Re: [PATCH rdma-rc] RDMA/nldev: Don't expose unsafe global rkey to regular user

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Wed, Jan 02, 2019 at 08:01:48PM +0000, Jason Gunthorpe wrote:
> On Mon, Dec 24, 2018 at 11:05:16AM +0200, Leon Romanovsky wrote:
> > From: Leon Romanovsky <leonro@xxxxxxxxxxxx>
> >
> > Unsafe global rkey is considered extremely dangerous because it
> > exposes memory registered for all memory in the system. Being
> > unsafe, accompanied by warning in dmesg, the unsafe_global_rkey
> > value should be presented to users with CAP_NET_ADMIN only.
> >
> > Cc: <stable@xxxxxxxxxxxxxxx> # 4.16
> > Fixes: 29cf1351d450 ("RDMA/nldev: provide detailed PD information")
> > Signed-off-by: Leon Romanovsky <leonro@xxxxxxxxxxxx>
> > ---
> > It is targeted for -rc to ensure that it will be included in first pull
> > request to Linus in this merge window.
> > ---
> >  drivers/infiniband/core/nldev.c | 4 ----
> >  1 file changed, 4 deletions(-)
> >
> > diff --git a/drivers/infiniband/core/nldev.c b/drivers/infiniband/core/nldev.c
> > index 573399e3ccc1..ff6468e7fe79 100644
> > --- a/drivers/infiniband/core/nldev.c
> > +++ b/drivers/infiniband/core/nldev.c
> > @@ -580,10 +580,6 @@ static int fill_res_pd_entry(struct sk_buff *msg, struct netlink_callback *cb,
> >  	if (nla_put_u64_64bit(msg, RDMA_NLDEV_ATTR_RES_USECNT,
> >  			      atomic_read(&pd->usecnt), RDMA_NLDEV_ATTR_PAD))
> >  		goto err;
> > -	if ((pd->flags & IB_PD_UNSAFE_GLOBAL_RKEY) &&
> > -	    nla_put_u32(msg, RDMA_NLDEV_ATTR_RES_UNSAFE_GLOBAL_RKEY,
> > -			pd->unsafe_global_rkey))
> > -		goto err;
>
> What is the harm? the rkey is only usable within the PD it is
> enabled on, and all the protos using this scheme go ahead and send it
> to the remote side anyhow..

Upto v2, we didn't require CAP_NET_ADMIN to access LKEY and RKEY
https://patchwork.kernel.org/patch/10217495/
In v3, it was changed
https://patchwork.kernel.org/patch/10244007/
without mentioning such change
https://www.spinics.net/lists/linux-rdma/msg61174.html

So now, we have RDMA_NLDEV_ATTR_RES_UNSAFE_GLOBAL_RKEY exposed twice.
First time with CAP_NET_ADMIN and second without it.

Exposing RDMA_NLDEV_ATTR_RES_UNSAFE_GLOBAL_RKEY through rdmatool helps
to local attacker identify the "weak" application, which can be used
to elevate permissions.

You definitely can say that UNSAFE_GLOBAL_RKEY is used in applications
which don't care too much about security and we shouldn't worry about
them too. I'm fine with it, but took more cautious approach while wrote
this patch.

Thanks

>
> Jason

Attachment: signature.asc
Description: PGP signature

[Index of Archives]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Photo]     [Yosemite News]     [Yosemite Photos]     [Linux Kernel]     [Linux SCSI]     [XFree86]

  Powered by Linux