CVE-2023-52455
iommu: Don't reserve 0-length IOVA region
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In the Linux kernel, the following vulnerability has been resolved:
iommu: Don't reserve 0-length IOVA region
When the bootloader/firmware doesn't setup the framebuffers, their
address and size are 0 in "iommu-addresses" property. If IOVA region is
reserved with 0 length, then it ends up corrupting the IOVA rbtree with
an entry which has pfn_hi < pfn_lo.
If we intend to use display driver in kernel without framebuffer then
it's causing the display IOMMU mappings to fail as entire valid IOVA
space is reserved when address and length are passed as 0.
An ideal solution would be firmware removing the "iommu-addresses"
property and corresponding "memory-region" if display is not present.
But the kernel should be able to handle this by checking for size of
IOVA region and skipping the IOVA reservation if size is 0. Also, add
a warning if firmware is requesting 0-length IOVA region reservation.
En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: iommu: no reservar región IOVA de longitud 0 Cuando el gestor de arranque/firmware no configura los framebuffers, su dirección y tamaño son 0 en la propiedad "iommu-addresses". Si la región IOVA está reservada con una longitud de 0, termina corrompiendo el rbtree de IOVA con una entrada que tiene pfn_hi < pfn_lo. Si pretendemos utilizar el controlador de pantalla en el kernel sin framebuffer, entonces las asignaciones IOMMU de pantalla fallarán ya que se reserva todo el espacio IOVA válido cuando la dirección y la longitud se pasan como 0. Una solución ideal sería que el firmware elimine la propiedad "iommu-addresses". y la "región de memoria" correspondiente si la pantalla no está presente. Pero el kernel debería poder manejar esto verificando el tamaño de la región IOVA y omitiendo la reserva de IOVA si el tamaño es 0. Además, agregue una advertencia si el firmware solicita una reserva de región IOVA de longitud 0.
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-02-20 CVE Reserved
- 2024-02-23 CVE Published
- 2024-05-01 EPSS Updated
- 2024-09-11 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
CAPEC
References (4)
URL | Tag | Source |
---|---|---|
https://git.kernel.org/stable/c/a5bf3cfce8cb77d9d24613ab52d520896f83dd48 | Vuln. Introduced |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 6.3 < 6.6.14 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.3 < 6.6.14" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 6.3 < 6.7.2 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.3 < 6.7.2" | en |
Affected
| ||||||
Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 6.3 < 6.8 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.3 < 6.8" | en |
Affected
|