| author | Shiraz Saleem <shiraz.saleem@intel.com> | 2020-11-24 18:56:16 -0600 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2020-12-08 10:40:28 +0100 |
| commit | 4460a7c979ee969c318ac9f5b764b0c2680f49e9 (patch) | |
| tree | 464e539b565c85aaf82eb33adc856074d0c5264e /scripts/mod | |
| parent | 07434172c58b4b8aa8c3af5fad1ae32df4c6494f (diff) | |
RDMA/i40iw: Address an mmap handler exploit in i40iw

commit 2ed381439e89fa6d1a0839ef45ccd45d99d8e915 upstream.

i40iw_mmap manipulates the vma->vm_pgoff to differentiate a push page mmap
vs a doorbell mmap, and uses it to compute the pfn in remap_pfn_range
without any validation. This is vulnerable to an mmap exploit as described
in: https://lore.kernel.org/r/20201119093523.7588-1-zhudi21@huawei.com

The push feature is disabled in the driver currently and therefore no push
mmaps are issued from user-space. The feature does not work as expected in
the x722 product.

Remove the push module parameter and all VMA attribute manipulations for
this feature in i40iw_mmap. Update i40iw_mmap to only allow DB user
mmappings at offset = 0. Check vm_pgoff for zero and if the mmaps are bound
to a single page.

Cc: <stable@kernel.org>
Fixes: d37498417947 ("i40iw: add files for iwarp interface")
Link: https://lore.kernel.org/r/20201125005616.1800-2-shiraz.saleem@intel.com
Reported-by: Di Zhu <zhudi21@huawei.com>
Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'scripts/mod')
0 files changed, 0 insertions, 0 deletions
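
The validation the commit message describes (vm_pgoff must be zero and the mapping must span exactly one page), modelled in user-space C beside the unvalidated pattern. This is an added example, not the i40iw driver's code: the struct, the BAR layout constants and the function names are constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1UL << PAGE_SHIFT)

/* Hypothetical stand-in for the vm_area_struct fields an mmap handler reads. */
struct vma_model {
    unsigned long vm_start;
    unsigned long vm_end;
    unsigned long vm_pgoff;  /* caller-controlled: mmap() offset >> PAGE_SHIFT */
};

/* Constructed device layout: a 16-page BAR, doorbell page at its base. */
#define BAR_BASE_PFN 0x90000UL
#define BAR_PAGES    16UL

static int pfn_in_bar(unsigned long pfn)
{
    return pfn >= BAR_BASE_PFN && pfn < BAR_BASE_PFN + BAR_PAGES;
}

/* Unvalidated pattern: the pfn handed to remap_pfn_range follows vm_pgoff. */
static unsigned long pfn_unvalidated(const struct vma_model *vma)
{
    return BAR_BASE_PFN + vma->vm_pgoff;
}

/* Validated pattern: only offset 0 and a single-page mapping are accepted. */
static int pfn_validated(const struct vma_model *vma, unsigned long *pfn)
{
    if (vma->vm_pgoff != 0 || vma->vm_end - vma->vm_start != PAGE_SIZE)
        return -EINVAL;
    *pfn = BAR_BASE_PFN;  /* fixed doorbell page, independent of caller input */
    return 0;
}

int main(void)
{
    struct vma_model off = { 0x10000000UL, 0x10000000UL + PAGE_SIZE, 0x1000UL };
    unsigned long pfn = 0;

    printf("unvalidated: pfn=%#lx in_bar=%d\n",
           pfn_unvalidated(&off), pfn_in_bar(pfn_unvalidated(&off)));
    printf("validated:   rc=%d\n", pfn_validated(&off, &pfn));
    return 0;
}
```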
