On Wed, Dec 02, 2020 at 11:20:09AM -0600, Shiraz Saleem wrote:
From: "Saleem, Shiraz" <shiraz.saleem@intel.com>
backport of commit 2ed381439e89fa6d1a0839ef45ccd45d99d8e915 upstream.
i40iw_mmap manipulates the vma->vm_pgoff to differentiate a push page mmap vs a doorbell mmap, and uses it to compute the pfn in remap_pfn_range without any validation. This is vulnerable to an mmap exploit as described in: https://lore.kernel.org/r/20201119093523.7588-1-zhudi21@huawei.com
The push feature is disabled in the driver currently and therefore no push mmaps are issued from user-space. The feature does not work as expected in the x722 product.
Remove the push module parameter and all VMA attribute manipulations for this feature in i40iw_mmap. Update i40iw_mmap to only allow DB user mmappings at offset = 0. Check vm_pgoff for zero and if the mmaps are bound to a single page.
Fixes: d37498417947 ("i40iw: add files for iwarp interface")
Link: https://lore.kernel.org/r/20201125005616.1800-2-shiraz.saleem@intel.com
Reported-by: Di Zhu <zhudi21@huawei.com>
Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com>

drivers/infiniband/hw/i40iw/i40iw_main.c | 5 -----
drivers/infiniband/hw/i40iw/i40iw_verbs.c | 36 ++++++------------------------------
2 files changed, 7 insertions(+), 34 deletions(-)
All backports now queued up, thanks.
greg k-h
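
Added example, not part of this thread and not the i40iw driver's code: a user-space C model of the check the commit message describes, with the unvalidated pfn computation beside the validated one. The struct, function names, page size and all addresses are constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>

#define MODEL_PAGE_SIZE 4096UL  /* assumed page size for this model */

/* Constructed stand-in for the vm_area_struct fields that matter here. */
struct model_vma {
    unsigned long vm_start;
    unsigned long vm_end;
    unsigned long vm_pgoff;  /* derived from the offset passed to mmap(2) */
};

/* Unvalidated pattern: the caller-controlled vm_pgoff feeds the pfn,
 * so the frame that gets mapped is chosen by user space. */
static int model_mmap_unchecked(const struct model_vma *vma,
                                unsigned long db_base_pfn,
                                unsigned long *pfn_out)
{
    *pfn_out = db_base_pfn + vma->vm_pgoff;
    return 0;
}

/* Validated pattern from the commit message: only offset 0 and a
 * single-page mapping are accepted; the pfn never depends on vm_pgoff. */
static int model_mmap_checked(const struct model_vma *vma,
                              unsigned long db_base_pfn,
                              unsigned long *pfn_out)
{
    if (vma->vm_pgoff != 0 ||
        vma->vm_end - vma->vm_start != MODEL_PAGE_SIZE)
        return -EINVAL;
    *pfn_out = db_base_pfn;
    return 0;
}

int main(void)
{
    /* Constructed request: one page, but with a non-zero page offset. */
    struct model_vma req = { 0x10000000UL, 0x10001000UL, 0x1234UL };
    unsigned long pfn = 0;

    model_mmap_unchecked(&req, 0x90000UL, &pfn);
    printf("unchecked: pfn=0x%lx (base + caller offset)\n", pfn);
    printf("checked:   rc=%d\n", model_mmap_checked(&req, 0x90000UL, &pfn));
    return 0;
}
```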