Back to bug 1310570

Who When What Removed Added
Adam Mariš 2016-02-22 09:23:51 UTC CC security-response-team
Red Hat Bugzilla 2016-02-22 09:23:51 UTC Doc Type --- Bug Fix
Adam Mariš 2016-02-22 09:33:15 UTC Blocks 1310573
Vladis Dronov 2016-03-09 18:14:36 UTC Whiteboard impact=moderate,public=no,reported=20160219,source=researcher,cvss2=3.3/AV:L/AC:M/Au:N/C:N/I:P/A:P,rhel-5/kernel=new,rhel-6/kernel=new,rhel-7/kernel=new,rhel-7/kernel-rt=new,mrg-2/realtime-kernel=new,rhelsa-7/arm-kernel=new,fedora-all/kernel=affected impact=moderate,public=no,reported=20160219,source=researcher,cvss2=6.9/AV:L/AC:M/Au:N/C:C/I:C/A:C,rhel-5/kernel=new,rhel-6/kernel=new,rhel-7/kernel=new,rhel-7/kernel-rt=new,mrg-2/realtime-kernel=new,rhelsa-7/arm-kernel=new,fedora-all/kernel=affected
Vladis Dronov 2016-03-09 18:14:44 UTC Whiteboard impact=moderate,public=no,reported=20160219,source=researcher,cvss2=6.9/AV:L/AC:M/Au:N/C:C/I:C/A:C,rhel-5/kernel=new,rhel-6/kernel=new,rhel-7/kernel=new,rhel-7/kernel-rt=new,mrg-2/realtime-kernel=new,rhelsa-7/arm-kernel=new,fedora-all/kernel=affected impact=important,public=no,reported=20160219,source=researcher,cvss2=6.9/AV:L/AC:M/Au:N/C:C/I:C/A:C,rhel-5/kernel=new,rhel-6/kernel=new,rhel-7/kernel=new,rhel-7/kernel-rt=new,mrg-2/realtime-kernel=new,rhelsa-7/arm-kernel=new,fedora-all/kernel=affected
Vladis Dronov 2016-03-09 18:14:54 UTC Severity medium high
Vladis Dronov 2016-03-09 18:15:02 UTC Priority medium high
Vladis Dronov 2016-03-09 18:15:55 UTC Priority high urgent
CC vdronov
Severity high urgent
Vladis Dronov 2016-03-09 18:57:10 UTC Summary EMBARGOED kernel: infiniband: Unprivileged process can overwrite kernel memory EMBARGOED kernel: infiniband: Unprivileged process can overwrite kernel memory using rdma_ucm.ko
Petr Matousek 2016-03-10 09:17:17 UTC Priority urgent high
CC pmatouse
Severity urgent high
Vladis Dronov 2016-03-10 18:36:54 UTC Whiteboard impact=important,public=no,reported=20160219,source=researcher,cvss2=6.9/AV:L/AC:M/Au:N/C:C/I:C/A:C,rhel-5/kernel=new,rhel-6/kernel=new,rhel-7/kernel=new,rhel-7/kernel-rt=new,mrg-2/realtime-kernel=new,rhelsa-7/arm-kernel=new,fedora-all/kernel=affected impact=important,public=no,reported=20160219,source=researcher,cvss2=6.9/AV:L/AC:M/Au:N/C:C/I:C/A:C,rhel-5/kernel=notaffected,rhel-6/kernel=affected,rhel-7/kernel=affected,rhel-7/kernel-rt=affected,mrg-2/realtime-kernel=affected,rhelsa-7/arm-kernel=affected,fedora-all/kernel=affected
Vladis Dronov 2016-03-10 18:59:17 UTC Whiteboard impact=important,public=no,reported=20160219,source=researcher,cvss2=6.9/AV:L/AC:M/Au:N/C:C/I:C/A:C,rhel-5/kernel=notaffected,rhel-6/kernel=affected,rhel-7/kernel=affected,rhel-7/kernel-rt=affected,mrg-2/realtime-kernel=affected,rhelsa-7/arm-kernel=affected,fedora-all/kernel=affected impact=important,public=no,reported=20160219,source=researcher,cvss2=6.9/AV:L/AC:M/Au:N/C:C/I:C/A:C,cwe=CWE-119,rhel-5/kernel=notaffected,rhel-6/kernel=affected,rhel-7/kernel=affected,rhel-7/kernel-rt=affected,mrg-2/realtime-kernel=affected,rhelsa-7/arm-kernel=affected,fedora-all/kernel=affected
