CVE-2024-47748

vhost_vdpa: assign irq bypass producer token correctly

Severity Score

"-"

*CVSS v-

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

MITRE

In the Linux kernel, the following vulnerability has been resolved:

vhost_vdpa: assign irq bypass producer token correctly

We used to call irq_bypass_unregister_producer() in
vhost_vdpa_setup_vq_irq() which is problematic as we don't know if the
token pointer is still valid or not.

Actually, we use the eventfd_ctx as the token so the life cycle of the
token should be bound to the VHOST_SET_VRING_CALL instead of
vhost_vdpa_setup_vq_irq() which could be called by set_status().

Fixing this by setting up irq bypass producer's token when handling
VHOST_SET_VRING_CALL and un-registering the producer before calling
vhost_vring_ioctl() to prevent a possible use after free as eventfd
could have been released in vhost_vring_ioctl(). And such registering
and unregistering will only be done if DRIVER_OK is set.

*Credits: N/A

CVSS Scores

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-09-30 CVE Reserved
2024-10-21 CVE Published
2024-10-21 CVE Updated
2024-10-22 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (8)

URL	Tag	Source
https://git.kernel.org/stable/c/2cf1ba9a4d15cb78b96ea97f727b93382c3f9a60	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/0c170b1e918b9afac25e2bbd01eaa2bfc0ece8c0	2024-10-17
https://git.kernel.org/stable/c/927a2580208e0f9b0b47b08f1c802b7233a7ba3c	2024-10-17
https://git.kernel.org/stable/c/ec5f1b54ceb23475049ada6e7a43452cf4df88d1	2024-10-17
https://git.kernel.org/stable/c/ca64edd7ae93402af2596a952e0d94d545e2b9c0	2024-10-04
https://git.kernel.org/stable/c/fae9b1776f53aab93ab345bdbf653b991aed717d	2024-10-04
https://git.kernel.org/stable/c/7cf2fb51175cafe01df8c43fa15a06194a59c6e2	2024-10-04
https://git.kernel.org/stable/c/02e9e9366fefe461719da5d173385b6685f70319	2024-09-10

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.9 < 5.10.227 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.9 < 5.10.227"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.9 < 5.15.168 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.9 < 5.15.168"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.9 < 6.1.113 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.9 < 6.1.113"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.9 < 6.6.54 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.9 < 6.6.54"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.9 < 6.10.13 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.9 < 6.10.13"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.9 < 6.11.2 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.9 < 6.11.2"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 5.9 < 6.12-rc1 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.9 < 6.12-rc1"		en		Affected