It was reported that the drivers/infiniband stack uses write() as a replacement for bi-directional ioctl(), which is not safe. There are ways to trigger write calls that result in the return structure that is normally written to user space being shunted off to user-specified kernel memory instead. A local unprivileged user on a system with the rdma_ucm module loaded could use this flaw to escalate their privileges.

Upstream patch:
https://git.kernel.org/linus/e6bd18f57aad1a2d1ef40e646d03ed0f2515c9e3

CVE-ID request and assignment:
http://seclists.org/oss-sec/2016/q2/269
http://seclists.org/oss-sec/2016/q2/274
Acknowledgments: Name: Jann Horn
Statement: This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5. This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 6, 7 and Red Hat Enterprise MRG-2. Future Linux kernel updates for the respective releases might address this issue.
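An exposure check for the precondition named in the description (the rdma_ucm module being loaded), added here as an example; it is not part of the original bug report or of any Red Hat tooling. It assumes the standard /proc/modules layout and a single modprobe.d directory (/etc/modprobe.d by default; other configuration directories are not scanned), and the function names are hypothetical.

```shell
#!/bin/sh
# Read-only check: is rdma_ucm loaded, and if not, is loading it disabled?
# Assumption: /proc/modules lines start with the module name;
# modprobe.d uses "install <module> /bin/true|/bin/false" to disable loading.
MODULE="rdma_ucm"

# module_loaded FILE NAME -> 0 if NAME is listed in a /proc/modules-format file
module_loaded() {
    awk -v m="$2" '$1 == m { found = 1 } END { exit found ? 0 : 1 }' "$1"
}

# module_blocked DIR NAME -> 0 if an "install NAME /bin/true|/bin/false" rule exists.
# A plain "blacklist" line is not counted: it only stops alias-based autoloading,
# an explicit modprobe of the module still succeeds.
module_blocked() {
    cat "$1"/*.conf 2>/dev/null | awk -v m="$2" '
        $1 == "install" {
            n = $2; gsub(/-/, "_", n)   # modprobe treats "-" and "_" as equal
            if (n == m && ($3 == "/bin/true" || $3 == "/bin/false")) ok = 1
        }
        END { exit ok ? 0 : 1 }'
}

# assess MODULES_FILE MODPROBE_DIR -> one-line verdict on stdout
assess() {
    if module_loaded "$1" "$MODULE"; then
        echo "EXPOSED: $MODULE is loaded; apply the kernel update or unload it"
    elif module_blocked "$2" "$MODULE"; then
        echo "MITIGATED: $MODULE is not loaded and loading is disabled"
    else
        echo "LATENT: $MODULE is not loaded, but nothing prevents loading it later"
    fi
}

# Default to the live system; pass other paths to inspect collected files.
assess "${1:-/proc/modules}" "${2:-/etc/modprobe.d}"
```

A MITIGATED or LATENT verdict describes module state only; it does not tell whether the running kernel carries the fix.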
Internal CVE assignment: CVE-2016-2189. This is Red Hat's private CVE ID and it was assigned to this security flaw. Please use it in the public communications regarding this flaw, thank you.

[later update] Please disregard ^^^. Since the flaw has gone public, MITRE has allocated another one, CVE-2016-4565 (http://seclists.org/oss-sec/2016/q2/274). Let's stick to using this.
*** Bug 1334217 has been marked as a duplicate of this bug. ***
(In reply to Adam Mariš from comment #5)
> Internal CVE assignment: CVE-2016-2189. This is Red Hat's private CVE ID and
> it was assigned to this security flaw. Please, use it in the public
> communications regarding this flaw, thank you.

CVE assigned a new CVE id to this issue as per http://seclists.org/oss-sec/2016/q2/274 . We're going to request CVE-2016-2189 to be rejected.
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1336754]
I'm curious, what kind of info is needed? There is an Important vulnerability and a patch. It's been, depending on how you measure, a month with no action...
(In reply to Peter K from comment #17)
> It's been, depending on how you measure, a month with no action...

We are currently planning to include the fixes for this issue in one of the upcoming regular kernel updates for the respective releases. If you need the fix earlier, please contact Red Hat Support (https://www.redhat.com/en/services/support) and request a hotfix and/or kpatch hotfix if eligible.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2016:1277 https://access.redhat.com/errata/RHSA-2016:1277
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2016:1301 https://access.redhat.com/errata/RHSA-2016:1301
This issue has been addressed in the following products: MRG for RHEL-6 v.2 Via RHSA-2016:1341 https://access.redhat.com/errata/RHSA-2016:1341
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2016:1406 https://access.redhat.com/errata/RHSA-2016:1406
This issue has been addressed in the following products: Red Hat Enterprise Linux 6.7 Extended Update Support Via RHSA-2016:1489 https://rhn.redhat.com/errata/RHSA-2016-1489.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6.4 Advanced Update Support Via RHSA-2016:1581 https://rhn.redhat.com/errata/RHSA-2016-1581.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6.2 Advanced Update Support Via RHSA-2016:1617 https://rhn.redhat.com/errata/RHSA-2016-1617.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6.6 Extended Update Support Via RHSA-2016:1640 https://rhn.redhat.com/errata/RHSA-2016-1640.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.1 Extended Update Support Via RHSA-2016:1657 https://rhn.redhat.com/errata/RHSA-2016-1657.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6.5 Advanced Update Support Via RHSA-2016:1814 https://rhn.redhat.com/errata/RHSA-2016-1814.html