Vladis Dronov 2016-03-10 19:08:20 UTC Depends On 1316685
Adam Mariš 2016-03-11 14:47:54 UTC Summary EMBARGOED kernel: infiniband: Unprivileged process can overwrite kernel memory using rdma_ucm.ko EMBARGOED CVE-2016-2189 kernel: infiniband: Unprivileged process can overwrite kernel memory using rdma_ucm.ko
Alias CVE-2016-2189
Vladis Dronov 2016-03-11 14:52:27 UTC Comment 5 is private 1 0
Wade Mealing 2016-04-28 01:55:03 UTC CC wmealing
Vladis Dronov 2016-05-03 13:00:45 UTC Depends On 1332547
Vladis Dronov 2016-05-03 13:00:58 UTC Depends On 1332548
Vladis Dronov 2016-05-03 13:12:19 UTC Depends On 1332553
Vladis Dronov 2016-05-03 13:16:41 UTC Depends On 1332558
Vladis Dronov 2016-05-03 13:16:50 UTC Depends On 1332559
Vladis Dronov 2016-05-03 13:16:59 UTC Depends On 1332560
Vladis Dronov 2016-05-03 13:22:29 UTC Depends On 1332564
Petr Matousek 2016-05-03 13:36:42 UTC CC dledford
Petr Matousek 2016-05-17 11:41:26 UTC Whiteboard impact=important,public=no,reported=20160219,source=researcher,cvss2=6.9/AV:L/AC:M/Au:N/C:C/I:C/A:C,cwe=CWE-119,rhel-5/kernel=notaffected,rhel-6/kernel=affected,rhel-7/kernel=affected,rhel-7/kernel-rt=affected,mrg-2/realtime-kernel=affected,rhelsa-7/arm-kernel=affected,fedora-all/kernel=affected impact=important,public=20160507,reported=20160219,source=researcher,cvss2=6.9/AV:L/AC:M/Au:N/C:C/I:C/A:C,cwe=CWE-119,rhel-5/kernel=notaffected,rhel-6/kernel=affected,rhel-7/kernel=affected,rhel-7/kernel-rt=affected,mrg-2/realtime-kernel=affected,rhelsa-7/arm-kernel=affected,fedora-all/kernel=affected
Petr Matousek 2016-05-17 11:49:02 UTC Summary EMBARGOED CVE-2016-2189 kernel: infiniband: Unprivileged process can overwrite kernel memory using rdma_ucm.ko CVE-2016-2189 kernel: infiniband: Unprivileged process can overwrite kernel memory using rdma_ucm.ko
Petr Matousek 2016-05-17 11:49:10 UTC Group security, qe_staff
Petr Matousek 2016-05-17 11:50:24 UTC Blocks 1334220
Petr Matousek 2016-05-17 11:54:23 UTC Alias CVE-2016-4565
Petr Matousek 2016-05-17 12:01:10 UTC Depends On 1336754
Petr Matousek 2016-05-17 12:20:53 UTC Depends On 1334219
Petr Matousek 2016-05-17 15:13:52 UTC Summary CVE-2016-2189 kernel: infiniband: Unprivileged process can overwrite kernel memory using rdma_ucm.ko CVE-2016-4565 kernel: infiniband: Unprivileged process can overwrite kernel memory using rdma_ucm.ko
Peter K 2016-05-17 17:19:04 UTC CC cap
Ben Woodard 2016-05-18 00:12:39 UTC CC tgummels, woodard
Gabe 2016-05-18 00:20:24 UTC CC gcturner
Kent Engström 2016-05-18 07:30:49 UTC CC kent
Andrej Nemec 2016-05-18 07:53:00 UTC CC anemec
Alias CVE-2016-2189
Slawomir Czarko 2016-05-18 08:03:45 UTC CC slawomir
Marc Richter 2016-05-25 13:03:38 UTC CC mrichter
Flags needinfo?
