CVE-2024-27079
iommu/vt-d: Fix NULL domain on device release
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In the Linux kernel, the following vulnerability has been resolved:
iommu/vt-d: Fix NULL domain on device release
In the kdump kernel, the IOMMU operates in deferred_attach mode. In this
mode, info->domain may not yet be assigned by the time the release_device
function is called. It leads to the following crash in the crash kernel:
BUG: kernel NULL pointer dereference, address: 000000000000003c
...
RIP: 0010:do_raw_spin_lock+0xa/0xa0
...
_raw_spin_lock_irqsave+0x1b/0x30
intel_iommu_release_device+0x96/0x170
iommu_deinit_device+0x39/0xf0
__iommu_group_remove_device+0xa0/0xd0
iommu_bus_notifier+0x55/0xb0
notifier_call_chain+0x5a/0xd0
blocking_notifier_call_chain+0x41/0x60
bus_notify+0x34/0x50
device_del+0x269/0x3d0
pci_remove_bus_device+0x77/0x100
p2sb_bar+0xae/0x1d0
...
i801_probe+0x423/0x740
Use the release_domain mechanism to fix it. The scalable mode context
entry which is not part of release domain should be cleared in
release_device().
En el kernel de Linux, se resolvió la siguiente vulnerabilidad: iommu/vt-d: corrige el dominio NULL al lanzar el dispositivo. En el kernel kdump, IOMMU opera en modo deferred_attach. En este modo, es posible que info->dominio aún no esté asignado cuando se llama a la función release_device. Conduce al siguiente bloqueo en el kernel bloqueado: ERROR: desreferencia del puntero NULL del kernel, dirección: 000000000000003c ... RIP: 0010:do_raw_spin_lock+0xa/0xa0 ... _raw_spin_lock_irqsave+0x1b/0x30 intel_iommu_release_device+0x96/0x170 +0x39/ 0xf0 __iommu_group_remove_device+0xa0/0xd0 iommu_bus_notifier+0x55/0xb0 notifier_call_chain+0x5a/0xd0 blocking_notifier_call_chain+0x41/0x60 bus_notify+0x34/0x50 device_del+0x269/0x3d0 vice+0x77/0x100 p2sb_bar+0xae/0x1d0 ... i801_probe+0x423/0x740 Uso el mecanismo release_domain para solucionarlo. La entrada de contexto del modo escalable que no forma parte del dominio de lanzamiento debe borrarse en release_device().
CVSS Scores
SSVC
- Decision:Track
Timeline
- 2024-02-19 CVE Reserved
- 2024-05-01 CVE Published
- 2024-05-02 EPSS Updated
- 2024-11-05 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
CAPEC
References (5)
| URL | Tag | Source |
|---|---|---|
| https://git.kernel.org/stable/c/586081d3f6b13ec9dfdfdf3d7842a688b376fa5e | Vuln. Introduced |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://git.kernel.org/stable/c/333fe86968482ca701c609af590003bcea450e8f | 2024-03-26 | |
| https://git.kernel.org/stable/c/81e921fd321614c2ad8ac333b041aae1da7a1c6d | 2024-03-06 |
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/security/cve/CVE-2024-27079 | 2024-11-12 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2278492 | 2024-11-12 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.18 < 6.8.2 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.18 < 6.8.2" | en |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.18 < 6.9 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.18 < 6.9" | en |
Affected
| ||||||