oss-sec mailing list archives
Re: CVE Request: Linux: IB/security: Restrict use of the write() interface'
From: "ira.weiny" <ira.weiny () intel com>
Date: Wed, 11 May 2016 20:12:32 -0400
On Mon, May 09, 2016 at 09:48:59PM +0200, Yann Droneaud wrote:
> Hi,
>
> As a workaround, I would suggest that systems which do not require
> (userspace) RDMA/Infiniband blacklist/remove the following modules:
>
>   rdma_ucm
>   ib_uverbs
>   ib_ucm
>   ib_umad

NOTE: AFAICT ib_umad is not vulnerable as it uses correct write/read semantics.
However, if you are disabling the other modules you probably have no use for
ib_umad either.

Ira

> For example, add the following in /etc/modprobe.d/blacklist.conf:
>
>   blacklist rdma_ucm
>   blacklist ib_uverbs
>   blacklist ib_ucm
>   blacklist ib_umad
>
> Those building their own kernel might want to disable, if not already,
> CONFIG_INFINIBAND_USER_ACCESS, CONFIG_INFINIBAND_USER_MAD,
> CONFIG_INFINIBAND_ADDR_TRANS
>
> (Unfortunately the last one will also disable those features:
>   iSCSI Extensions for RDMA (iSER)
>   iSCSI Extensions for RDMA (iSER) target support
>   RDS over Infiniband and iWARP
>   9P RDMA Transport (Experimental)
>   RPC-over-RDMA transport (which actually disables NFSoRDMA))
>
> Regards.
>
> --
> Yann Droneaud
> OPTEYA
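
An added example, not part of the original messages or of the kernel project: a shell check that the four modules named in the workaround are not loaded and each have a blacklist entry. The function names and the sample files are constructed for illustration; with no arguments `audit_ib_modules` reads `/proc/modules` and `/etc/modprobe.d/*.conf`.

```shell
#!/bin/sh
# Added example: audit the module workaround described in this thread.
IB_USER_MODULES="rdma_ucm ib_uverbs ib_ucm ib_umad"

# is_loaded MODULE [FILE]: /proc/modules carries the module name in field 1.
is_loaded() {
    awk -v m="$1" '$1 == m { f = 1 } END { exit !f }' "${2:-/proc/modules}"
}

# is_blacklisted MODULE FILE...: look for an uncommented "blacklist MODULE".
# modprobe treats "-" and "_" in module names as the same character.
is_blacklisted() {
    bl_mod=$1; shift
    awk -v m="$bl_mod" 'BEGIN { gsub(/-/, "_", m) }
        $1 == "blacklist" { n = $2; gsub(/-/, "_", n); if (n == m) f = 1 }
        END { exit !f }' "$@" 2>/dev/null
}

# audit_ib_modules [PROC_MODULES] [CONF_DIR]: one status line per module;
# returns 1 if any module is loaded or lacks a blacklist entry.
audit_ib_modules() {
    rc=0
    for mod in $IB_USER_MODULES; do
        loaded=no; listed=no
        if is_loaded "$mod" "${1:-/proc/modules}"; then loaded=yes; rc=1; fi
        if is_blacklisted "$mod" "${2:-/etc/modprobe.d}"/*.conf; then
            listed=yes
        else
            rc=1
        fi
        echo "$mod loaded=$loaded blacklisted=$listed"
    done
    return $rc
}

# Constructed sample data (not from a real host): ib_uverbs is still loaded
# and the ib_umad blacklist line is commented out.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/modprobe.d"
printf '%s\n' 'ib_uverbs 65536 0 - Live 0x0000000000000000' \
    'ext4 600000 1 - Live 0x0000000000000000' > "$demo_dir/modules"
printf '%s\n' 'blacklist rdma_ucm' 'blacklist ib_uverbs' 'blacklist ib-ucm' \
    '# blacklist ib_umad' > "$demo_dir/modprobe.d/blacklist.conf"
audit_ib_modules "$demo_dir/modules" "$demo_dir/modprobe.d" ||
    echo "workaround incomplete"
```

A `blacklist` line only stops modprobe from loading a module through its aliases; a module that is already loaded stays loaded until it is removed, which is why the check reads the loaded-module list as well as the configuration.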