Petr Matousek 2016-05-27 08:57:10 UTC Flags needinfo?
Petr Matousek 2016-05-30 09:41:21 UTC Whiteboard impact=important,public=20160507,reported=20160219,source=researcher,cvss2=6.9/AV:L/AC:M/Au:N/C:C/I:C/A:C,cwe=CWE-119,rhel-5/kernel=notaffected,rhel-6/kernel=affected,rhel-7/kernel=affected,rhel-7/kernel-rt=affected,mrg-2/realtime-kernel=affected,rhelsa-7/arm-kernel=affected,fedora-all/kernel=affected impact=important,public=20160507,reported=20160219,source=researcher,cvss2=6.9/AV:L/AC:M/Au:N/C:C/I:C/A:C,cwe=CWE-119,rhel-5/kernel=notaffected,rhel-6/kernel=affected,rhel-6.2/kernel=affected,rhel-6.4/kernel=affected,rhel-6.5/kernel=affected,rhel-6.6/kernel=affected,rhel-6.7/kernel=affected,rhel-7/kernel=affected,rhel-7.1/kernel=affected,rhel-7/kernel-rt=affected,mrg-2/realtime-kernel=affected,rhelsa-7/arm-kernel=affected,fedora-all/kernel=affected
Petr Matousek 2016-05-30 10:01:26 UTC Whiteboard impact=important,public=20160507,reported=20160219,source=researcher,cvss2=6.9/AV:L/AC:M/Au:N/C:C/I:C/A:C,cwe=CWE-119,rhel-5/kernel=notaffected,rhel-6/kernel=affected,rhel-6.2/kernel=affected,rhel-6.4/kernel=affected,rhel-6.5/kernel=affected,rhel-6.6/kernel=affected,rhel-6.7/kernel=affected,rhel-7/kernel=affected,rhel-7.1/kernel=affected,rhel-7/kernel-rt=affected,mrg-2/realtime-kernel=affected,rhelsa-7/arm-kernel=affected,fedora-all/kernel=affected impact=important,public=20160507,reported=20160219,source=researcher,cvss2=6.9/AV:L/AC:M/Au:N/C:C/I:C/A:C,cwe=CWE-119,rhel-5/kernel=notaffected,rhel-6/kernel=affected,rhel-6.2.z/kernel=affected,rhel-6.4.z/kernel=affected,rhel-6.5.z/kernel=affected,rhel-6.6.z/kernel=affected,rhel-6.7.z/kernel=affected,rhel-7/kernel=affected,rhel-7.1.z/kernel=affected,rhel-7/kernel-rt=affected,mrg-2/realtime-kernel=affected,rhelsa-7/arm-kernel=affected,fedora-all/kernel=affected
Petr Matousek 2016-05-30 10:02:38 UTC Depends On 1340792
Petr Matousek 2016-05-30 10:02:51 UTC Depends On 1340793
Petr Matousek 2016-05-30 10:03:02 UTC Depends On 1340794
Petr Matousek 2016-05-30 10:03:14 UTC Depends On 1340795
Petr Matousek 2016-05-30 10:03:27 UTC Depends On 1340796
Petr Matousek 2016-05-30 10:03:39 UTC Depends On 1340797
Vladis Dronov 2016-06-21 15:22:09 UTC Doc Text It was found that drivers in the Infiniband stack use write() as a replacement for bi-directional ioctl(), which is not safe. There are ways to trigger write calls that result in the return structure that is normally written to user space being shunted off to user specified kernel memory instead. A local unprivileged user on a system with rdma_ucm module loaded could use this flaw to probably escalate their privileges.
