It was reported that drivers/infiniband stack uses write() as a replacement for bi-directional ioctl(), which is not safe. There are ways to trigger write calls that result in the return structure that is normally written to user space being shunted off to user specified kernel memory instead. Upstream patch: https://git.kernel.org/linus/e6bd18f57aad1a2d1ef40e646d03ed0f2515c9e3 CVE request: http://seclists.org/oss-sec/2016/q2/269
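The pattern described above, as an added user-space model that is neither kernel code nor part of this bug report: a write() handler that copies its result to a pointer carried inside the command it was handed, with the unchecked form shown beside the check the upstream commit introduces (the caller must hold the credentials that opened the file and must be running with the user address limit). The names seg_t, USER_DS, KERNEL_DS, fake_copy_to_user, write_unsafe, write_safe, safe_file_access and run are this model's own stand-ins for kernel concepts, not the real kernel API, and user_mem and kernel_mem are constructed byte arrays standing in for the two address spaces.

```c
/* Added illustration (not kernel code, not from the report): a user-space
 * model of the pattern the report describes. The write() handler takes a
 * command whose "response" field is a pointer the handler copies results
 * to. seg_t, USER_DS, KERNEL_DS, fake_copy_to_user and safe_file_access
 * are stand-ins for kernel concepts, chosen for this model; they are not
 * the real kernel API. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

typedef enum { USER_DS, KERNEL_DS } seg_t;   /* model of the address limit */

static uint8_t user_mem[64];     /* constructed "user" page   */
static uint8_t kernel_mem[64];   /* constructed "kernel" page */

struct ctx  { seg_t addr_limit; int caller_cred; };  /* ~ get_fs(), current_cred() */
struct file { int opener_cred; };                     /* ~ filp->f_cred */
struct cmd  { uint64_t response; uint32_t value; };   /* response: pointer from caller */
struct resp { uint32_t value; uint32_t status; };

static bool in_range(uint64_t p, size_t n, const uint8_t *base, size_t len)
{
    uintptr_t b = (uintptr_t)base;
    return p >= b && p + n <= b + len;
}

/* Model of copy_to_user(): under USER_DS only user addresses pass the
 * access check; under KERNEL_DS (an in-kernel caller that raised the
 * limit) kernel addresses pass as well. */
static int fake_copy_to_user(const struct ctx *c, uint64_t dst,
                             const void *src, size_t n)
{
    bool ok = in_range(dst, n, user_mem, sizeof user_mem) ||
              (c->addr_limit == KERNEL_DS &&
               in_range(dst, n, kernel_mem, sizeof kernel_mem));
    if (!ok)
        return -EFAULT;
    memcpy((void *)(uintptr_t)dst, src, n);
    return 0;
}

/* Shape of the unsafe handler: the result goes wherever the command says. */
static long write_unsafe(const struct ctx *c, const struct file *f,
                         const struct cmd *in)
{
    (void)f;
    struct resp r = { in->value * 2u, 0 };
    int err = fake_copy_to_user(c, in->response, &r, sizeof r);
    return err ? err : (long)sizeof *in;
}

/* Hardened shape, mirroring the upstream commit's check: the caller must
 * hold the credentials that opened the file and run with USER_DS. */
static bool safe_file_access(const struct ctx *c, const struct file *f)
{
    return f->opener_cred == c->caller_cred && c->addr_limit == USER_DS;
}

static long write_safe(const struct ctx *c, const struct file *f,
                       const struct cmd *in)
{
    if (!safe_file_access(c, f))
        return -EACCES;
    return write_unsafe(c, f, in);
}

/* Drive one scenario: point the response at kernel_mem (or user_mem),
 * run the chosen handler, and report its return code. */
static long run(seg_t limit, bool hardened, bool target_kernel)
{
    memset(user_mem, 0, sizeof user_mem);
    memset(kernel_mem, 0, sizeof kernel_mem);
    struct ctx  c = { limit, 1000 };
    struct file f = { 1000 };
    uint8_t *dst = target_kernel ? kernel_mem : user_mem;
    struct cmd in = { (uint64_t)(uintptr_t)dst, 21 };
    return hardened ? write_safe(&c, &f, &in) : write_unsafe(&c, &f, &in);
}

/* True if the last run() wrote into the model's kernel page. */
static bool kernel_mem_touched(void)
{
    static const uint8_t zero[sizeof kernel_mem];
    return memcmp(kernel_mem, zero, sizeof kernel_mem) != 0;
}
```

The point the model makes is that the guard belongs on the caller's context, not on the pointer: copy_to_user already range-checks the destination, but that check is relative to the task's address limit, so a handler reached through an in-kernel path running with the kernel limit will happily accept a kernel address. Refusing the request when the credentials or the address limit are not those of an ordinary user-space write() closes that path regardless of what the command contains.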
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 1334219]
Can confirm that PoC from: http://marc.info/?l=linux-rdma&m=146281689725834&w=2 works on a fully updated 6.7. How is this a low severity at this point? We've locally backported and verified the upstream patch set. I added an additional patch for umad which seemed to have a similar code path in: @@ -445,6 +446,9 @@ static ssize_t ib_umad_write(struct...
*** This bug has been marked as a duplicate of bug 1310570 ***