mirror of
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
synced 2025-09-04 20:19:47 +08:00
i40iw_mmap manipulates the vma->vm_pgoff to differentiate a push page mmap
vs a doorbell mmap, and uses it to compute the pfn in remap_pfn_range
without any validation. This is vulnerable to an mmap exploit as described
in: https://lore.kernel.org/r/20201119093523.7588-1-zhudi21@huawei.com

The push feature is disabled in the driver currently and therefore no push
mmaps are issued from user-space. The feature does not work as expected in
the x722 product.

Remove the push module parameter and all VMA attribute manipulations for
this feature in i40iw_mmap. Update i40iw_mmap to only allow DB user
mmappings at offset = 0. Check vm_pgoff for zero and if the mmaps are bound
to a single page.

Cc: <stable@kernel.org>
Fixes:

| | | |
|---|---|---|
| .. | ||
| i40iw_cm.c | ||
| i40iw_cm.h | ||
| i40iw_ctrl.c | ||
| i40iw_d.h | ||
| i40iw_hmc.c | ||
| i40iw_hmc.h | ||
| i40iw_hw.c | ||
| i40iw_main.c | ||
| i40iw_osdep.h | ||
| i40iw_p.h | ||
| i40iw_pble.c | ||
| i40iw_pble.h | ||
| i40iw_puda.c | ||
| i40iw_puda.h | ||
| i40iw_register.h | ||
| i40iw_status.h | ||
| i40iw_type.h | ||
| i40iw_uk.c | ||
| i40iw_user.h | ||
| i40iw_utils.c | ||
| i40iw_verbs.c | ||
| i40iw_verbs.h | ||
| i40iw_vf.c | ||
| i40iw_vf.h | ||
| i40iw_virtchnl.c | ||
| i40iw_virtchnl.h | ||
| i40iw.h | ||
| Kconfig | ||
| Makefile | ||