On Wed, May 18, 2016 at 12:58:38PM -0400, Doug Ledford wrote:
> From: Jason Gunthorpe <jgunthorpe@xxxxxxxxxxxxxxxxxxxx>
>
> The drivers/infiniband stack uses write() as a replacement for
> bi-directional ioctl(). This is not safe. There are ways to
> trigger write calls that result in the return structure that
> is normally written to user space being shunted off to user
> specified kernel memory instead.
>
> For the immediate repair, detect and deny suspicious accesses to
> the write API.
>
> For long term, update the user space libraries and the kernel API
> to something that doesn't present the same security vulnerabilities
> (likely a structured ioctl() interface).
>
> The impacted uAPI interfaces are generally only available if
> hardware from drivers/infiniband is installed in the system.
>
> Reported-by: Jann Horn <jann@xxxxxxxxx>
> Signed-off-by: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
> Signed-off-by: Jason Gunthorpe <jgunthorpe@xxxxxxxxxxxxxxxxxxxx>
> [ Expanded check to all known write() entry points ]
> Cc: stable@xxxxxxxxxxxxxxx # 3.14.x
> Signed-off-by: Doug Ledford <dledford@xxxxxxxxxx>
> [ Expanded to include removed ipath driver, and dropped non-existent
> hfi1 driver ]
> ---
>  drivers/infiniband/core/ucm.c                | 4 ++++
>  drivers/infiniband/core/ucma.c               | 3 +++
>  drivers/infiniband/core/uverbs_main.c        | 5 +++++
>  drivers/infiniband/hw/ipath/ipath_file_ops.c | 5 +++++
>  drivers/infiniband/hw/qib/qib_file_ops.c     | 5 +++++
>  include/rdma/ib.h                            | 16 ++++++++++++++++
>  6 files changed, 38 insertions(+)

I don't understand, is this only for 3.14.x? If so, what is the git
commit id in Linus's tree for this?

thanks,

greg k-h