_cmd_hdr hdr;
__u32 flags;
+ if (WARN_ON_ONCE(!ib_safe_file_access(filp)))
+ return -EACCES;
+
if (count < sizeof hdr)
return -EINVAL;
diff --git a/drivers/infiniband/hw/qib/qib_file_ops.c b/drivers/infiniband/hw/qib/qib_file_ops.c
index 7258818..619154e 100644
--- a/drivers/infiniband/hw/qib/qib_file_ops.c
+++ b/drivers/infiniband/hw/qib/qib_file_ops.c
@@ -45,6 +45,8 @@
#include <linux/export.h>
#include <linux/uio.h>
+#include <rdma/ib.h>
+
#include "qib.h"
#include "qib_common.h"
#include "qib_user_sdma.h"
@@ -2067,6 +2069,9 @@ static ssize_t qib_write(struct file *fp, const char __user *data,
ssize_t ret = 0;
void *dest;
+ if (WARN_ON_ONCE(!ib_safe_file_access(fp)))
+ return -EACCES;
+
if (count < sizeof(cmd.type)) {
ret = -EINVAL;
goto bail;
diff --git a/include/rdma/ib.h b/include/rdma/ib.h
index cf8f9e7..a6b9370 100644
--- a/include/rdma/ib.h
+++ b/include/rdma/ib.h
@@ -34,6 +34,7 @@
#define _RDMA_IB_H
#include <linux/types.h>
+#include <linux/sched.h>
struct ib_addr {
union {
@@ -86,4 +87,19 @@ struct sockaddr_ib {
__u64 sib_scope_id;
};
+/*
+ * The IB interfaces that use write() as bi-directional ioctl() are
+ * fundamentally unsafe, since there are lots of ways to trigger "write()"
+ * calls from various contexts with elevated privileges. That includes the
+ * traditional suid executable error message writes, but also various kernel
+ * interfaces that can write to file descriptors.
+ *
+ * This function provides protection for the legacy API by restricting the
+ * calling context.
+ */
+static inline bool ib_safe_file_access(struct file *filp)
+{
+ return filp->f_cred == current_cred() && segment_eq(get_fs(), USER_DS);
+}
+
#endif /* _RDMA_IB_H */
--
2.7.4
next prev parent reply other threads:[~2016-05-09 19:57 UTC|newest]
Thread overview: 60+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-05-09 19:55 [4.2.y-ckt stable] Linux 4.2.8-ckt10 stable review Kamal Mostafa
2016-05-09 19:55 ` [PATCH 4.2.y-ckt 01/59] x86/mm/32: Enable full randomization on i386 and X86_32 Kamal Mostafa
2016-05-09 19:55 ` [PATCH 4.2.y-ckt 02/59] USB: usbip: fix potential out-of-bounds write Kamal Mostafa
2016-05-09 19:55 ` [PATCH 4.2.y-ckt 03/59] ASoC: rt5640: Correct the digital interface data select Kamal Mostafa
2016-05-09 19:55 ` [PATCH 4.2.y-ckt 04/59] ASoC: dapm: Make sure we have a card when displaying component widgets Kamal Mostafa
2016-05-09 19:55 ` [PATCH 4.2.y-ckt 05/59] ath9k: ar5008_hw_cmn_spur_mitigate: add missing mask_m & mask_p initialisation Kamal Mostafa
2016-05-09 19:55 ` [PATCH 4.2.y-ckt 06/59] iio: ak8975: Fix NULL pointer exception on early interrupt Kamal Mostafa
2016-05-09 19:55 ` [PATCH 4.2.y-ckt 07/59] iio: ak8975: fix maybe-uninitialized warning Kamal Mostafa
2016-05-09 19:55 ` [PATCH 4.2.y-ckt 08/59] i2c: cpm: Fix build break due to incompatible pointer types Kamal Mostafa
2016-05-09 19:55 ` [PATCH 4.2.y-ckt 09/59] i2c: exynos5: Fix possible ABBA deadlock by keeping I2C clock prepared Kamal Mostafa
