Bug 1310570 (CVE-2016-4565) - CVE-2016-4565 kernel: infiniband: Unprivileged process can overwrite kernel memory using rdma_ucm.ko
Summary: CVE-2016-4565 kernel: infiniband: Unprivileged process can overwrite kernel m...
Status: CLOSED ERRATA
Alias: CVE-2016-4565
Product: Security Response
Classification: Other
Component: vulnerability   
(Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20160507,repo...
Keywords: Security
: 1334217 (view as bug list)
Depends On: 1316685 1332547 1332548 1332553 1332558 1332559 1332560 1332564 1334219 1336754 1340792 1340793 1340794 1340795 1340796 1340797
Blocks: 1310573 1334220
TreeView+ depends on / blocked
 
Reported: 2016-02-22 09:23 UTC by Adam Mariš
Modified: 2016-09-26 03:40 UTC (History)
35 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A flaw was found in the way certain interfaces of the Linux kernel's Infiniband subsystem used write() as bi-directional ioctl() replacement, which could lead to insufficient memory security checks when being invoked using the splice() system call. A local unprivileged user on a system with either Infiniband hardware present or RDMA Userspace Connection Manager Access module explicitly loaded, could use this flaw to escalate their privileges on the system.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-09-26 03:40:54 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:1277 normal SHIPPED_LIVE Important: kernel security and bug fix update 2016-06-23 20:14:36 UTC
Red Hat Product Errata RHSA-2016:1301 normal SHIPPED_LIVE Important: kernel-rt security, bug fix, and enhancement update 2016-06-23 20:15:04 UTC
Red Hat Product Errata RHSA-2016:1341 normal SHIPPED_LIVE Important: kernel-rt security and bug fix update 2016-06-27 14:02:50 UTC
Red Hat Product Errata RHSA-2016:1406 normal SHIPPED_LIVE Important: kernel security and bug fix update 2016-07-12 22:30:05 UTC
Red Hat Product Errata RHSA-2016:1489 normal SHIPPED_LIVE Important: kernel security, bug fix, and enhancement update 2016-07-26 13:58:01 UTC
Red Hat Product Errata RHSA-2016:1581 normal SHIPPED_LIVE Important: kernel security update 2016-08-09 12:41:08 UTC
Red Hat Product Errata RHSA-2016:1617 normal SHIPPED_LIVE Important: kernel security update 2016-08-16 14:31:13 UTC
Red Hat Product Errata RHSA-2016:1640 normal SHIPPED_LIVE Important: kernel security and bug fix update 2016-08-19 14:11:17 UTC
Red Hat Product Errata RHSA-2016:1657 normal SHIPPED_LIVE Important: kernel security update 2016-08-23 20:11:31 UTC
Red Hat Product Errata RHSA-2016:1814 normal SHIPPED_LIVE Important: kernel security and bug fix update 2016-09-06 13:59:05 UTC

Description Adam Mariš 2016-02-22 09:23:51 UTC
It was reported that drivers/infiniband stack uses write() as a replacement for bi-directional ioctl(), which is not safe. There are ways to trigger write calls that result in the return structure that is normally written to user space being shunted off to user specified kernel memory instead.

A local unprivileged user on a system with rdma_ucm module loaded could use this flaw to escalate their privileges.

Upstream patch:

https://git.kernel.org/linus/e6bd18f57aad1a2d1ef40e646d03ed0f2515c9e3

CVE-ID request and assignment:

http://seclists.org/oss-sec/2016/q2/269
http://seclists.org/oss-sec/2016/q2/274

Comment 2 Adam Mariš 2016-02-22 09:44:51 UTC
Acknowledgments:

Name: Jann Horn

Comment 3 Vladis Dronov 2016-03-10 18:42:47 UTC
Statement:

This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5.

This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 6, 7 and Red Hat Enterprise MRG-2. Future Linux kernel updates for the respective releases might address this issue.

Comment 5 Adam Mariš 2016-03-11 14:47:54 UTC
Internal CVE assignment: CVE-2016-2189. This is Red Hat's private CVE ID and it was assigned to this security flaw. Please, use it in the public communications regarding this flaw, thank you.

[later update]
please, disregard ^^^. due to the flaw has gone public, MIRTE has allocated another CVE-2016-4565 (http://seclists.org/oss-sec/2016/q2/274). lets stick to using this.

Comment 12 Petr Matousek 2016-05-17 11:50:24 UTC
*** Bug 1334217 has been marked as a duplicate of this bug. ***

Comment 13 Petr Matousek 2016-05-17 11:54:23 UTC
(In reply to Adam Mariš from comment #5)
> Internal CVE assignment: CVE-2016-2189. This is Red Hat's private CVE ID and
> it was assigned to this security flaw. Please, use it in the public
> communications regarding this flaw, thank you.

CVE assigned a new CVE id to this issue as per http://seclists.org/oss-sec/2016/q2/274 . We're going to request CVE-2016-2189 to be rejected.

Comment 14 Petr Matousek 2016-05-17 12:01:25 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1336754]

Comment 17 Peter K 2016-05-26 07:57:11 UTC
I'm curious, what kind of info is needed?

There is an Important vulnerability and a patch.

It's been, depending on how you measure, a month with no action...

Comment 18 Petr Matousek 2016-05-27 08:57:10 UTC
(In reply to Peter K from comment #17)
> It's been, depending on how you measure, a month with no action...

We are currently planning to include the fixes for this issue in one of the upcoming regular kernel updates for the respective releases. If you need the fix earlier, please contact Red Hat Support (https://www.redhat.com/en/services/support) and request a hotfix and/or kpatch hotfix if eligible.

Comment 23 errata-xmlrpc 2016-06-23 16:23:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:1277 https://access.redhat.com/errata/RHSA-2016:1277

Comment 24 errata-xmlrpc 2016-06-23 16:29:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:1301 https://access.redhat.com/errata/RHSA-2016:1301

Comment 25 errata-xmlrpc 2016-06-27 10:03:35 UTC
This issue has been addressed in the following products:

  MRG for RHEL-6 v.2

Via RHSA-2016:1341 https://access.redhat.com/errata/RHSA-2016:1341

Comment 27 errata-xmlrpc 2016-07-12 18:34:58 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:1406 https://access.redhat.com/errata/RHSA-2016:1406

Comment 28 errata-xmlrpc 2016-07-26 09:58:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.7 Extended Update Support

Via RHSA-2016:1489 https://rhn.redhat.com/errata/RHSA-2016-1489.html

Comment 29 errata-xmlrpc 2016-08-09 08:41:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.4 Advanced Update Support

Via RHSA-2016:1581 https://rhn.redhat.com/errata/RHSA-2016-1581.html

Comment 30 errata-xmlrpc 2016-08-16 10:32:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.2 Advanced Update Support

Via RHSA-2016:1617 https://rhn.redhat.com/errata/RHSA-2016-1617.html

Comment 31 errata-xmlrpc 2016-08-19 10:11:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.6 Extended Update Support

Via RHSA-2016:1640 https://rhn.redhat.com/errata/RHSA-2016-1640.html

Comment 32 errata-xmlrpc 2016-08-23 16:11:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.1 Extended Update Support

Via RHSA-2016:1657 https://rhn.redhat.com/errata/RHSA-2016-1657.html

Comment 33 errata-xmlrpc 2016-09-06 10:02:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.5 Advanced Update Support

Via RHSA-2016:1814 https://rhn.redhat.com/errata/RHSA-2016-1814.html


Note You need to log in before you can comment on or make changes to this bug.