{"vulnerability": "CVE-2024-41070", "sightings": [{"uuid": "362ba028-05e7-456e-86c2-96433ed639dc", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-41070", "type": "seen", "source": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-226-07", "content": "", "creation_timestamp": "2025-08-14T10:00:00.000000Z"}, {"uuid": "5e4fae45-3563-4bbb-922d-eefcc39b4ee0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-41070", "type": "seen", "source": "https://t.me/cvedetector/1869", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-41070 - KVM powerpc PPCHV Use-After-Free\", \n  \"Content\": \"CVE ID : CVE-2024-41070 \nPublished : July 29, 2024, 3:15 p.m. | 35\u00a0minutes ago \nDescription : In the Linux kernel, the following vulnerability has been resolved:  \n  \nKVM: PPC: Book3S HV: Prevent UAF in kvm_spapr_tce_attach_iommu_group()  \n  \nAl reported a possible use-after-free (UAF) in kvm_spapr_tce_attach_iommu_group().  \n  \nIt looks up `stt` from tablefd, but then continues to use it after doing  \nfdput() on the returned fd. After the fdput() the tablefd is free to be  \nclosed by another thread. The close calls kvm_spapr_tce_release() and  \nthen release_spapr_tce_table() (via call_rcu()) which frees `stt`.  \n  \nAlthough there are calls to rcu_read_lock() in  \nkvm_spapr_tce_attach_iommu_group() they are not sufficient to prevent  \nthe UAF, because `stt` is used outside the locked regions.  \n  \nWith an artificial delay after the fdput() and a userspace program which  \ntriggers the race, KASAN detects the UAF:  \n  \n  BUG: KASAN: slab-use-after-free in kvm_spapr_tce_attach_iommu_group+0x298/0x720 [kvm]  \n  Read of size 4 at addr c000200027552c30 by task kvm-vfio/2505  \n  CPU: 54 PID: 2505 Comm: kvm-vfio Not tainted 6.10.0-rc3-next-20240612-dirty #1  \n  Hardware name: 8335-GTH POWER9 0x4e1202 opal:skiboot-v6.5.3-35-g1851b2a06 PowerNV  \n  Call Trace:  \n    dump_stack_lvl+0xb4/0x108 (unreliable)  \n    print_report+0x2b4/0x6ec  \n    kasan_report+0x118/0x2b0  \n    __asan_load4+0xb8/0xd0  \n    kvm_spapr_tce_attach_iommu_group+0x298/0x720 [kvm]  \n    kvm_vfio_set_attr+0x524/0xac0 [kvm]  \n    kvm_device_ioctl+0x144/0x240 [kvm]  \n    sys_ioctl+0x62c/0x1810  \n    system_call_exception+0x190/0x440  \n    system_call_vectored_common+0x15c/0x2ec  \n  ...  \n  Freed by task 0:  \n   ...  \n   kfree+0xec/0x3e0  \n   release_spapr_tce_table+0xd4/0x11c [kvm]  \n   rcu_core+0x568/0x16a0  \n   handle_softirqs+0x23c/0x920  \n   do_softirq_own_stack+0x6c/0x90  \n   do_softirq_own_stack+0x58/0x90  \n   __irq_exit_rcu+0x218/0x2d0  \n   irq_exit+0x30/0x80  \n   arch_local_irq_restore+0x128/0x230  \n   arch_local_irq_enable+0x1c/0x30  \n   cpuidle_enter_state+0x134/0x5cc  \n   cpuidle_enter+0x6c/0xb0  \n   call_cpuidle+0x7c/0x100  \n   do_idle+0x394/0x410  \n   cpu_startup_entry+0x60/0x70  \n   start_secondary+0x3fc/0x410  \n   start_secondary_prolog+0x10/0x14  \n  \nFix it by delaying the fdput() until `stt` is no longer in use, which  \nis effectively the entire function. To keep the patch minimal add a call  \nto fdput() at each of the existing return paths. Future work can convert  \nthe function to goto or __cleanup style cleanup.  \n  \nWith the fix in place the test case no longer triggers the UAF. \nSeverity: 0.0 | NA \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"29 Jul 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-07-29T17:58:14.000000Z"}]}