[v2,0/2] Fix an mmap exploit and remove push in i40iw

Message ID	20201125005616.1800-1-shiraz.saleem@intel.com (mailing list archive)
Headers	show Return-Path: <linux-rdma-owner@kernel.org> IronPort-SDR: wxiGyuqLOqPyARXNf3+qQo+3zY8JE7Aq/Pv/tATSw4M1yD/NFzYREoTamh355KbIP3GMvRlXfd /6I963nkojkA== IronPort-SDR: juY/dWv04mAhHsn5FMykg5mxxJ2lgDYnrpEtz1T7jRDxtZIj8ldn0ofMLvR456bu9XhwC9XMPM U2r1PvQIzMzw== From: Shiraz Saleem <shiraz.saleem@intel.com> To: dledford@redhat.com, jgg@nvidia.com Cc: linux-rdma@vger.kernel.org, stable@kernel.org, Shiraz Saleem <shiraz.saleem@intel.com> Subject: [PATCH v2 0/2] Fix an mmap exploit and remove push in i40iw Date: Tue, 24 Nov 2020 18:56:14 -0600 Message-Id: <20201125005616.1800-1-shiraz.saleem@intel.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	Fix an mmap exploit and remove push in i40iw \| expand [v2,0/2] Fix an mmap exploit and remove push in i40iw [v2,1/2] RDMA/i40iw: Address an mmap handler exploit in i40iw [v2,2/2] RDMA/i40iw: Remove push code from i40iw

Message ID

20201125005616.1800-1-shiraz.saleem@intel.com (mailing list archive)

Headers

IronPort-SDR: 
 wxiGyuqLOqPyARXNf3+qQo+3zY8JE7Aq/Pv/tATSw4M1yD/NFzYREoTamh355KbIP3GMvRlXfd
 /6I963nkojkA==
IronPort-SDR: 
 juY/dWv04mAhHsn5FMykg5mxxJ2lgDYnrpEtz1T7jRDxtZIj8ldn0ofMLvR456bu9XhwC9XMPM
 U2r1PvQIzMzw==
From: Shiraz Saleem <shiraz.saleem@intel.com>
To: dledford@redhat.com, jgg@nvidia.com
Cc: linux-rdma@vger.kernel.org, stable@kernel.org,
        Shiraz Saleem <shiraz.saleem@intel.com>
Subject: [PATCH v2 0/2] Fix an mmap exploit and remove push in i40iw
Date: Tue, 24 Nov 2020 18:56:14 -0600
Message-Id: <20201125005616.1800-1-shiraz.saleem@intel.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

Fix an mmap exploit and remove push in i40iw | expand

Message

Shiraz Saleem Nov. 25, 2020, 12:56 a.m. UTC

i40iw_mmap is vulnerable to an mmap exploit due to its manipulation on
vma->vm_pgoff done for the push feature, and its subsequent use in
remap_pfn_range without validation.

Patch #1 fixes the mmap exploit in i40iw_mmap and can be backported to stable if acceptable.

Patch #2 removes the push feature from the driver

v0-->v1:
* Add missing cc and reported by tags in Patch #1
v1-->v2:
* Fix compile issue in Patch #1

Shiraz Saleem (2):
  RDMA/i40iw: Address an mmap handler exploit in i40iw
  RDMA/i40iw: Remove push code from i40iw

 drivers/infiniband/hw/i40iw/i40iw.h        |    1 -
 drivers/infiniband/hw/i40iw/i40iw_ctrl.c   |   52 +------------
 drivers/infiniband/hw/i40iw/i40iw_d.h      |   35 +++-----
 drivers/infiniband/hw/i40iw/i40iw_main.c   |    5 -
 drivers/infiniband/hw/i40iw/i40iw_status.h |    1 -
 drivers/infiniband/hw/i40iw/i40iw_type.h   |   18 ----
 drivers/infiniband/hw/i40iw/i40iw_uk.c     |   41 +--------
 drivers/infiniband/hw/i40iw/i40iw_user.h   |    8 --
 drivers/infiniband/hw/i40iw/i40iw_verbs.c  |  123 ++--------------------------
 9 files changed, 25 insertions(+), 259 deletions(-)