CVE-2024-26786

iommufd: Fix iopt_access_list_id overwrite bug

Severity Score

"-"

*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved:

iommufd: Fix iopt_access_list_id overwrite bug

Syzkaller reported the following WARN_ON:
WARNING: CPU: 1 PID: 4738 at drivers/iommu/iommufd/io_pagetable.c:1360

Call Trace:
iommufd_access_change_ioas+0x2fe/0x4e0
iommufd_access_destroy_object+0x50/0xb0
iommufd_object_remove+0x2a3/0x490
iommufd_object_destroy_user
iommufd_access_destroy+0x71/0xb0
iommufd_test_staccess_release+0x89/0xd0
__fput+0x272/0xb50
__fput_sync+0x4b/0x60
__do_sys_close
__se_sys_close
__x64_sys_close+0x8b/0x110
do_syscall_x64

The mismatch between the access pointer in the list and the passed-in
pointer is resulting from an overwrite of access->iopt_access_list_id, in
iopt_add_access(). Called from iommufd_access_change_ioas() when
xa_alloc() succeeds but iopt_calculate_iova_alignment() fails.

Add a new_id in iopt_add_access() and only update iopt_access_list_id when
returning successfully.

En el kernel de Linux, se resolvió la siguiente vulnerabilidad: iommufd: corrige el error de sobrescritura de iopt_access_list_id Syzkaller informó lo siguiente WARN_ON: ADVERTENCIA: CPU: 1 PID: 4738 en drivers/iommu/iommufd/io_pagetable.c:1360 Seguimiento de llamadas: iommufd_access_change_ioas+0x2fe /0x4e0 iommufd_access_destroy_object+0x50/0xb0 iommufd_object_remove+0x2a3/0x490 iommufd_object_destroy_user iommufd_access_destroy+0x71/0xb0 iommufd_test_staccess_release+0x89/0xd0 __fput+0x272/0x b50 __fput_sync+0x4b/0x60 __do_sys_close __se_sys_close __x64_sys_close+0x8b/0x110 do_syscall_x64 La falta de coincidencia entre el puntero de acceso en la lista y el puntero pasado resulta de una sobrescritura de acceso->iopt_access_list_id, en iopt_add_access(). Llamado desde iommufd_access_change_ioas() cuando xa_alloc() tiene éxito pero iopt_calculate_iova_alignment() falla. Agregue un new_id en iopt_add_access() y actualice solo iopt_access_list_id cuando regrese exitosamente.

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-02-19 CVE Reserved
2024-04-04 CVE Published
2024-04-05 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (4)

URL	Tag	Source
https://git.kernel.org/stable/c/9227da7816dd1a42e20d41e2244cb63c205477ca	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/f1fb745ee0a6fe43f1d84ec369c7e6af2310fda9	2024-03-06
https://git.kernel.org/stable/c/9526a46cc0c378d381560279bea9aa34c84298a0	2024-03-06
https://git.kernel.org/stable/c/aeb004c0cd6958e910123a1607634401009c9539	2024-02-26

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.6 < 6.6.21 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.6 < 6.6.21"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.6 < 6.7.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.6 < 6.7.9"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.6 < 6.8 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.6 < 6.8"		en		Affected