| From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001 |
| From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| To: <linux-cve-announce@vger.kernel.org> |
| Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org> |
| Subject: CVE-2024-56668: iommu/vt-d: Fix qi_batch NULL pointer with nested parent domain |
| |
| Description |
| =========== |
| |
| In the Linux kernel, the following vulnerability has been resolved: |
| |
| iommu/vt-d: Fix qi_batch NULL pointer with nested parent domain |
| |
| The qi_batch is allocated when assigning cache tag for a domain. While |
| for nested parent domain, it is missed. Hence, when trying to map pages |
| to the nested parent, NULL dereference occurred. Also, there is potential |
| memleak since there is no lock around domain->qi_batch allocation. |
| |
| To solve it, add a helper for qi_batch allocation, and call it in both |
| the __cache_tag_assign_domain() and __cache_tag_assign_parent_domain(). |
| |
| BUG: kernel NULL pointer dereference, address: 0000000000000200 |
| #PF: supervisor read access in kernel mode |
| #PF: error_code(0x0000) - not-present page |
| PGD 8104795067 P4D 0 |
| Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI |
| CPU: 223 UID: 0 PID: 4357 Comm: qemu-system-x86 Not tainted 6.13.0-rc1-00028-g4b50c3c3b998-dirty #2632 |
| Call Trace: |
| ? __die+0x24/0x70 |
| ? page_fault_oops+0x80/0x150 |
| ? do_user_addr_fault+0x63/0x7b0 |
| ? exc_page_fault+0x7c/0x220 |
| ? asm_exc_page_fault+0x26/0x30 |
| ? cache_tag_flush_range_np+0x13c/0x260 |
| intel_iommu_iotlb_sync_map+0x1a/0x30 |
| iommu_map+0x61/0xf0 |
| batch_to_domain+0x188/0x250 |
| iopt_area_fill_domains+0x125/0x320 |
| ? rcu_is_watching+0x11/0x50 |
| iopt_map_pages+0x63/0x100 |
| iopt_map_common.isra.0+0xa7/0x190 |
| iopt_map_user_pages+0x6a/0x80 |
| iommufd_ioas_map+0xcd/0x1d0 |
| iommufd_fops_ioctl+0x118/0x1c0 |
| __x64_sys_ioctl+0x93/0xc0 |
| do_syscall_64+0x71/0x140 |
| entry_SYSCALL_64_after_hwframe+0x76/0x7e |
| |
| The Linux kernel CVE team has assigned CVE-2024-56668 to this issue. |
| |
| |
| Affected and fixed versions |
| =========================== |
| |
| Issue introduced in 6.12 with commit 705c1cdf1e73c4c727bbfc8775434e6dd36e8baf and fixed in 6.12.6 with commit ffd774c34774fd4cc0e9cf2976595623a6c3a077 |
| Issue introduced in 6.12 with commit 705c1cdf1e73c4c727bbfc8775434e6dd36e8baf and fixed in 6.13 with commit 74536f91962d5f6af0a42414773ce61e653c10ee |
| |
| Please see https://www.kernel.org for a full list of currently supported |
| kernel versions by the kernel community. |
| |
| Unaffected versions might change over time as fixes are backported to |
| older supported kernel versions. The official CVE entry at |
| https://cve.org/CVERecord/?id=CVE-2024-56668 |
| will be updated if fixes are backported, please check that for the most |
| up to date information about this issue. |
| |
| |
| Affected files |
| ============== |
| |
| The file(s) affected by this issue are: |
| drivers/iommu/intel/cache.c |
| |
| |
| Mitigation |
| ========== |
| |
| The Linux kernel CVE team recommends that you update to the latest |
| stable kernel version for this, and many other bugfixes. Individual |
| changes are never tested alone, but rather are part of a larger kernel |
| release. Cherry-picking individual commits is not recommended or |
| supported by the Linux kernel community at all. If however, updating to |
| the latest release is impossible, the individual changes to resolve this |
| issue can be found at these commits: |
| https://git.kernel.org/stable/c/ffd774c34774fd4cc0e9cf2976595623a6c3a077 |
| https://git.kernel.org/stable/c/74536f91962d5f6af0a42414773ce61e653c10ee |
