ghsa-jv67-jxg9-q8v4
Vulnerability from github
Published
2024-04-04 09:30
Modified
2024-04-04 09:30
Details

In the Linux kernel, the following vulnerability has been resolved:

iommufd: Fix iopt_access_list_id overwrite bug

Syzkaller reported the following WARN_ON: WARNING: CPU: 1 PID: 4738 at drivers/iommu/iommufd/io_pagetable.c:1360

Call Trace: iommufd_access_change_ioas+0x2fe/0x4e0 iommufd_access_destroy_object+0x50/0xb0 iommufd_object_remove+0x2a3/0x490 iommufd_object_destroy_user iommufd_access_destroy+0x71/0xb0 iommufd_test_staccess_release+0x89/0xd0 __fput+0x272/0xb50 __fput_sync+0x4b/0x60 __do_sys_close __se_sys_close __x64_sys_close+0x8b/0x110 do_syscall_x64

The mismatch between the access pointer in the list and the passed-in pointer is resulting from an overwrite of access->iopt_access_list_id, in iopt_add_access(). Called from iommufd_access_change_ioas() when xa_alloc() succeeds but iopt_calculate_iova_alignment() fails.

Add a new_id in iopt_add_access() and only update iopt_access_list_id when returning successfully.

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2024-26786"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-04-04T09:15:08Z",
    "severity": null
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\niommufd: Fix iopt_access_list_id overwrite bug\n\nSyzkaller reported the following WARN_ON:\n  WARNING: CPU: 1 PID: 4738 at drivers/iommu/iommufd/io_pagetable.c:1360\n\n  Call Trace:\n   iommufd_access_change_ioas+0x2fe/0x4e0\n   iommufd_access_destroy_object+0x50/0xb0\n   iommufd_object_remove+0x2a3/0x490\n   iommufd_object_destroy_user\n   iommufd_access_destroy+0x71/0xb0\n   iommufd_test_staccess_release+0x89/0xd0\n   __fput+0x272/0xb50\n   __fput_sync+0x4b/0x60\n   __do_sys_close\n   __se_sys_close\n   __x64_sys_close+0x8b/0x110\n   do_syscall_x64\n\nThe mismatch between the access pointer in the list and the passed-in\npointer is resulting from an overwrite of access-\u003eiopt_access_list_id, in\niopt_add_access(). Called from iommufd_access_change_ioas() when\nxa_alloc() succeeds but iopt_calculate_iova_alignment() fails.\n\nAdd a new_id in iopt_add_access() and only update iopt_access_list_id when\nreturning successfully.",
  "id": "GHSA-jv67-jxg9-q8v4",
  "modified": "2024-04-04T09:30:35Z",
  "published": "2024-04-04T09:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26786"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/9526a46cc0c378d381560279bea9aa34c84298a0"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/aeb004c0cd6958e910123a1607634401009c9539"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/f1fb745ee0a6fe43f1d84ec369c7e6af2310fda9"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.