[SRU Focal,Bionic,hwe-5.8 0/3] CVE-2020-36385
Thadeu Lima de Souza Cascardo
cascardo at canonical.com
Mon Oct 11 22:08:10 UTC 2021
[Impact]

If rdma_ucm is loaded, an unprivileged user could cause a UAF during a race
between RDMA_USER_CM_CMD_MIGRATE_ID+close and RDMA_USER_CM_CMD_DESTROY_ID.

[Test case]

A test case that leads to soft lockup was tested. After the fixes, there was no
lockup and the program could be interrupted after multiple runs.

[Backport]

Two other commits were backported because they introduce rdma_lock_handler.
This one was necessary instead of rewriting the code to keep ucma_lock_files,
which would be error-prone. Simply omitting rdma_lock_handler could potentially
lead to other race conditions against the ucma event handlers.

[Potential regression]

Other race conditions on the UCMA/CMA code could have been mistakenly
introduced.
Jason Gunthorpe (3):
RDMA/cma: Add missing locking to rdma_accept()
RDMA/ucma: Fix the locking of ctx->file
RDMA/ucma: Rework ucma_migrate_id() to avoid races with destroy
drivers/infiniband/core/cma.c | 25 +++++++--
drivers/infiniband/core/ucma.c | 96 +++++++++++++++-------------------
include/rdma/rdma_cm.h | 6 +++
3 files changed, 70 insertions(+), 57 deletions(-)
--
2.30.2