CVE-2024-35957

En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: iommu/vt-d: corrige WARN_ON en la ruta de sondeo de iommu. La confirmación 1a75cc710b95 ("iommu/vt-d: usa rbtree para rastrear los dispositivos sondeados por iommu") agrega todos los dispositivos sondeados por iommu. controlador en un rbtree indexado por el ID de origen de cada dispositivo. Se supone que cada dispositivo tiene una identificación de fuente única. Esta suposición es incorrecta y la especificación VT-d tampoco establece este requisito. La razón para usar un rbtree para rastrear dispositivos es buscar el dispositivo con bus PCI y devfunc en las rutas de manejo del error de tiempo de espera de invalidación de ATS y las fallas de la página PRI I/O. Ambos están relacionados con la función PCI ATS. Realice un seguimiento únicamente de los dispositivos que tengan capacidades PCI ATS en el rbtree para evitar WARN_ON innecesario en la ruta de la sonda iommu. De lo contrario, en algunas plataformas inferiores al kernel se mostrará el símbolo y la sonda iommu dará como resultado un error. ADVERTENCIA: CPU: 3 PID: 166 en drivers/iommu/intel/iommu.c:158 intel_iommu_probe_device+0x319/0xd90 Seguimiento de llamadas: ? __warn+0x7e/0x180 ? intel_iommu_probe_device+0x319/0xd90? report_bug+0x1f8/0x200? handle_bug+0x3c/0x70? exc_invalid_op+0x18/0x70? asm_exc_invalid_op+0x1a/0x20? intel_iommu_probe_device+0x319/0xd90? debug_mutex_init+0x37/0x50 __iommu_probe_device+0xf2/0x4f0 iommu_probe_device+0x22/0x70 iommu_bus_notifier+0x1e/0x40 notifier_call_chain+0x46/0x150 blocking_notifier_call_chain+0x42/0x60 bus_notify+0 x2f/0x50 device_add+0x5ed/0x7e0 platform_device_add+0xf5/0x240 mfd_add_devices+0x3f9/0x500 ? preempt_count_add+0x4c/0xa0? up_write+0xa2/0x1b0? __debugfs_create_file+0xe3/0x150 intel_lpss_probe+0x49f/0x5b0? pci_conf1_write+0xa3/0xf0 intel_lpss_pci_probe+0xcf/0x110 [intel_lpss_pci] pci_device_probe+0x95/0x120 really_probe+0xd9/0x370? __pfx___driver_attach+0x10/0x10 __driver_probe_device+0x73/0x150 driver_probe_device+0x19/0xa0 __driver_attach+0xb6/0x180 ? __pfx___driver_attach+0x10/0x10 bus_for_each_dev+0x77/0xd0 bus_add_driver+0x114/0x210 driver_register+0x5b/0x110 ? __pfx_intel_lpss_pci_driver_init+0x10/0x10 [intel_lpss_pci] do_one_initcall+0x57/0x2b0? kmalloc_trace+0x21e/0x280? do_init_module+0x1e/0x210 do_init_module+0x5f/0x210 load_module+0x1d37/0x1fc0 ? init_module_from_file+0x86/0xd0 init_module_from_file+0x86/0xd0 idempotent_init_module+0x17c/0x230 __x64_sys_finit_module+0x56/0xb0 do_syscall_64+0x6e/0x140 Entry_SYSCALL_64_after_hwframe+0x71 /0x79

CVE-2024-35957 is a vulnerability in the Linux kernel's Intel Virtualization Technology for Directed I/O (VT-d) subsystem. The issue stems from an incorrect assumption that each device has a unique source ID, leading to potential conflicts and system warnings during the IOMMU probe process. This flaw has been addressed by modifying the tracking mechanism to include only devices with PCI Address Translation Services (ATS) capabilities, thereby preventing unnecessary warnings and ensuring system stability. Users are advised to update their Linux kernel to a version that includes this fix to maintain optimal system performance.

In the Linux kernel, the following vulnerability has been resolved: iommu/vt-d: Fix WARN_ON in iommu probe path Commit 1a75cc710b95 ("iommu/vt-d: Use rbtree to track iommu probed devices") adds all devices probed by the iommu driver in a rbtree indexed by the source ID of each device. It assumes that each device has a unique source ID. This assumption is incorrect and the VT-d spec doesn't state this requirement either. The reason for using a rbtree to track devices is to look up the device with PCI bus and devfunc in the paths of handling ATS invalidation time out error and the PRI I/O page faults. Both are PCI ATS feature related. Only track the devices that have PCI ATS capabilities in the rbtree to avoid unnecessary WARN_ON in the iommu probe path. Otherwise, on some platforms below kernel splat will be displayed and the iommu probe results in failure. WARNING: CPU: 3 PID: 166 at drivers/iommu/intel/iommu.c:158 intel_iommu_probe_device+0x319/0xd90 Call Trace: <TASK> ? __warn+0x7e/0x180 ? intel_iommu_probe_device+0x319/0xd90 ? report_bug+0x1f8/0x200 ? handle_bug+0x3c/0x70 ? exc_invalid_op+0x18/0x70 ? asm_exc_invalid_op+0x1a/0x20 ? intel_iommu_probe_device+0x319/0xd90 ? debug_mutex_init+0x37/0x50 __iommu_probe_device+0xf2/0x4f0 iommu_probe_device+0x22/0x70 iommu_bus_notifier+0x1e/0x40 notifier_call_chain+0x46/0x150 blocking_notifier_call_chain+0x42/0x60 bus_notify+0x2f/0x50 device_add+0x5ed/0x7e0 platform_device_add+0xf5/0x240 mfd_add_devices+0x3f9/0x500 ? preempt_count_add+0x4c/0xa0 ? up_write+0xa2/0x1b0 ? __debugfs_create_file+0xe3/0x150 intel_lpss_probe+0x49f/0x5b0 ? pci_conf1_write+0xa3/0xf0 intel_lpss_pci_probe+0xcf/0x110 [intel_lpss_pci] pci_device_probe+0x95/0x120 really_probe+0xd9/0x370 ? __pfx___driver_attach+0x10/0x10 __driver_probe_device+0x73/0x150 driver_probe_device+0x19/0xa0 __driver_attach+0xb6/0x180 ? __pfx___driver_attach+0x10/0x10 bus_for_each_dev+0x77/0xd0 bus_add_driver+0x114/0x210 driver_register+0x5b/0x110 ? __pfx_intel_lpss_pci_driver_init+0x10/0x10 [intel_lpss_pci] do_one_initcall+0x57/0x2b0 ? kmalloc_trace+0x21e/0x280 ? do_init_module+0x1e/0x210 do_init_module+0x5f/0x210 load_module+0x1d37/0x1fc0 ? init_module_from_file+0x86/0xd0 init_module_from_file+0x86/0xd0 idempotent_init_module+0x17c/0x230 __x64_sys_finit_module+0x56/0xb0 do_syscall_64+0x6e/0x140 entry_SYSCALL_64_after_hwframe+0x71/0x79