From: Yann Droneaud
To: Shachar Raindel
Cc: oss-security@lists.openwall.com, linux-rdma@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Date: Thu, 02 Apr 2015 12:04:45 +0200
Subject: Re: CVE-2014-8159 kernel: infiniband: uverbs: unprotected physical memory access

Hi,

On Wednesday 18 March 2015 at 17:39 +0000, Shachar Raindel wrote:
> Hi,
>
> It was found that the Linux kernel's InfiniBand/RDMA subsystem did not
> properly sanitize input parameters while registering memory regions
> from user space via the (u)verbs API. A local user with access to
> a /dev/infiniband/uverbsX device could use this flaw to crash the
> system or, potentially, escalate their privileges on the system.
>
> The issue has been assigned CVE-2014-8159.
>
> The issue exists in the InfiniBand/RDMA/iWARP drivers since Linux
> Kernel version 2.6.13.
>
> Mellanox OFED 2.4-1.0.4 fixes the issue. Available from:
> http://www.mellanox.com/page/products_dyn?product_family=26&mtag=linux_sw_drivers
>
> RedHat errata: https://access.redhat.com/security/cve/CVE-2014-8159
> Canonical errata: http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-8159.html
> Novell (Suse) bug tracking: https://bugzilla.novell.com/show_bug.cgi?id=914742
>
>
> The following patch fixes the issue:
>
> --------------- 8< ------------------------------
>
> From d4d68430d4a12c569e28b4f4468284ea22111186 Mon Sep 17 00:00:00 2001
> From: Shachar Raindel > Date: Sun, 04 Jan 2015 18:30:32 +0200 > Subject: [PATCH] IB/core: Prevent integer overflow in ib_umem_get address arithmetic > > Properly verify that the resulting page aligned end address is larger > than both the start address and the length of the memory area > requested. > > Both the start and length arguments for ib_umem_get are controlled by > the user. A misbehaving user can provide values which will cause an > integer overflow when calculating the page aligned end address. > > This overflow can cause also miscalculation of the number of pages > mapped, and additional logic issues. > > Signed-off-by: Shachar Raindel > Signed-off-by: Jack Morgenstein > Signed-off-by: Or Gerlitz > --- > > diff --git a/drivers/infiniband/core/umem.c b/drivers/infiniband/core/umem.c > index aec7a6a..8c014b5 100644 > --- a/drivers/infiniband/core/umem.c > +++ b/drivers/infiniband/core/umem.c > @@ -99,6 +99,14 @@ > if (dmasync) > dma_set_attr(DMA_ATTR_WRITE_BARRIER, &attrs); > > + /* > + * If the combination of the addr and size requested for this memory > + * region causes an integer overflow, return error. > + */ > + if ((PAGE_ALIGN(addr + size) <= size) || > + (PAGE_ALIGN(addr + size) <= addr)) > + return ERR_PTR(-EINVAL); > + Can access_ok() be used here ? if (!access_ok(writable ? VERIFY_WRITE : VERIFY_READ, addr, size)) return ERR_PTR(-EINVAL); > if (!can_do_mlock()) > return ERR_PTR(-EPERM); > Regards. -- Yann Droneaud OPTEYA -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
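Review bot: The two `<=` comparisons in the check added to ib_umem_get (drivers/infiniband/core/umem.c, after the dma_set_attr call) reject more than the overflow the comment describes. With a page-aligned addr and size 0, PAGE_ALIGN(addr + size) equals addr, so the request returns -EINVAL although nothing wrapped, while the same zero size at an unaligned addr passes both tests. Likewise addr 0 with a page-aligned size trips the first comparison without any overflow. Consider testing the two wrap conditions directly, `(addr + size) < addr` for the sum and `PAGE_ALIGN(addr + size) < (addr + size)` for the round-up, and have the comment state whether zero-length regions are meant to be refused, so that callers see a documented rule rather than a side effect of the comparison operator.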