2016-05-09 19:55 ` [PATCH 4.2.y-ckt 10/59] efi: Fix out-of-bounds read in variable_matches() Kamal Mostafa
2016-05-09 19:55 ` [PATCH 4.2.y-ckt 11/59] USB: serial: cp210x: add ID for Link ECU Kamal Mostafa
2016-05-09 19:55 ` [PATCH 4.2.y-ckt 12/59] USB: serial: cp210x: add Straizona Focusers device ids Kamal Mostafa
2016-05-09 19:55 ` [PATCH 4.2.y-ckt 13/59] [media] v4l2-dv-timings.h: fix polarity for 4k formats Kamal Mostafa
2016-05-09 19:55 ` [PATCH 4.2.y-ckt 14/59] ALSA: hda - Add dock support for ThinkPad X260 Kamal Mostafa
2016-05-09 19:55 ` [PATCH 4.2.y-ckt 15/59] workqueue: fix ghost PENDING flag while doing MQ IO Kamal Mostafa
2016-05-09 19:55 ` [PATCH 4.2.y-ckt 16/59] drm/dp/mst: Get validated port ref in drm_dp_update_payload_part1() Kamal Mostafa
2016-05-09 19:55 ` [PATCH 4.2.y-ckt 17/59] drm/virtio: send vblank event after crtc updates Kamal Mostafa
2016-05-09 19:55 ` [PATCH 4.2.y-ckt 18/59] cxl: Keep IRQ mappings on context teardown Kamal Mostafa
2016-05-09 19:55 ` [PATCH 4.2.y-ckt 19/59] drm/i915: Fix system resume if PCI device remained enabled Kamal Mostafa
2016-05-09 19:55 ` [PATCH 4.2.y-ckt 20/59] drm/i915/ddi: Fix eDP VDD handling during booting and suspend/resume Kamal Mostafa
2016-05-09 19:55 ` [PATCH 4.2.y-ckt 21/59] drm/i915: Fix eDP low vswing for Broadwell Kamal Mostafa
2016-05-09 19:55 ` [PATCH 4.2.y-ckt 22/59] drm/i915: Make RPS EI/thresholds multiple of 25 on SNB-BDW Kamal Mostafa
2016-05-09 19:55 ` [PATCH 4.2.y-ckt 23/59] mac80211: fix statistics leak if dev_alloc_name() fails Kamal Mostafa
2016-05-09 19:55 ` [PATCH 4.2.y-ckt 24/59] drm/radeon: fix vertical bars appear on monitor (v2) Kamal Mostafa
2016-05-09 19:55 ` [PATCH 4.2.y-ckt 25/59] ARM: SoCFPGA: Fix secondary CPU startup in thumb2 kernel Kamal Mostafa
2016-05-09 19:55 ` [PATCH 4.2.y-ckt 26/59] x86/irq: Fix a race in x86_vector_free_irqs() Kamal Mostafa
2016-05-09 19:55 ` [PATCH 4.2.y-ckt 27/59] x86/apic: Handle zero vector gracefully in clear_vector_irq() Kamal Mostafa
2016-05-09 19:55 ` [PATCH 4.2.y-ckt 28/59] ARM: cpuidle: Pass on arm_cpuidle_suspend()'s return value Kamal Mostafa
2016-05-09 19:55 ` Kamal Mostafa [this message]
2016-05-09 19:55 ` [PATCH 4.2.y-ckt 30/59] mm/huge_memory: replace VM_NO_THP VM_BUG_ON with actual VMA check Kamal Mostafa
2016-05-09 19:55 ` [PATCH 4.2.y-ckt 31/59] mm: vmscan: reclaim highmem zone if buffer_heads is over limit Kamal Mostafa
2016-05-09 19:55 ` [PATCH 4.2.y-ckt 32/59] EDAC: i7core, sb_edac: Don't return NOTIFY_BAD from mce_decoder callback Kamal Mostafa
2016-05-09 19:55 ` [PATCH 4.2.y-ckt 33/59] powerpc: Fix bad inline asm constraint in create_zero_mask() Kamal Mostafa
2016-05-09 19:55 ` [PATCH 4.2.y-ckt 34/59] Minimal fix-up of bad hashing behavior of hash_64() Kamal Mostafa
2016-05-09 19:55 ` [PATCH 4.2.y-ckt 35/59] drm/amdgpu: set metadata pointer to NULL after freeing Kamal Mostafa
