On Tue, Nov 24, 2020 at 05:51:02PM -0600, Shiraz Saleem wrote: > i40iw_mmap manipulates the vma->vm_pgoff to differentiate a push page > mmap vs a doorbell mmap, and uses it to compute the pfn in remap_pfn_range > without any validation. This is vulnerable to an mmap exploit as > described in [1]. > > Push feature is disabled in the driver currently and therefore no push > mmaps are issued from user-space. The feature does not work as expected > in the x722 product. > > Remove the push module parameter and all VMA attribute manipulations > for this feature in i40iw_mmap. Update i40iw_mmap to only allow DB > user mmapings at offset = 0. Check vm_pgoff for zero and if the mmaps > are bound to a single page. > > [1] https://lore.kernel.org/linux-rdma/20201119093523.7588-1-zhudi21@xxxxxxxxxx/raw > > Fixes: d37498417947 ("i40iw: add files for iwarp interface") > Cc: stable@xxxxxxxxxx > Reported-by: Di Zhu <zhudi21@xxxxxxxxxx> > Signed-off-by: Shiraz Saleem <shiraz.saleem@xxxxxxxxx> > drivers/infiniband/hw/i40iw/i40iw_main.c | 4 --- > drivers/infiniband/hw/i40iw/i40iw_verbs.c | 37 +++++----------------------- > 2 files changed, 7 insertions(+), 34 deletions(-) Please compile your patches: drivers/infiniband/hw/i40iw/i40iw_main.c: In function ‘i40iw_setup_init_state’: drivers/infiniband/hw/i40iw/i40iw_main.c:1579:21: error: ‘push_mode’ undeclared (first use in this function); did you mean ‘user_mode’? 1579 | iwdev->push_mode = push_mode; | ^~~~~~~~~ | user_mode drivers/infiniband/hw/i40iw/i40iw_main.c:1579:21: note: each undeclared identifier is reported only once for each function it appears in Jason