Vladis Dronov 2016-06-22 13:42:25 UTC Doc Text It was found that drivers in the Infiniband stack use write() as a replacement for bi-directional ioctl(), which is not safe. There are ways to trigger write calls that result in the return structure that is normally written to user space being shunted off to user specified kernel memory instead. A local unprivileged user on a system with rdma_ucm module loaded could use this flaw to probably escalate their privileges. A flaw was found in the way certain interfaces of the Linux kernel's Infiniband subsystem used write() as bi-directional ioctl() replacement, which could lead to insufficient memory security checks when being invoked using the the splice() system call. A local unprivileged user on a system with either Infiniband hardware present or RDMA Userspace Connection Manager Access module explicitly loaded, could use this flaw to escalate their privileges on the system.
Vladis Dronov 2016-08-16 10:02:16 UTC Whiteboard impact=important,public=20160507,reported=20160219,source=researcher,cvss2=6.9/AV:L/AC:M/Au:N/C:C/I:C/A:C,cwe=CWE-119,rhel-5/kernel=notaffected,rhel-6/kernel=affected,rhel-6.2.z/kernel=affected,rhel-6.4.z/kernel=affected,rhel-6.5.z/kernel=affected,rhel-6.6.z/kernel=affected,rhel-6.7.z/kernel=affected,rhel-7/kernel=affected,rhel-7.1.z/kernel=affected,rhel-7/kernel-rt=affected,mrg-2/realtime-kernel=affected,rhelsa-7/arm-kernel=affected,fedora-all/kernel=affected impact=important,public=20160507,reported=20160219,source=researcher,cvss2=6.9/AV:L/AC:M/Au:N/C:C/I:C/A:C,cvss3=7.8/CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H,cwe=CWE-119,rhel-5/kernel=notaffected,rhel-6/kernel=affected,rhel-6.2.z/kernel=affected,rhel-6.4.z/kernel=affected,rhel-6.5.z/kernel=affected,rhel-6.6.z/kernel=affected,rhel-6.7.z/kernel=affected,rhel-7/kernel=affected,rhel-7.1.z/kernel=affected,rhel-7/kernel-rt=affected,mrg-2/realtime-kernel=affected,rhelsa-7/arm-kernel=affected,fedora-all/kernel=affected
Tomas Hoger 2016-08-19 09:14:55 UTC Doc Text A flaw was found in the way certain interfaces of the Linux kernel's Infiniband subsystem used write() as bi-directional ioctl() replacement, which could lead to insufficient memory security checks when being invoked using the the splice() system call. A local unprivileged user on a system with either Infiniband hardware present or RDMA Userspace Connection Manager Access module explicitly loaded, could use this flaw to escalate their privileges on the system. A flaw was found in the way certain interfaces of the Linux kernel's Infiniband subsystem used write() as bi-directional ioctl() replacement, which could lead to insufficient memory security checks when being invoked using the splice() system call. A local unprivileged user on a system with either Infiniband hardware present or RDMA Userspace Connection Manager Access module explicitly loaded, could use this flaw to escalate their privileges on the system.
Petr Matousek 2016-09-26 03:40:54 UTC Status NEW CLOSED
Resolution --- ERRATA
Last Closed 2016-09-25 23:40:54 UTC
Product Security DevOps Team 2019-09-29 13:44:17 UTC Whiteboard impact=important,public=20160507,reported=20160219,source=researcher,cvss2=6.9/AV:L/AC:M/Au:N/C:C/I:C/A:C,cvss3=7.8/CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H,cwe=CWE-119,rhel-5/kernel=notaffected,rhel-6/kernel=affected,rhel-6.2.z/kernel=affected,rhel-6.4.z/kernel=affected,rhel-6.5.z/kernel=affected,rhel-6.6.z/kernel=affected,rhel-6.7.z/kernel=affected,rhel-7/kernel=affected,rhel-7.1.z/kernel=affected,rhel-7/kernel-rt=affected,mrg-2/realtime-kernel=affected,rhelsa-7/arm-kernel=affected,fedora-all/kernel=affected
