git.baikalelectronics.ru Git - kernel.git/commit

author	Shiraz Saleem <shiraz.saleem@intel.com>
	Wed, 25 Nov 2020 00:56:16 +0000 (18:56 -0600)
committer	Jason Gunthorpe <jgg@nvidia.com>
	Wed, 25 Nov 2020 14:38:11 +0000 (10:38 -0400)
commit	4d03dd185352ce04c558596172a2f052957b09ac
tree	78a625fdde5271e1e798458ea9fda9b4eca96fd4	tree \| snapshot
parent	3f4f51f2923f921d8625c2070196790cd345613d	commit \| diff

RDMA/i40iw: Address an mmap handler exploit in i40iw

i40iw_mmap manipulates the vma->vm_pgoff to differentiate a push page mmap
vs a doorbell mmap, and uses it to compute the pfn in remap_pfn_range
without any validation. This is vulnerable to an mmap exploit as described
in: https://lore.kernel.org/r/20201119093523.7588-1-zhudi21@huawei.com

The push feature is disabled in the driver currently and therefore no push
mmaps are issued from user-space. The feature does not work as expected in
the x722 product.

Remove the push module parameter and all VMA attribute manipulations for
this feature in i40iw_mmap. Update i40iw_mmap to only allow DB user
mmapings at offset = 0. Check vm_pgoff for zero and if the mmaps are bound
to a single page.

Cc: <stable@kernel.org>
Fixes: d1d17ea4bcb8 ("i40iw: add files for iwarp interface")
Link: https://lore.kernel.org/r/20201125005616.1800-2-shiraz.saleem@intel.com
Reported-by: Di Zhu <zhudi21@huawei.com>
Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>

drivers/infiniband/hw/i40iw/i40iw_main.c		diff \| blob \| history
drivers/infiniband/hw/i40iw/i40iw_verbs.c		diff \| blob \| history