CVE 2014-8159 vulnerability

Red Hat released a new kernel yesterday, and it seems that there is a local root hole in the (u)verbs implementation. Has anyone figured out whether MLNX OFED is affected as well?

It was found that the Linux kernel's InfiniBand subsystem did not properly sanitize input parameters while registering memory regions from user space via the (u)verbs API. A local user with access to a /dev/infiniband/uverbsX device could use this flaw to crash the system or, potentially, escalate their privileges on the system. (CVE-2014-8159, Important)

Seems that MLNX_OFED-2.4 does not have this check, so it's time to patch and rebuild IB drivers :-(

diff -ur linux-2.6.32-504.8.1.el6/drivers/infiniband/core/umem.c linux-2.6.32-504.12.2.el6/drivers/infiniband/core/umem.c

— linux-2.6.32-504.8.1.el6/drivers/infiniband/core/umem.c 2014-12-19 18:31:21.000000000 +0200

+++ linux-2.6.32-504.12.2.el6/drivers/infiniband/core/umem.c 2015-02-01 18:24:27.000000000 +0200

@@ -92,6 +92,14 @@

if (dmasync)

dma_set_attr(DMA_ATTR_WRITE_BARRIER, &attrs);

  • /*

    • If the combination of the addr and size requested for this memory
    • region causes an integer overflow, return error.
  • */

  • if ((PAGE_ALIGN(addr + size) <= size) ||

  • (PAGE_ALIGN(addr + size) <= addr))

  • return ERR_PTR(-EINVAL);

if (!can_do_mlock())

return ERR_PTR(-EPERM);
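Review bot: the new comment says the check only guards against integer overflow, but the second condition `PAGE_ALIGN(addr + size) <= addr` also rejects a zero-length request when addr is page aligned (PAGE_ALIGN(addr + 0) == addr), while a zero-length request at an unaligned addr still passes; either the comment should state that size == 0 is refused, or an explicit `if (!size) return ERR_PTR(-EINVAL);` should carry that intent so the behaviour does not depend on alignment. Also, as pasted here the eight added lines are rendered as bullets instead of `+` lines, so this hunk will not apply with patch(1) until the `+` prefixes are restored.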

Thanks for the heads up!

Mellanox has released an updated version of the 2.4-1 release to address the issue:

Mellanox Products: Mellanox OpenFabrics Enterprise Distribution for Linux (MLNX_OFED) http://www.mellanox.com/page/products_dyn?product_family=26&mtag=linux_sw_drivers

I noticed that while Mellanox reported the problem to Red Hat (promptly fixed), the upstream Linux kernel and OFED seem out of the loop (or at least not fixing). I base this on the patch being missing from both Linux git master and ofed-3.18-daily.

Also, the available CVE info at NVD and MITRE is missing lots of information (most significantly that nearly everybody using IB is vulnerable until updated).