git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Shiraz Saleem <shiraz.saleem@intel.com>
	Wed, 25 Nov 2020 00:56:16 +0000 (18:56 -0600)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Tue, 8 Dec 2020 09:17:34 +0000 (10:17 +0100)
commit	f4ecb41aa3f154d8020a586a591d49f23e219dcc
tree	b0116bd32d16078b6aea62d9e1ae5f905dddabda	tree \| snapshot
parent	79412fb4ce77002585c3ca058dbf929f6d3879a8	commit \| diff

RDMA/i40iw: Address an mmap handler exploit in i40iw

commit 2ed381439e89fa6d1a0839ef45ccd45d99d8e915 upstream.

i40iw_mmap manipulates the vma->vm_pgoff to differentiate a push page mmap
vs a doorbell mmap, and uses it to compute the pfn in remap_pfn_range
without any validation. This is vulnerable to an mmap exploit as described
in: https://lore.kernel.org/r/20201119093523.7588-1-zhudi21@huawei.com

The push feature is disabled in the driver currently and therefore no push
mmaps are issued from user-space. The feature does not work as expected in
the x722 product.

Remove the push module parameter and all VMA attribute manipulations for
this feature in i40iw_mmap. Update i40iw_mmap to only allow DB user
mmapings at offset = 0. Check vm_pgoff for zero and if the mmaps are bound
to a single page.

Cc: <stable@kernel.org>
Fixes: d37498417947 ("i40iw: add files for iwarp interface")
Link: https://lore.kernel.org/r/20201125005616.1800-2-shiraz.saleem@intel.com
Reported-by: Di Zhu <zhudi21@huawei.com>
Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

drivers/infiniband/hw/i40iw/i40iw_main.c		diff \| blob \| blame \| history
drivers/infiniband/hw/i40iw/i40iw_verbs.c		diff \| blob \| blame \| history