APPLIED: [SRU Focal,Bionic,hwe-5.8 0/3] CVE-2020-36385

Kleber Souza kleber.souza at canonical.com
Thu Oct 14 14:56:45 UTC 2021


On 12.10.21 00:08, Thadeu Lima de Souza Cascardo wrote:
> [Impact]
> If rdma_ucm is loaded, an unprivileged user could cause a UAF during a race
> between RDMA_USER_CM_CMD_MIGRATE_ID+close and RDMA_USER_CM_CMD_DESTROY_ID.
> 
> [Test case]
> A test case that leads to soft lockup was tested. After the fixes, there was no
> lockup and the program could be interrupted after multiple runs.
> 
> [Backport]
> Two other commits were backported because they introduce rdma_lock_handler.
> This one was necessary instead of rewriting the code to keep ucma_lock_files,
> which would be error-prone. Simply omitting rdma_lock_handler could potentially
> lead to other race conditions against the ucma event handlers.
> 
> [Potential regression]
> Other race conditions on the UCMA/CMA code could have been mistakenly
> introduced.
> 
> 
> Jason Gunthorpe (3):
>    RDMA/cma: Add missing locking to rdma_accept()
>    RDMA/ucma: Fix the locking of ctx->file
>    RDMA/ucma: Rework ucma_migrate_id() to avoid races with destroy
> 
>   drivers/infiniband/core/cma.c  | 25 +++++++--
>   drivers/infiniband/core/ucma.c | 96 +++++++++++++++-------------------
>   include/rdma/rdma_cm.h         |  6 +++
>   3 files changed, 70 insertions(+), 57 deletions(-)
> 

Applied to bionic:linux, focal:linux and focal:linux-hwe-5.8.

Thanks,
Kleber



