CVE-2023-52455

iommu: Don't reserve 0-length IOVA region

Severity Score

7.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

iommu: Don't reserve 0-length IOVA region

When the bootloader/firmware doesn't setup the framebuffers, their
address and size are 0 in "iommu-addresses" property. If IOVA region is
reserved with 0 length, then it ends up corrupting the IOVA rbtree with
an entry which has pfn_hi < pfn_lo.
If we intend to use display driver in kernel without framebuffer then
it's causing the display IOMMU mappings to fail as entire valid IOVA
space is reserved when address and length are passed as 0.
An ideal solution would be firmware removing the "iommu-addresses"
property and corresponding "memory-region" if display is not present.
But the kernel should be able to handle this by checking for size of
IOVA region and skipping the IOVA reservation if size is 0. Also, add
a warning if firmware is requesting 0-length IOVA region reservation.

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: iommu: no reservar región IOVA de longitud 0 Cuando el gestor de arranque/firmware no configura los framebuffers, su dirección y tamaño son 0 en la propiedad "iommu-addresses". Si la región IOVA está reservada con una longitud de 0, termina corrompiendo el rbtree de IOVA con una entrada que tiene pfn_hi < pfn_lo. Si pretendemos utilizar el controlador de pantalla en el kernel sin framebuffer, entonces las asignaciones IOMMU de pantalla fallarán ya que se reserva todo el espacio IOVA válido cuando la dirección y la longitud se pasan como 0. Una solución ideal sería que el firmware elimine la propiedad "iommu-addresses". y la "región de memoria" correspondiente si la pantalla no está presente. Pero el kernel debería poder manejar esto verificando el tamaño de la región IOVA y omitiendo la reserva de IOVA si el tamaño es 0. Además, agregue una advertencia si el firmware solicita una reserva de región IOVA de longitud 0.

*Credits: N/A

CVSS Scores

NISTv3.1 7.8

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-02-20 CVE Reserved
2024-02-23 CVE Published
2024-05-01 EPSS Updated
2024-09-11 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (4)

URL	Tag	Source
https://git.kernel.org/stable/c/a5bf3cfce8cb77d9d24613ab52d520896f83dd48	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/98b8a550da83cc392a14298c4b3eaaf0332ae6ad	2024-01-25
https://git.kernel.org/stable/c/5e23e283910c9f30248732ae0770bcb0c9438abf	2024-01-25
https://git.kernel.org/stable/c/bb57f6705960bebeb832142ce9abf43220c3eab1	2023-12-19

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.3 < 6.6.14 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.3 < 6.6.14"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.3 < 6.7.2 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.3 < 6.7.2"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.3 < 6.8 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.3 < 6.8"		en		Affected