    RDMA/nes: Don't allow userspace QPs to use STag zero · c12e56ef
    Faisal Latif authored
    STag zero is a special STag that allows consumers to access any bus
    address without registering memory.  The nes driver unfortunately
    allows STag zero to be used even with QPs created by unprivileged
    userspace consumers, which means that any process with direct verbs
    access to the nes device can read and write any memory accessible to
    the underlying PCI device (usually any memory in the system).  Such
    access is usually given for cluster software such as MPI to use, so
    this is a local privilege escalation bug on most systems running this
    driver.
    
    The driver was using STag zero to receive the last streaming mode
    data; to allow STag zero to be disabled for unprivileged QPs, the
    driver now registers a special MR for this data.
    
    Cc: <stable@kernel.org>
    Signed-off-by: Faisal Latif <faisal.latif@intel.com>
    Signed-off-by: Roland Dreier <rolandd@cisco.com>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
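
A simplified model of the access rule the commit message describes, added here as an example; it is not code from the nes driver or from this commit. All struct and function names, the sample STag and the addresses are hypothetical, and the model does not show where the device itself enforces the rule.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model, not nes driver code: every name here is hypothetical. */
enum sge_status { SGE_OK, SGE_STAG_ZERO_DENIED, SGE_NO_SUCH_MR, SGE_OUT_OF_BOUNDS };

struct mr  { uint32_t stag; uint64_t base; uint64_t len; };  /* a registered region */
struct qp  { bool privileged; const struct mr *mrs; size_t n_mrs; };
struct sge { uint32_t stag; uint64_t addr; uint32_t len; };  /* one scatter/gather entry */

/* Decide whether a QP may use this STag/address/length triple. */
enum sge_status check_sge(const struct qp *qp, const struct sge *sge)
{
    if (sge->stag == 0) {
        /* STag zero skips registration and names bus addresses directly,
         * so only privileged (kernel-owned) QPs may use it. */
        return qp->privileged ? SGE_OK : SGE_STAG_ZERO_DENIED;
    }
    for (size_t i = 0; i < qp->n_mrs; i++) {
        const struct mr *mr = &qp->mrs[i];
        if (mr->stag != sge->stag)
            continue;
        /* Overflow-safe bounds check: [addr, addr+len) must lie inside the MR. */
        if (sge->addr < mr->base || sge->len > mr->len ||
            sge->addr - mr->base > mr->len - sge->len)
            return SGE_OUT_OF_BOUNDS;
        return SGE_OK;
    }
    return SGE_NO_SUCH_MR;
}

/* Constructed sample data: one MR standing in for the special MR that the
 * commit message says now receives the last streaming mode data. */
static const struct mr sample_mrs[] = { { 0x1100, 0x10000, 0x1000 } };

enum sge_status demo(bool privileged, uint32_t stag, uint64_t addr, uint32_t len)
{
    struct qp qp = { privileged, sample_mrs, 1 };
    struct sge sge = { stag, addr, len };
    return check_sge(&qp, &sge);
}

int main(void)
{
    printf("user QP, STag 0:       %d\n", demo(false, 0, 0xdead0000u, 64));
    printf("kernel QP, STag 0:     %d\n", demo(true, 0, 0xdead0000u, 64));
    printf("user QP, registered MR: %d\n", demo(false, 0x1100, 0x10000, 0x1000));
    return 0;
}
```
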
nes_verbs.c 116 KB