git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Shiraz Saleem <shiraz.saleem@intel.com>
	Wed, 25 Nov 2020 00:56:16 +0000 (18:56 -0600)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Tue, 8 Dec 2020 09:18:55 +0000 (10:18 +0100)
commit	21117ff3f740fd651b85a26dc31579258edf3b7b
tree	e2dd4d3e2fcc6f6b8da7b0297322c6bf838a2cdd	tree
parent	2130fb76895e7fd283a30ceeb288869c817e4e77	commit \| diff

RDMA/i40iw: Address an mmap handler exploit in i40iw

commit 2ed381439e89fa6d1a0839ef45ccd45d99d8e915 upstream.

i40iw_mmap manipulates the vma->vm_pgoff to differentiate a push page mmap
vs a doorbell mmap, and uses it to compute the pfn in remap_pfn_range
without any validation. This is vulnerable to an mmap exploit as described
in: https://lore.kernel.org/r/20201119093523.7588-1-zhudi21@huawei.com

The push feature is disabled in the driver currently and therefore no push
mmaps are issued from user-space. The feature does not work as expected in
the x722 product.

Remove the push module parameter and all VMA attribute manipulations for
this feature in i40iw_mmap. Update i40iw_mmap to only allow DB user
mmapings at offset = 0. Check vm_pgoff for zero and if the mmaps are bound
to a single page.

Cc: <stable@kernel.org>
Fixes: d37498417947 ("i40iw: add files for iwarp interface")
Link: https://lore.kernel.org/r/20201125005616.1800-2-shiraz.saleem@intel.com
Reported-by: Di Zhu <zhudi21@huawei.com>
Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

drivers/infiniband/hw/i40iw/i40iw_main.c		diff \| blob \| blame \| history
drivers/infiniband/hw/i40iw/i40iw_verbs.c		diff \| blob \| blame \| history