From: Shachar Raindel
To: Yann Droneaud
CC: oss-security@lists.openwall.com, linux-rdma@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: RE: CVE-2014-8159 kernel: infiniband: uverbs: unprotected physical memory access
Date: Thu, 2 Apr 2015 16:34:05 +0000
References: <1427969085.17020.5.camel@opteya.com> <1427987752.22575.65.camel@opteya.com>
In-Reply-To: <1427987752.22575.65.camel@opteya.com>
Sender: linux-kernel-owner@vger.kernel.org
X-Mailing-List: linux-kernel@vger.kernel.org

Hi,

> -----Original Message-----
> From: Yann Droneaud [mailto:ydroneaud@opteya.com]
> Sent: Thursday, April 02, 2015 6:16 PM
> To: Shachar Raindel
> Cc: oss-security@lists.openwall.com; (linux-rdma@vger.kernel.org);
> linux-kernel@vger.kernel.org; stable@vger.kernel.org
> Subject: Re: CVE-2014-8159 kernel: infiniband: uverbs: unprotected
> physical memory access
>
> Hi,
> On Thursday, 2 April 2015 at 10:52 +0000, Shachar Raindel wrote:
> > > -----Original Message-----
> > > From: Yann Droneaud [mailto:ydroneaud@opteya.com]
> > > Sent: Thursday, April 02, 2015 1:05 PM
> > > On Wednesday, 18 March 2015 at 17:39 +0000, Shachar Raindel wrote:
> ...
> > > > + /*
> > > > + * If the combination of the addr and size requested for this
> > > memory
> > > > + * region causes an integer overflow, return error.
> > > > + */
> > > > + if ((PAGE_ALIGN(addr + size) <= size) ||
> > > > + (PAGE_ALIGN(addr + size) <= addr))
> > > > + return ERR_PTR(-EINVAL);
> > > > +
> > >
> > > Can access_ok() be used here ?
> > >
> > > if (!access_ok(writable ? VERIFY_WRITE : VERIFY_READ,
> > > addr, size))
> > > return ERR_PTR(-EINVAL);
> > >
> >
> > No, this will break the current ODP semantics.
> >
> > ODP allows the user to register memory that is not accessible yet.
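Review bot: the overflow check in the quoted hunk, `(PAGE_ALIGN(addr + size) <= size) || (PAGE_ALIGN(addr + size) <= addr)`, handles size == 0 inconsistently: with a page-aligned addr, PAGE_ALIGN(addr + 0) == addr and the second comparison returns -EINVAL, while with an unaligned addr both comparisons are false and registration proceeds. If zero-length registrations are meant to be rejected, check `size == 0` explicitly rather than relying on this arithmetic. The wrap-around protection itself is sound, including the case where PAGE_ALIGN rounds addr + size up to 0, which the `<= size` comparison catches; and, as the reply quoted after the hunk explains, access_ok() is not a substitute here because ODP deliberately registers memory that is not yet accessible.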
> > This is a critical design feature, as it allows avoiding holding
> > a registration cache. Adding this check will break the behavior,
> > forcing memory to be all accessible when registering an ODP MR.
> >
>
> Failed to notice previously, but since this would break ODP, and ODP is
> only available starting v3.19-rc1, my proposed fix might be applicable
> for older kernels (if not better).
>

Can you explain how this proposed fix is better than the existing patch? Why do we want to push to the stable tree a patch that is not in upstream?

There is an existing, tested patch that is going to the tip of development. It even applies cleanly on every kernel version around.

Thanks,
--Shachar