Bug 1310570 - (CVE-2016-4565) CVE-2016-4565 kernel: infiniband: Unprivileged process can overwrite kernel memory using rdma_ucm.ko
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
Whiteboard: impact=important,public=20160507,repo...
Keywords: Security
Duplicates: 1334217
Depends On: 1316685 1332547 1332548 1332553 1332558 1332559 1332560 1332564 1334219 1336754 1340792 1340793 1340794 1340795 1340796 1340797
Blocks: 1310573 1334220
Reported: 2016-02-22 04:23 EST by Adam Mariš
Modified: 2016-09-25 23:40 EDT
CC: 35 users

Doc Type: Bug Fix
Doc Text:
A flaw was found in the way certain interfaces of the Linux kernel's InfiniBand subsystem used write() as a bidirectional ioctl() replacement. When the write path is reached through the splice() system call, the user-space address checks that normally protect the copy of the response back to the caller are not performed. A local unprivileged user on a system with either InfiniBand hardware present or the RDMA Userspace Connection Manager Access module (rdma_ucm) explicitly loaded could use this flaw to escalate their privileges on the system.
Last Closed: 2016-09-25 23:40:54 EDT

Attachments: None

Description Adam Mariš 2016-02-22 04:23:51 EST
It was reported that the drivers/infiniband stack uses write() as a replacement for a bi-directional ioctl(), which is not safe. There are ways to trigger write calls that result in the return structure that is normally written to user space being shunted off to user-specified kernel memory instead.

A local unprivileged user on a system with the rdma_ucm module loaded could use this flaw to escalate their privileges.

Upstream patch:

https://git.kernel.org/linus/e6bd18f57aad1a2d1ef40e646d03ed0f2515c9e3

CVE-ID request and assignment:

http://seclists.org/oss-sec/2016/q2/269
http://seclists.org/oss-sec/2016/q2/274
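The write()-as-ioctl pattern described in the Doc Text and in the description above, reduced to a user-space model. This is an added example, not kernel code and not part of this bug report. A handler parses a command whose `response` field is a caller-chosen pointer and copies its result there with copy_to_user(). copy_to_user() relies on access_ok(), and access_ok() passes every address once the task's address limit is KERNEL_DS; that is the state a kernel-internal write such as the splice() path runs in, so a `response` that points at kernel memory is accepted and the result lands there. The fixed handler applies the gate the upstream commit introduces as ib_safe_file_access(): the file's credentials must match the calling task's and the address limit must be USER_DS. The fake address-space layout, the `struct task` / `struct file` models, the command layout and all helper names here are assumptions made for the model, not the driver's real definitions.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical user-space model of a write()-as-ioctl driver path (assumption,
 * not kernel code). The names mirror kernel concepts but are local stand-ins. */

enum addr_limit { USER_DS, KERNEL_DS };

struct task { enum addr_limit fs; int cred; };   /* address limit and credentials */
struct file { int f_cred; };                      /* credentials that opened the fd */

/* Constructed fake address space: a user region and a kernel region. */
#define USER_BASE   0x0000000000001000ULL
#define KERNEL_BASE 0xffffffff00000000ULL
static uint8_t user_mem[256];
static uint8_t kernel_mem[256];

/* Model of access_ok(): under USER_DS only the user region is acceptable; under
 * KERNEL_DS (a kernel-internal write, as on the splice() path) everything passes. */
static bool access_ok(const struct task *t, uint64_t addr, size_t len)
{
    if (t->fs == KERNEL_DS)
        return true;
    return addr >= USER_BASE && addr + len <= USER_BASE + sizeof user_mem;
}

/* Model of copy_to_user(): access_ok() is the only check, then the copy is
 * routed to whichever region the destination address falls in. */
static int copy_to_user(const struct task *t, uint64_t dst, const void *src, size_t len)
{
    if (!access_ok(t, dst, len))
        return -EFAULT;
    if (dst >= KERNEL_BASE && dst + len <= KERNEL_BASE + sizeof kernel_mem)
        memcpy(kernel_mem + (dst - KERNEL_BASE), src, len);
    else if (dst >= USER_BASE && dst + len <= USER_BASE + sizeof user_mem)
        memcpy(user_mem + (dst - USER_BASE), src, len);
    else
        return -EFAULT;
    return 0;
}

/* Command written into the fd; `response` is where the result is copied back
 * (meant to be a user pointer, but entirely caller controlled). */
struct cmd { uint32_t op; uint64_t response; };

static int handle_cmd(const struct task *t, const struct cmd *c)
{
    uint64_t result = 0x4141414141414141ULL;   /* constructed result payload */
    return copy_to_user(t, c->response, &result, sizeof result);
}

/* Vulnerable write(): trusts copy_to_user() alone. */
static int vuln_write(const struct task *t, const struct file *f, const struct cmd *c)
{
    (void)f;
    return handle_cmd(t, c);
}

/* Same gate as the upstream ib_safe_file_access(): the fd must have been opened
 * with the caller's credentials and the address limit must be USER_DS. */
static bool safe_file_access(const struct task *t, const struct file *f)
{
    return f->f_cred == t->cred && t->fs == USER_DS;
}

/* Fixed write(): refuses any call that did not arrive through a plain write(). */
static int fixed_write(const struct task *t, const struct file *f, const struct cmd *c)
{
    if (!safe_file_access(t, f))
        return -EACCES;
    return handle_cmd(t, c);
}

/* Drives a handler with a given address limit and response pointer; the kernel
 * region is cleared first so a write into it is observable afterwards. */
static int run(int (*w)(const struct task *, const struct file *, const struct cmd *),
               enum addr_limit fs, uint64_t response)
{
    struct task t = { fs, 1000 };
    struct file f = { 1000 };
    struct cmd c = { 7, response };
    memset(kernel_mem, 0, sizeof kernel_mem);
    return w(&t, &f, &c);
}

static bool kernel_mem_clobbered(void)
{
    for (size_t i = 0; i < sizeof kernel_mem; i++)
        if (kernel_mem[i])
            return true;
    return false;
}

int main(void)
{
    printf("vuln, write() path, user ptr   : %d\n", run(vuln_write, USER_DS, USER_BASE));
    printf("vuln, write() path, kernel ptr : %d\n", run(vuln_write, USER_DS, KERNEL_BASE));
    printf("vuln, splice path, kernel ptr  : %d (kernel mem clobbered: %d)\n",
           run(vuln_write, KERNEL_DS, KERNEL_BASE + 16), kernel_mem_clobbered());
    printf("fixed, splice path, kernel ptr : %d (kernel mem clobbered: %d)\n",
           run(fixed_write, KERNEL_DS, KERNEL_BASE + 16), kernel_mem_clobbered());
    return 0;
}
```

The second run shows why the bug needs splice(): a direct write() with a kernel `response` pointer is rejected by access_ok() under USER_DS. The third run is the reported condition, the kernel-internal path with a kernel destination, and the fourth shows the credential and address-limit gate closing it.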
Comment 2 Adam Mariš 2016-02-22 04:44:51 EST
Acknowledgments:

Name: Jann Horn
Comment 3 Vladis Dronov 2016-03-10 13:42:47 EST
Statement:

This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5.

This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 6, 7 and Red Hat Enterprise MRG-2. Future Linux kernel updates for the respective releases might address this issue.
Comment 5 Adam Mariš 2016-03-11 09:47:54 EST
Internal CVE assignment: CVE-2016-2189. This is Red Hat's private CVE ID and it was assigned to this security flaw. Please use it in public communications regarding this flaw. Thank you.

[later update]
Please disregard the above. Since the flaw has gone public, MITRE has allocated another ID, CVE-2016-4565 (http://seclists.org/oss-sec/2016/q2/274). Let's stick to using this one.
Comment 12 Petr Matousek 2016-05-17 07:50:24 EDT
*** Bug 1334217 has been marked as a duplicate of this bug. ***
Comment 13 Petr Matousek 2016-05-17 07:54:23 EDT
(In reply to Adam Mariš from comment #5)
> Internal CVE assignment: CVE-2016-2189. This is Red Hat's private CVE ID and
> it was assigned to this security flaw. Please, use it in the public
> communications regarding this flaw, thank you.

CVE assigned a new CVE ID to this issue as per http://seclists.org/oss-sec/2016/q2/274. We're going to request that CVE-2016-2189 be rejected.
Comment 14 Petr Matousek 2016-05-17 08:01:25 EDT
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1336754]
Comment 17 Peter K 2016-05-26 03:57:11 EDT
I'm curious, what kind of info is needed?

There is an Important vulnerability and a patch.

It's been, depending on how you measure, a month with no action...
Comment 18 Petr Matousek 2016-05-27 04:57:10 EDT
(In reply to Peter K from comment #17)
> It's been, depending on how you measure, a month with no action...

We are currently planning to include the fixes for this issue in one of the upcoming regular kernel updates for the respective releases. If you need the fix earlier, please contact Red Hat Support (https://www.redhat.com/en/services/support) and request a hotfix and/or kpatch hotfix if eligible.
Comment 23 errata-xmlrpc 2016-06-23 12:23:39 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:1277 https://access.redhat.com/errata/RHSA-2016:1277
Comment 24 errata-xmlrpc 2016-06-23 12:29:45 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:1301 https://access.redhat.com/errata/RHSA-2016:1301
Comment 25 errata-xmlrpc 2016-06-27 06:03:35 EDT
This issue has been addressed in the following products:

  MRG for RHEL-6 v.2

Via RHSA-2016:1341 https://access.redhat.com/errata/RHSA-2016:1341
Comment 27 errata-xmlrpc 2016-07-12 14:34:58 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:1406 https://access.redhat.com/errata/RHSA-2016:1406
Comment 28 errata-xmlrpc 2016-07-26 05:58:24 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.7 Extended Update Support

Via RHSA-2016:1489 https://rhn.redhat.com/errata/RHSA-2016-1489.html
Comment 29 errata-xmlrpc 2016-08-09 04:41:19 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.4 Advanced Update Support

Via RHSA-2016:1581 https://rhn.redhat.com/errata/RHSA-2016-1581.html
Comment 30 errata-xmlrpc 2016-08-16 06:32:27 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.2 Advanced Update Support

Via RHSA-2016:1617 https://rhn.redhat.com/errata/RHSA-2016-1617.html
Comment 31 errata-xmlrpc 2016-08-19 06:11:28 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.6 Extended Update Support

Via RHSA-2016:1640 https://rhn.redhat.com/errata/RHSA-2016-1640.html
Comment 32 errata-xmlrpc 2016-08-23 12:11:47 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.1 Extended Update Support

Via RHSA-2016:1657 https://rhn.redhat.com/errata/RHSA-2016-1657.html
Comment 33 errata-xmlrpc 2016-09-06 06:02:48 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.5 Advanced Update Support

Via RHSA-2016:1814 https://rhn.redhat.com/errata/RHSA-2016-1814.html