Re: CVE Request: Linux: IB/security: Restrict use of the write() interface'

["ira.weiny" <ira.weiny () intel com>]

On Mon, May 09, 2016 at 09:48:59PM +0200, Yann Droneaud wrote:
> Hi,
>
>
> As a workaround, I would suggest that systems which do not require
> (userspace) RDMA/Infiniband to blacklist/remove the following modules:
>
>   rdma_ucm
>   ib_uverbs
>   ib_ucm
>   ib_umad

NOTE: AFAICT ib_umad is not vulnerable as it uses correct write/read semantics.
However, if you are disabling the other modules you probably have no use for
ib_umad either.

Ira

> For example, adds the following in /etc/modprobe.d/blacklist.conf
>
>   blacklist rdma_ucm
>   blacklist ib_uverbs
>   blacklist ib_ucm
>   blacklist ib_umad
>
> Those building their own kernel might want to disable, if not already,
>
>   CONFIG_INFINIBAND_USER_ACCESS, 
>   CONFIG_INFINIBAND_USER_MAD,
>   CONFIG_INFINIBAND_ADDR_TRANS
>
> (Unfortunately the last one will also disable those features:
>   iSCSI Extensions for RDMA (iSER)
>   iSCSI Extensions for RDMA (iSER) target support
>   RDS over Infiniband and iWARP
>   9P RDMA Transport (Experimental)
>   RPC-over-RDMA transport
>     (which actually disable NFSoRDMA))
>
> Regards.
>
> -- 
> Yann Droneaud
> OPTEYA
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-rdma" in
> the body of a message to majordomo () vger kernel org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html