CVE-2025-21724

iommufd/iova_bitmap: Fix shift-out-of-bounds in iova_bitmap_offset_to_index()

Severity Score

7.8

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In the Linux kernel, the following vulnerability has been resolved: iommufd/iova_bitmap: Fix shift-out-of-bounds in iova_bitmap_offset_to_index() Resolve a UBSAN shift-out-of-bounds issue in iova_bitmap_offset_to_index()
where shifting the constant "1" (of type int) by bitmap->mapped.pgshift
(an unsigned long value) could result in undefined behavior. The constant "1" defaults to a 32-bit "int", and when "pgshift" exceeds
31 (e.g., pgshift = 63) the shift operation overflows, as the result
cannot be represented in a 32-bit type. To resolve this, the constant is updated to "1UL", promoting it to an
unsigned long type to match the operand's type.

In the Linux kernel, the following vulnerability has been resolved: iommufd/iova_bitmap: Fix shift-out-of-bounds in iova_bitmap_offset_to_index() Resolve a UBSAN shift-out-of-bounds issue in iova_bitmap_offset_to_index() where shifting the constant "1" (of type int) by bitmap->mapped.pgshift (an unsigned long value) could result in undefined behavior. The constant "1" defaults to a 32-bit "int", and when "pgshift" exceeds 31 (e.g., pgshift = 63) the shift operation overflows, as the result cannot be represented in a 32-bit type. To resolve this, the constant is updated to "1UL", promoting it to an unsigned long type to match the operand's type.

*Credits: N/A

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2024-12-29 CVE Reserved
2025-02-27 CVE Published
2025-03-24 CVE Updated
2025-04-15 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CAPEC

References (6)

URL	Tag	Source
https://git.kernel.org/stable/c/58ccf0190d19d9a8a41f8a02b9e06742b58df4a1	Vuln. Introduced

URL	Date	SRC

URL	Date	SRC
https://git.kernel.org/stable/c/44d9c94b7a3f29a3e07c4753603a35e9b28842a3	2025-02-21
https://git.kernel.org/stable/c/38ac76fc06bc6826a3e4b12a98efbe98432380a9	2025-02-08
https://git.kernel.org/stable/c/d5d33f01b86af44b23eea61ee309e4ef22c0cdfe	2025-02-08
https://git.kernel.org/stable/c/b1f8453b8ff1ab79a03820ef608256c499769cb6	2025-02-08
https://git.kernel.org/stable/c/e24c1551059268b37f6f40639883eafb281b8b9c	2025-01-14

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.1 < 6.1.129 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.1 < 6.1.129"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.1 < 6.6.76 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.1 < 6.6.76"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.1 < 6.12.13 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.1 < 6.12.13"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.1 < 6.13.2 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.1 < 6.13.2"		en		Affected
Linux Search vendor "Linux"		Linux Kernel Search vendor "Linux" for product "Linux Kernel"				>= 6.1 < 6.14 Search vendor "Linux" for product "Linux Kernel" and version " >= 6.1 < 6.14"		en		Affected