Bug 1334217 - CVE-2016-4565 kernel: infiniband: Using write() instead of bi-directional ioctl() allows writing into user specified kernel memory
Summary: CVE-2016-4565 kernel: infiniband: Using write() instead of bi-directional ioc...
Keywords:
Status: CLOSED DUPLICATE of bug 1310570
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1334219
Blocks: 1334220
 
Reported: 2016-05-09 08:04 UTC by Adam Mariš
Modified: 2019-09-29 13:49 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-05-17 11:50:24 UTC



Description Adam Mariš 2016-05-09 08:04:55 UTC
It was reported that the drivers/infiniband stack uses write() as a replacement for bi-directional ioctl(), which is not safe. There are ways to trigger write calls that result in the return structure that is normally written to user space being shunted off to user-specified kernel memory instead.

Upstream patch:

https://git.kernel.org/linus/e6bd18f57aad1a2d1ef40e646d03ed0f2515c9e3

CVE request:

http://seclists.org/oss-sec/2016/q2/269

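The pattern the description refers to, shown as an added user-space model (not code from this bug report, from the kernel, or from the upstream patch): a write() handler takes the request from the written buffer, and the address for the reply travels inside that request. The only thing stopping that address from pointing into kernel memory is copy_to_user()'s access_ok() check, which depends on the thread's current address-space limit; the KERNEL_DS case below stands in for any kernel path that reaches the handler with that limit raised. The hardened handler mirrors the segment half of the upstream fix's ib_safe_file_access() test (the file-credential half is not modelled). All names here (fake_access_ok, fake_copy_to_user, vuln_write, safe_write, scenario, the cmd/resp layouts, the kmem/umem regions) are this example's own assumptions.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Simulated address-space limit, standing in for the kernel's get_fs() state. */
enum seg { USER_DS, KERNEL_DS };
static enum seg cur_fs = USER_DS;

/* Two scratch regions: kmem plays kernel memory, umem the caller's user buffer. */
static uint8_t kmem[64];
static uint8_t umem[64];

/* Request written to the device: the reply address travels in-band with the
 * request, which is the write()-as-ioctl pattern the bug is about. */
struct cmd {
    uint64_t response; /* where the driver should copy the reply */
    uint32_t value;
};
struct resp {
    uint32_t result;
};

/* Model of access_ok(): under USER_DS an address inside kmem is rejected,
 * under KERNEL_DS everything passes. */
static int fake_access_ok(const void *p, size_t n)
{
    uintptr_t a = (uintptr_t)p, kb = (uintptr_t)kmem;
    int in_kernel = a >= kb && a + n <= kb + sizeof kmem;

    if (cur_fs == KERNEL_DS)
        return 1;
    return !in_kernel;
}

/* Model of copy_to_user(): 0 on success, -EFAULT if access_ok() fails. */
static int fake_copy_to_user(void *dst, const void *src, size_t n)
{
    if (!fake_access_ok(dst, n))
        return -EFAULT;
    memcpy(dst, src, n);
    return 0;
}

/* Vulnerable handler: the reply pointer comes straight from the written
 * buffer; the only guard is copy_to_user()'s segment-dependent check. */
static ssize_t vuln_write(const void *ubuf, size_t len)
{
    struct cmd c;
    struct resp r;

    if (len < sizeof c)
        return -EINVAL;
    memcpy(&c, ubuf, sizeof c);  /* copy_from_user() of the request */
    r.result = c.value * 2;      /* stand-in for executing the command */
    if (fake_copy_to_user((void *)(uintptr_t)c.response, &r, sizeof r))
        return -EFAULT;
    return (ssize_t)len;
}

/* Hardened handler: refuse the write() path unless it looks like an ordinary
 * user-space write, i.e. the address-space limit is USER_DS. */
static ssize_t safe_write(const void *ubuf, size_t len)
{
    if (cur_fs != USER_DS)
        return -EACCES;
    return vuln_write(ubuf, len);
}

/* Run one scenario: clear both regions, set the segment, issue the write. */
static ssize_t scenario(enum seg fs, ssize_t (*handler)(const void *, size_t),
                        void *target)
{
    struct cmd c = { .response = (uintptr_t)target, .value = 21 };
    ssize_t rc;

    memset(kmem, 0, sizeof kmem);
    memset(umem, 0, sizeof umem);
    cur_fs = fs;
    rc = handler(&c, sizeof c);
    cur_fs = USER_DS;
    return rc;
}

/* Read back the 32-bit reply at the start of a region (0 if untouched). */
static uint32_t region_result(const uint8_t *region)
{
    uint32_t v;
    memcpy(&v, region, sizeof v);
    return v;
}

int main(void)
{
    ssize_t rc = scenario(KERNEL_DS, vuln_write, kmem);
    printf("KERNEL_DS + vulnerable handler: rc=%zd, kmem now holds %u\n",
           rc, region_result(kmem));
    rc = scenario(KERNEL_DS, safe_write, kmem);
    printf("KERNEL_DS + hardened handler:  rc=%zd, kmem now holds %u\n",
           rc, region_result(kmem));
    return 0;
}
```

Under USER_DS the vulnerable handler already fails with -EFAULT for a kernel target, so the bug is invisible to a plain write() from user space; it is the raised-segment case in which the reply lands in kmem. The hardened handler refuses that case with -EACCES while an ordinary USER_DS write into umem still succeeds, which is the behaviour a backport should be verified against.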
Comment 1 Adam Mariš 2016-05-09 08:08:07 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1334219]

Comment 2 Peter K 2016-05-10 13:30:34 UTC
Can confirm that PoC from:

 http://marc.info/?l=linux-rdma&m=146281689725834&w=2

Works on a fully updated 6.7. How is this a low severity at this point?

We've locally backported and verified the upstream patch set. I added an additional patch for umad which seemed to have a similar code path in:

@@ -445,6 +446,9 @@ static ssize_t ib_umad_write(struct...
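Review bot: only the hunk header for ib_umad_write() is included, so the three added lines at the +446 side cannot be reviewed from this comment. Please post the full hunk with its context, and state what the added lines check, in particular whether they reject a write whose reply would be copied to user-specified kernel memory (the condition in the bug description), so the umad backport can be compared with the upstream patch set you verified.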

Comment 3 Petr Matousek 2016-05-17 11:50:24 UTC

*** This bug has been marked as a duplicate of bug 1310570 ***

