Bug 1310570 (CVE-2016-4565)

Summary: CVE-2016-4565 kernel: infiniband: Unprivileged process can overwrite kernel memory using rdma_ucm.ko
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: agordeev, anemec, aquini, bhu, cap, dhoward, dledford, esammons, fhrbata, gcturner, iboverma, jkacur, joelsmith, jross, kent, kernel-mgr, kstutsma, lgoncalv, lwang, matt, mcressma, mguzik, mrichter, nmurray, pholasek, plougher, pmatouse, rvrbovsk, security-response-team, slawomir, tgummels, vdronov, williams, wmealing, woodard
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A flaw was found in the way certain interfaces of the Linux kernel's Infiniband subsystem used write() as a bi-directional ioctl() replacement, which could lead to insufficient memory security checks when they were invoked through the splice() system call. A local unprivileged user on a system with either Infiniband hardware present or the RDMA Userspace Connection Manager Access module explicitly loaded could use this flaw to escalate their privileges on the system.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-09-26 03:40:54 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1316685, 1332547, 1332548, 1332553, 1332558, 1332559, 1332560, 1332564, 1334219, 1336754, 1340792, 1340793, 1340794, 1340795, 1340796, 1340797
Bug Blocks: 1310573, 1334220

Description Adam Mariš 2016-02-22 09:23:51 UTC
It was reported that the drivers/infiniband stack uses write() as a replacement for a bi-directional ioctl(), which is not safe. There are ways to trigger write calls that result in the return structure that is normally written to user space being shunted off to user-specified kernel memory instead.

A local unprivileged user on a system with rdma_ucm module loaded could use this flaw to escalate their privileges.

Upstream patch:

https://git.kernel.org/linus/e6bd18f57aad1a2d1ef40e646d03ed0f2515c9e3

CVE-ID request and assignment:

http://seclists.org/oss-sec/2016/q2/269
http://seclists.org/oss-sec/2016/q2/274
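
Because the flaw is only reachable on hosts where rdma_ucm is actually loaded, fleet triage comes down to two questions: is the module present, and does the running kernel already carry the fix. The following is an added example, not part of the bug report or of any Red Hat tooling: a POSIX sh check that classifies a host from its lsmod output and its kernel RPM changelog. The sample inputs are constructed, and the changelog grep assumes the vendor kernel names fixed CVEs in its changelog.

```shell
#!/bin/sh
# Added example, not from the bug report. Triage for CVE-2016-4565 exposure:
# the write()-as-ioctl path exists only while rdma_ucm is loaded, so a host is
# "exposed" when the module is loaded AND the kernel does not carry the fix.
# Assumption: the distribution kernel's RPM changelog lists fixed CVE IDs.

# module_loaded LSMOD_TEXT MODULE -> exit 0 if MODULE is listed in LSMOD_TEXT
module_loaded() {
    printf '%s\n' "$1" | awk -v mod="$2" \
        'BEGIN { rc = 1 } $1 == mod { rc = 0 } END { exit rc }'
}

# changelog_has_fix CHANGELOG_TEXT -> exit 0 if the CVE ID is mentioned
changelog_has_fix() {
    printf '%s\n' "$1" | grep -q 'CVE-2016-4565'
}

# assess LSMOD_TEXT CHANGELOG_TEXT -> prints one of: exposed | patched | not-loaded
assess() {
    if module_loaded "$1" rdma_ucm; then
        if changelog_has_fix "$2"; then echo patched; else echo exposed; fi
    else
        echo not-loaded
    fi
}

# Constructed sample inputs (not captured from a real system).
SAMPLE_LSMOD='Module                  Size  Used by
rdma_ucm               22055  0
ib_uverbs              57000  1 rdma_ucm
ext4                  579979  1'
SAMPLE_CHANGELOG_OLD='- [net] unrelated fix (Some One) [0000000]'
SAMPLE_CHANGELOG_FIXED='- [infiniband] restrict use of the write() interface (CVE-2016-4565)'

echo "old kernel, module loaded:   $(assess "$SAMPLE_LSMOD" "$SAMPLE_CHANGELOG_OLD")"
echo "fixed kernel, module loaded: $(assess "$SAMPLE_LSMOD" "$SAMPLE_CHANGELOG_FIXED")"

# On a live RHEL host the same function runs against real data:
#   assess "$(lsmod)" "$(rpm -q --changelog "kernel-$(uname -r)")"
```

A "not-loaded" result only describes the current state; the module can still be autoloaded later by RDMA-aware userspace or by Infiniband hardware drivers, so it does not by itself mean the host needs no update.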

Comment 2 Adam Mariš 2016-02-22 09:44:51 UTC
Acknowledgments:

Name: Jann Horn

Comment 3 Vladis Dronov 2016-03-10 18:42:47 UTC
Statement:

This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5.

This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 6, 7 and Red Hat Enterprise MRG-2. Future Linux kernel updates for the respective releases might address this issue.

Comment 5 Adam Mariš 2016-03-11 14:47:54 UTC
Internal CVE assignment: CVE-2016-2189. This is Red Hat's private CVE ID and it was assigned to this security flaw. Please, use it in the public communications regarding this flaw, thank you.

[later update]
Please disregard the above. Since the flaw has gone public, MITRE has allocated another ID, CVE-2016-4565 (http://seclists.org/oss-sec/2016/q2/274). Let's stick to using this one.

Comment 12 Petr Matousek 2016-05-17 11:50:24 UTC
*** Bug 1334217 has been marked as a duplicate of this bug. ***

Comment 13 Petr Matousek 2016-05-17 11:54:23 UTC
(In reply to Adam Mariš from comment #5)
> Internal CVE assignment: CVE-2016-2189. This is Red Hat's private CVE ID and
> it was assigned to this security flaw. Please, use it in the public
> communications regarding this flaw, thank you.

CVE assigned a new CVE ID to this issue as per http://seclists.org/oss-sec/2016/q2/274. We're going to request that CVE-2016-2189 be rejected.

Comment 14 Petr Matousek 2016-05-17 12:01:25 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1336754]

Comment 17 Peter K 2016-05-26 07:57:11 UTC
I'm curious, what kind of info is needed?

There is an Important vulnerability and a patch.

It's been, depending on how you measure, a month with no action...

Comment 18 Petr Matousek 2016-05-27 08:57:10 UTC
(In reply to Peter K from comment #17)
> It's been, depending on how you measure, a month with no action...

We are currently planning to include the fixes for this issue in one of the upcoming regular kernel updates for the respective releases. If you need the fix earlier, please contact Red Hat Support (https://www.redhat.com/en/services/support) and request a hotfix and/or kpatch hotfix if eligible.

Comment 23 errata-xmlrpc 2016-06-23 16:23:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:1277 https://access.redhat.com/errata/RHSA-2016:1277

Comment 24 errata-xmlrpc 2016-06-23 16:29:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:1301 https://access.redhat.com/errata/RHSA-2016:1301

Comment 25 errata-xmlrpc 2016-06-27 10:03:35 UTC
This issue has been addressed in the following products:

  MRG for RHEL-6 v.2

Via RHSA-2016:1341 https://access.redhat.com/errata/RHSA-2016:1341

Comment 27 errata-xmlrpc 2016-07-12 18:34:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:1406 https://access.redhat.com/errata/RHSA-2016:1406

Comment 28 errata-xmlrpc 2016-07-26 09:58:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.7 Extended Update Support

Via RHSA-2016:1489 https://rhn.redhat.com/errata/RHSA-2016-1489.html

Comment 29 errata-xmlrpc 2016-08-09 08:41:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.4 Advanced Update Support

Via RHSA-2016:1581 https://rhn.redhat.com/errata/RHSA-2016-1581.html

Comment 30 errata-xmlrpc 2016-08-16 10:32:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.2 Advanced Update Support

Via RHSA-2016:1617 https://rhn.redhat.com/errata/RHSA-2016-1617.html

Comment 31 errata-xmlrpc 2016-08-19 10:11:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.6 Extended Update Support

Via RHSA-2016:1640 https://rhn.redhat.com/errata/RHSA-2016-1640.html

Comment 32 errata-xmlrpc 2016-08-23 16:11:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.1 Extended Update Support

Via RHSA-2016:1657 https://rhn.redhat.com/errata/RHSA-2016-1657.html

Comment 33 errata-xmlrpc 2016-09-06 10:02:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.5 Advanced Update Support

Via RHSA-2016:1814 https://rhn.redhat.com/errata/RHSA-2016-1814.html