On Tue, Nov 24, 2020 at 06:56:16PM -0600, Shiraz Saleem wrote:
> i40iw_mmap manipulates the vma->vm_pgoff to differentiate a push page
> mmap vs a doorbell mmap, and uses it to compute the pfn in remap_pfn_range
> without any validation. This is vulnerable to an mmap exploit as
> described in [1].
>
> Push feature is disabled in the driver currently and therefore no push
> mmaps are issued from user-space. The feature does not work as expected
> in the x722 product.
>
> Remove the push module parameter and all VMA attribute manipulations
> for this feature in i40iw_mmap. Update i40iw_mmap to only allow DB
> user mmappings at offset = 0. Check vm_pgoff for zero and if the mmaps
> are bound to a single page.
>
> [1] https://lore.kernel.org/linux-rdma/20201119093523.7588-1-zhudi21@xxxxxxxxxx/raw
>
> Fixes: d37498417947 ("i40iw: add files for iwarp interface")
> Cc: stable@xxxxxxxxxx
> Reported-by: Di Zhu <zhudi21@xxxxxxxxxx>
> Signed-off-by: Shiraz Saleem <shiraz.saleem@xxxxxxxxx>
> ---
>  drivers/infiniband/hw/i40iw/i40iw_main.c  |  5 ----
>  drivers/infiniband/hw/i40iw/i40iw_verbs.c | 37 +++++----------------------
>  2 files changed, 7 insertions(+), 35 deletions(-)

Applied to for-rc, thanks

Jason
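
Added example, not part of the original thread and not the i40iw driver's code: a userland C model of the check the commit message describes (reject any non-zero `vm_pgoff`, reject any mapping that is not exactly one page), next to the unvalidated pattern where the caller-supplied offset feeds the pfn. `struct model_vma`, `DB_PFN`, `pfn_unchecked` and `pfn_checked` are hypothetical names, and the addresses and frame number are constructed values.

```c
#include <errno.h>
#include <stdio.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE  (1UL << PAGE_SHIFT)

/* Hypothetical stand-in for the vm_area_struct fields an mmap handler reads. */
struct model_vma {
    unsigned long vm_start;
    unsigned long vm_end;
    unsigned long vm_pgoff;   /* mmap() offset >> PAGE_SHIFT, chosen by the caller */
};

/* Constructed value: page frame number of the single doorbell page. */
#define DB_PFN 0xfe000UL

/* Unvalidated pattern: the caller-chosen offset selects the frame to map. */
static unsigned long pfn_unchecked(const struct model_vma *vma)
{
    return DB_PFN + vma->vm_pgoff;
}

/* Validated pattern: offset must be zero and the mapping must span exactly
 * one page. Returns 0 and sets *pfn on success, -EINVAL otherwise. */
static int pfn_checked(const struct model_vma *vma, unsigned long *pfn)
{
    if (vma->vm_pgoff != 0)
        return -EINVAL;
    if (vma->vm_end - vma->vm_start != PAGE_SIZE)
        return -EINVAL;
    *pfn = DB_PFN;
    return 0;
}

int main(void)
{
    /* Constructed requests: valid doorbell map, non-zero offset, oversized map. */
    struct model_vma cases[] = {
        { 0x10000000UL, 0x10001000UL, 0 },
        { 0x10000000UL, 0x10001000UL, 0x200 },
        { 0x10000000UL, 0x10004000UL, 0 },
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++) {
        unsigned long pfn = 0;
        int rc = pfn_checked(&cases[i], &pfn);
        printf("pgoff=%#lx len=%#lx unchecked_pfn=%#lx checked_rc=%d\n",
               cases[i].vm_pgoff, cases[i].vm_end - cases[i].vm_start,
               pfn_unchecked(&cases[i]), rc);
    }
    return 0;
}
```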