RDMA/i40iw: Address an mmap handler exploit in i40iw - kernel/linux.git

diff options

author	Shiraz Saleem <shiraz.saleem@intel.com>	2020-11-25 03:56:16 +0300
committer	Jason Gunthorpe <jgg@nvidia.com>	2020-11-25 17:38:11 +0300
commit	2ed381439e89fa6d1a0839ef45ccd45d99d8e915 (patch)
tree	78a625fdde5271e1e798458ea9fda9b4eca96fd4 /tools/perf/scripts/python/export-to-sqlite.py
parent	6830ff853a5764c75e56750d59d0bbb6b26f1835 (diff)
download	linux-2ed381439e89fa6d1a0839ef45ccd45d99d8e915.tar.xz

RDMA/i40iw: Address an mmap handler exploit in i40iw

i40iw_mmap manipulates the vma->vm_pgoff to differentiate a push page mmap vs a doorbell mmap, and uses it to compute the pfn in remap_pfn_range without any validation. This is vulnerable to an mmap exploit as described in: https://lore.kernel.org/r/20201119093523.7588-1-zhudi21@huawei.com The push feature is disabled in the driver currently and therefore no push mmaps are issued from user-space. The feature does not work as expected in the x722 product. Remove the push module parameter and all VMA attribute manipulations for this feature in i40iw_mmap. Update i40iw_mmap to only allow DB user mmapings at offset = 0. Check vm_pgoff for zero and if the mmaps are bound to a single page. Cc: <stable@kernel.org> Fixes: d37498417947 ("i40iw: add files for iwarp interface") Link: https://lore.kernel.org/r/20201125005616.1800-2-shiraz.saleem@intel.com Reported-by: Di Zhu <zhudi21@huawei.com> Signed-off-by: Shiraz Saleem <shiraz.saleem@intel.com> Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>

Diffstat (limited to 'tools/perf/scripts/python/export-to-sqlite.py')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: