Difference between revisions of "EGI CSIRT:Alerts/rds-rdma-2010-11-02"
Changes between the previous revision (left) and the current revision (right):

Line 9 (previous) | Line 9 (current)
Date: November 01, 2010 | Date: November 01, 2010
Last update: November 01, 2010 | Last update: November 01, 2010
URL: https://wiki.egi.eu/ | URL: https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/rds-rdma-2010-11-02
Introduction | Introduction

Line 28 (previous) | Line 27 (current)
Details | Details
======= | =======
Added in the current revision:
As reported by Thomas Pollet, the rdma page counting can overflow. We get the
rdma sizes in 64-bit unsigned entities, but then limit it to UINT_MAX bytes and
shift them down to pages (so with a possible "+1" for an unaligned address).
So each individual page count fits comfortably in an 'unsigned int' (not even
close to overflowing into signed), but as they are added up, they might end up
resulting in a signed return value. Which would be wrong.
Catch the case of tot_pages turning negative, and return the appropriate error
code.

Line 80 (previous) | Line 89 (current)
https://bugzilla.redhat.com/show_bug.cgi?id=647416 | https://bugzilla.redhat.com/show_bug.cgi?id=647416
https://www.redhat.com/security/data/cve/CVE-2010-3865.html | https://www.redhat.com/security/data/cve/CVE-2010-3865.html
Added in the current revision:
For discussions on the details of the bug resulting in a buffer overflow:
http://www.spinics.net/lists/netdev/msg145359.html
http://www.spinics.net/lists/netdev/msg145397.html
Revision as of 17:16, 2 November 2010
========== DRAFT ===========
** WHITE information - Unlimited distribution allowed **
** see https://wiki.egi.eu/wiki/EGI_CSIRT:TLP for distribution restrictions **

EGI CSIRT ADVISORY [EGI-ADV-20101102]

Title: HIGH Vulnerability CVE-2010-3865 kernel: iovec integer overflow in net/rds/rdma.c [EGI-ADV-20101102]
Date: November 01, 2010
Last update: November 01, 2010
URL: https://wiki.egi.eu/wiki/EGI_CSIRT:Alerts/rds-rdma-2010-11-02

Introduction
============

Another problem in the RDS module has been detected:

https://bugzilla.redhat.com/show_bug.cgi?id=647416

Red Hat's assessment indicates that it might even be possible to exploit this remotely over an InfiniBand network ("Access Vector: Adjacent"). Presumably, however, for this to be exploitable *over the network* the victim host would have to listen on an RDS socket, which should be very rare. Locally, it is probably exploitable on any machine.

Note that the kernel update fixing CVE-2010-3904 does *not* fix CVE-2010-3865.

The EGI CSIRT considers this to be an IMPORTANT vulnerability.

Details
=======

As reported by Thomas Pollet, the rdma page counting can overflow. The rdma sizes arrive as 64-bit unsigned entities, are then limited to UINT_MAX bytes and shifted down to pages (with a possible "+1" for an unaligned address). So each individual page count fits comfortably in an 'unsigned int' (not even close to overflowing into signed), but as they are added up they might end up resulting in a signed return value, which would be wrong.

The fix is to catch the case of tot_pages turning negative and return the appropriate error code.
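To make the Details section concrete, here is an added C model of the accounting it describes. It is not kernel source and not code from the advisory: it assumes 4 KiB pages, clamps each vector length to UINT_MAX as the text says, keeps the running total in an int, and shows the flawed summation beside the checked one. The names pages_in_vec, total_pages_unchecked, total_pages_checked, make_max_vec and struct rdma_vec are this example's own; only tot_pages and UINT_MAX come from the advisory text.

```c
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model (not kernel source) of the page accounting the advisory
 * describes. 4 KiB pages are assumed. */
#define PAGE_SHIFT 12

/* One RDMA vector as user space supplies it: 64-bit address and length. */
struct rdma_vec {
    uint64_t addr;
    uint64_t bytes;
};

/* Pages touched by one vector. The length is clamped to UINT_MAX bytes,
 * so a single count is at most (UINT_MAX >> PAGE_SHIFT) + 1 = 2^20,
 * comfortably inside an unsigned int. An unaligned start address can
 * add one extra page (the "+1" the advisory mentions). */
static unsigned int pages_in_vec(const struct rdma_vec *v)
{
    uint64_t bytes = v->bytes > UINT_MAX ? UINT_MAX : v->bytes;
    uint64_t first, last;

    if (bytes == 0 || v->addr + bytes < v->addr)   /* empty, or wraps 2^64 */
        return 0;
    first = v->addr >> PAGE_SHIFT;
    last  = (v->addr + bytes - 1) >> PAGE_SHIFT;
    return (unsigned int)(last - first + 1);
}

/* The flawed accounting: every per-vector count is small, but the running
 * total lives in an int, so with enough vectors it passes INT_MAX and comes
 * back negative. A caller that sizes a buffer from this value gets a wildly
 * wrong allocation. */
static int total_pages_unchecked(const struct rdma_vec *vecs, unsigned int nr)
{
    int tot_pages = 0;
    unsigned int i;

    for (i = 0; i < nr; i++)
        tot_pages += pages_in_vec(&vecs[i]);  /* wraps modulo 2^32 on gcc/clang */
    return tot_pages;
}

/* The fix the advisory describes: test tot_pages after every addition.
 * Because one vector adds at most 2^20 pages, the total cannot jump over
 * the negative range, so "tot_pages < 0" catches every overflow. */
static int total_pages_checked(const struct rdma_vec *vecs, unsigned int nr,
                               int *tot_out)
{
    int tot_pages = 0;
    unsigned int i;

    for (i = 0; i < nr; i++) {
        tot_pages += pages_in_vec(&vecs[i]);
        if (tot_pages < 0)
            return -EINVAL;   /* reject the request instead of mis-sizing */
    }
    *tot_out = tot_pages;
    return 0;
}

/* Constructed worst-case vector: page aligned and UINT_MAX bytes long. */
static struct rdma_vec make_max_vec(void)
{
    struct rdma_vec v = { 0x10000000ULL, UINT_MAX };
    return v;
}

int main(void)
{
    static struct rdma_vec vecs[2048];
    unsigned int i;
    int tot = 0;

    for (i = 0; i < 2048; i++)
        vecs[i] = make_max_vec();

    printf("pages per vector: %u\n", pages_in_vec(&vecs[0]));
    printf("unchecked total for 2048 vectors: %d\n",
           total_pages_unchecked(vecs, 2048));
    if (total_pages_checked(vecs, 2048, &tot) == -EINVAL)
        printf("checked total: request rejected with -EINVAL\n");
    return 0;
}
```

With 2048 maximal vectors of 2^20 pages each the signed total reaches exactly 2^31: the unchecked version returns it as a negative number, the checked version rejects the request. The single `< 0` comparison is sufficient for the reason the advisory gives: one vector contributes at most 2^20 pages, so the sum cannot step from below INT_MAX past 2^32 without first landing in the negative range.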
Mitigation
==========

Most systems do not use RDS and can simply block the vulnerability by blacklisting the RDS module (after unloading it if it is present), for instance by running this script:

------------------
#!/bin/sh
# Unload the module
if lsmod | grep -q '^rds '; then
    echo "RDS was loaded"
fi
rmmod rds 2>/dev/null
if lsmod | grep -q '^rds '; then
    echo "FAILED to unload RDS"
fi
# Blacklist the module: the second line appends, so it does not
# overwrite the install line written by the first
echo "install rds /bin/true" > /etc/modprobe.d/disable-rds
echo "alias net-pf-28 off" >> /etc/modprobe.d/disable-rds
------------------

This takes effect immediately and does not require a reboot. The blacklisting persists across reboots.

Please note that some clusters with InfiniBand may actually use RDS. In these cases, the only solution is to deploy a patched kernel.

Recommendations
===============

Immediately apply the mitigation described above to all user-accessible systems. Apply vendor kernel updates when they become available.

Since the rds module appears to have further problems, it is safer to keep it blacklisted if it is not needed at your site.

References
==========

https://bugzilla.redhat.com/show_bug.cgi?id=647416
https://www.redhat.com/security/data/cve/CVE-2010-3865.html

For discussions on the details of the bug resulting in a buffer overflow:
http://www.spinics.net/lists/netdev/msg145359.html
http://www.spinics.net/lists/netdev/msg145397.html