Re: [PATCH rdma-rc] RDMA/nldev: Don't expose unsafe global rkey to regular user

On Thu, Jan 03, 2019 at 08:40:12AM +0200, Leon Romanovsky wrote:
> On Wed, Jan 02, 2019 at 08:01:48PM +0000, Jason Gunthorpe wrote:
> > On Mon, Dec 24, 2018 at 11:05:16AM +0200, Leon Romanovsky wrote:
> > > From: Leon Romanovsky <leonro@xxxxxxxxxxxx>
> > >
> > > Unsafe global rkey is considered extremely dangerous because it
> > > exposes memory registered for all memory in the system. Being
> > > unsafe, accompanied by a warning in dmesg, the unsafe_global_rkey
> > > value should be presented to users with CAP_NET_ADMIN only.
> > >
> > > Cc: <stable@xxxxxxxxxxxxxxx> # 4.16
> > > Fixes: 29cf1351d450 ("RDMA/nldev: provide detailed PD information")
> > > Signed-off-by: Leon Romanovsky <leonro@xxxxxxxxxxxx>
> > > ---
> > > It is targeted for -rc to ensure that it will be included in first pull
> > > request to Linus in this merge window.
> > > ---
> > >  drivers/infiniband/core/nldev.c | 4 ----
> > >  1 file changed, 4 deletions(-)
> > >
> > > diff --git a/drivers/infiniband/core/nldev.c b/drivers/infiniband/core/nldev.c
> > > index 573399e3ccc1..ff6468e7fe79 100644
> > > --- a/drivers/infiniband/core/nldev.c
> > > +++ b/drivers/infiniband/core/nldev.c
> > > @@ -580,10 +580,6 @@ static int fill_res_pd_entry(struct sk_buff *msg, struct netlink_callback *cb,
> > >  	if (nla_put_u64_64bit(msg, RDMA_NLDEV_ATTR_RES_USECNT,
> > >  			      atomic_read(&pd->usecnt), RDMA_NLDEV_ATTR_PAD))
> > >  		goto err;
> > > -	if ((pd->flags & IB_PD_UNSAFE_GLOBAL_RKEY) &&
> > > -	    nla_put_u32(msg, RDMA_NLDEV_ATTR_RES_UNSAFE_GLOBAL_RKEY,
> > > -			pd->unsafe_global_rkey))
> > > -		goto err;
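
Review bot: the commit message says the unsafe_global_rkey value should remain visible to users with CAP_NET_ADMIN, but this hunk in fill_res_pd_entry() only deletes the nla_put_u32() of RDMA_NLDEV_ATTR_RES_UNSAFE_GLOBAL_RKEY (4 deletions, no additions), so nothing in the visible lines shows where the privileged path still emits it. Please say in the commit message that the attribute is already emitted under a CAP_NET_ADMIN check elsewhere in this function and that this change drops the unconditional duplicate; that also lets anyone handling the "stable # 4.16" backport confirm the gated copy exists in the target tree before applying.
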
> >
> > What is the harm? The rkey is only usable within the PD it is
> > enabled on, and all the protos using this scheme go ahead and send it
> > to the remote side anyhow..
>
> Up to v2, we didn't require CAP_NET_ADMIN to access LKEY and RKEY
> https://patchwork.kernel.org/patch/10217495/
> In v3, it was changed
> https://patchwork.kernel.org/patch/10244007/
> without mentioning such a change
> https://www.spinics.net/lists/linux-rdma/msg61174.html
>
> So now, we have RDMA_NLDEV_ATTR_RES_UNSAFE_GLOBAL_RKEY exposed twice.
> First time with CAP_NET_ADMIN and second without it.
>
> Exposing RDMA_NLDEV_ATTR_RES_UNSAFE_GLOBAL_RKEY through rdmatool helps
> a local attacker identify the "weak" application, which can be used
> to elevate permissions.
>
> You definitely can say that UNSAFE_GLOBAL_RKEY is used in applications
> which don't care too much about security and we shouldn't worry about
> them too. I'm fine with it, but took a more cautious approach while writing
> this patch.

Jason ???

>
> Thanks
>
> >
> > Jason

