> Subject: Re: [PATCH v1 1/2] RDMA/i40iw: Address an mmap handler exploit in
> i40iw
>
> On Tue, Nov 24, 2020 at 05:51:02PM -0600, Shiraz Saleem wrote:
> > i40iw_mmap manipulates the vma->vm_pgoff to differentiate a push page
> > mmap vs a doorbell mmap, and uses it to compute the pfn in
> > remap_pfn_range without any validation. This is vulnerable to an mmap
> > exploit as described in [1].
> >
> > Push feature is disabled in the driver currently and therefore no push
> > mmaps are issued from user-space. The feature does not work as
> > expected in the x722 product.
> >
> > Remove the push module parameter and all VMA attribute manipulations
> > for this feature in i40iw_mmap. Update i40iw_mmap to only allow DB
> > user mmappings at offset = 0. Check vm_pgoff for zero and if the mmaps
> > are bound to a single page.
> >
> > [1]
> > https://lore.kernel.org/linux-rdma/20201119093523.7588-1-zhudi21@huawei.com/raw
> >
> > Fixes: d37498417947 ("i40iw: add files for iwarp interface")
> > Cc: stable@xxxxxxxxxx
> > Reported-by: Di Zhu <zhudi21@xxxxxxxxxx>
> > Signed-off-by: Shiraz Saleem <shiraz.saleem@xxxxxxxxx>
> >  drivers/infiniband/hw/i40iw/i40iw_main.c  |  4 ---
> >  drivers/infiniband/hw/i40iw/i40iw_verbs.c | 37 +++++-----------------------
> >  2 files changed, 7 insertions(+), 34 deletions(-)
>
> Please compile your patches:
>
> drivers/infiniband/hw/i40iw/i40iw_main.c: In function ‘i40iw_setup_init_state’:
> drivers/infiniband/hw/i40iw/i40iw_main.c:1579:21: error: ‘push_mode’ undeclared (first use in this function); did you mean ‘user_mode’?
>  1579 |  iwdev->push_mode = push_mode;
>       |                     ^~~~~~~~~
>       |                     user_mode
> drivers/infiniband/hw/i40iw/i40iw_main.c:1579:21: note: each undeclared identifier is reported only once for each function it appears in
>

Sorry! Goofed up. Had only compiled the series. Sent v2.
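
A user-space model of the validation the quoted commit message describes (offset must be zero, mapping must be exactly one page), added here as an illustration; it is not code from the patch or from the i40iw driver. `struct vma_model`, `DB_PFN` and both function names are hypothetical, and the sample requests are constructed.

```c
#include <errno.h>
#include <stdio.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1UL << PAGE_SHIFT)
#define DB_PFN     0xfe000UL /* hypothetical doorbell page frame number */

/* Constructed stand-in for the vm_area_struct fields an mmap handler reads. */
struct vma_model {
    unsigned long vm_start;
    unsigned long vm_end;
    unsigned long vm_pgoff; /* mmap offset in pages, chosen by the caller */
};

/* Unvalidated pattern: the pfn follows whatever offset user space passed. */
static unsigned long pfn_unchecked(const struct vma_model *vma)
{
    return DB_PFN + vma->vm_pgoff;
}

/* Validated pattern: accept only offset 0 and a single-page mapping. */
static int pfn_checked(const struct vma_model *vma, unsigned long *pfn)
{
    if (vma->vm_pgoff || vma->vm_end - vma->vm_start != PAGE_SIZE)
        return -EINVAL;
    *pfn = DB_PFN;
    return 0;
}

int main(void)
{
    /* Constructed requests: valid, non-zero offset, two-page length. */
    const struct vma_model reqs[] = {
        { 0x10000000UL, 0x10000000UL + PAGE_SIZE,     0    },
        { 0x10000000UL, 0x10000000UL + PAGE_SIZE,     0x10 },
        { 0x10000000UL, 0x10000000UL + 2 * PAGE_SIZE, 0    },
    };
    for (unsigned i = 0; i < sizeof(reqs) / sizeof(reqs[0]); i++) {
        unsigned long pfn = 0;
        int rc = pfn_checked(&reqs[i], &pfn);
        printf("req %u: unchecked pfn=0x%lx checked rc=%d pfn=0x%lx\n",
               i, pfn_unchecked(&reqs[i]), rc, pfn);
    }
    return 0;
}
```
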