2016-05-09 19:55 ` [PATCH 4.2.y-ckt 36/59] tracing: Don't display trigger file for events that can't be enabled Kamal Mostafa
2016-05-09 19:55 ` [PATCH 4.2.y-ckt 37/59] drm/radeon: make sure vertical front porch is at least 1 Kamal Mostafa
2016-05-09 19:55 ` [PATCH 4.2.y-ckt 38/59] drm/amdgpu: " Kamal Mostafa
2016-05-09 19:55 ` [PATCH 4.2.y-ckt 39/59] MAINTAINERS: Remove asterisk from EFI directory names Kamal Mostafa
2016-05-09 19:55 ` [PATCH 4.2.y-ckt 40/59] ACPICA: Dispatcher: Update thread ID for recursive method calls Kamal Mostafa
2016-05-09 19:55 ` [PATCH 4.2.y-ckt 41/59] ARC: Add missing io barriers to io{read,write}{16,32}be() Kamal Mostafa
2016-05-09 19:56 ` [PATCH 4.2.y-ckt 42/59] x86/sysfb_efi: Fix valid BAR address range check Kamal Mostafa
2016-05-09 19:56 ` [PATCH 4.2.y-ckt 43/59] fs/pnode.c: treat zero mnt_group_id-s as unequal Kamal Mostafa
2016-05-09 19:56 ` [PATCH 4.2.y-ckt 44/59] propogate_mnt: Handle the first propogated copy being a slave Kamal Mostafa
2016-05-09 19:56 ` [PATCH 4.2.y-ckt 45/59] writeback: Fix performance regression in wb_over_bg_thresh() Kamal Mostafa
2016-05-09 19:56 ` [PATCH 4.2.y-ckt 46/59] mm, cma: prevent nr_isolated_* counters from going negative Kamal Mostafa
2016-05-09 19:56 ` [PATCH 4.2.y-ckt 47/59] x86/tsc: Read all ratio bits from MSR_PLATFORM_INFO Kamal Mostafa
2016-05-09 19:56 ` [PATCH 4.2.y-ckt 48/59] parisc: fix a bug when syscall number of tracee is __NR_Linux_syscalls Kamal Mostafa
2016-05-09 19:56 ` [PATCH 4.2.y-ckt 49/59] jme: Do not enable NIC WoL functions on S0 Kamal Mostafa
2016-05-09 19:56 ` [PATCH 4.2.y-ckt 50/59] jme: Fix device PM wakeup API usage Kamal Mostafa
2016-05-09 19:56 ` [PATCH 4.2.y-ckt 51/59] net/mlx4_en: fix spurious timestamping callbacks Kamal Mostafa
2016-05-09 19:56 ` [PATCH 4.2.y-ckt 52/59] batman-adv: Reduce refcnt of removed router when updating route Kamal Mostafa
2016-05-09 19:56 ` [PATCH 4.2.y-ckt 53/59] batman-adv: Check skb size before using encapsulated ETH+VLAN header Kamal Mostafa
2016-05-09 19:56 ` [PATCH 4.2.y-ckt 54/59] batman-adv: Fix broadcast/ogm queue limit on a removed interface Kamal Mostafa
2016-05-09 19:56 ` [PATCH 4.2.y-ckt 55/59] mm: update min_free_kbytes from khugepaged after core initialization Kamal Mostafa
2016-05-09 19:56 ` [PATCH 4.2.y-ckt 56/59] ARM: EXYNOS: Properly skip unitialized parent clock in power domain on Kamal Mostafa
2016-05-09 19:56 ` [PATCH 4.2.y-ckt 57/59] net/mlx5e: Fix MLX5E_100BASE_T define Kamal Mostafa
2016-05-09 19:56 ` [PATCH 4.2.y-ckt 58/59] cxgbi: fix uninitialized flowi6 Kamal Mostafa
2016-05-09 19:56 ` [PATCH 4.2.y-ckt 59/59] RDMA/iw_cxgb4: Fix bar2 virt addr calculation for T4 chips Kamal Mostafa
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1462823777-8384-30-git-send-email-kamal@canonical.com \
--to=kamal@canonical.com \
--cc=dledford@redhat.com \
--cc=jgunthorpe@obsidianresearch.com \
--cc=kernel-team@lists.ubuntu.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).