CVE-2025-38062 (GCVE-0-2025-38062)
Vulnerability from cvelistv5
Published
2025-06-18 09:33
Modified
2025-06-18 09:33
Summary
In the Linux kernel, the following vulnerability has been resolved:

genirq/msi: Store the IOMMU IOVA directly in msi_desc instead of iommu_cookie

The IOMMU translation for MSI message addresses has been a 2-step process, separated in time:

 1) iommu_dma_prepare_msi(): A cookie pointer containing the IOVA address is stored in the MSI descriptor when an MSI interrupt is allocated.

 2) iommu_dma_compose_msi_msg(): this cookie pointer is used to compute a translated message address.

This has an inherent lifetime problem for the pointer stored in the cookie that must remain valid between the two steps. However, there is no locking at the irq layer that helps protect the lifetime. Today, this works under the assumption that the iommu domain is not changed while MSI interrupts are being programmed. This is true for normal DMA API users within the kernel, as the iommu domain is attached before the driver is probed and cannot be changed while a driver is attached.

Classic VFIO type1 also prevented changing the iommu domain while VFIO was running as it does not support changing the "container" after starting up.

However, iommufd has improved this so that the iommu domain can be changed during VFIO operation. This potentially allows userspace to directly race VFIO_DEVICE_ATTACH_IOMMUFD_PT (which calls iommu_attach_group()) and VFIO_DEVICE_SET_IRQS (which calls into iommu_dma_compose_msi_msg()).

This potentially causes both the cookie pointer and the unlocked call to iommu_get_domain_for_dev() on the MSI translation path to become UAFs.

Fix the MSI cookie UAF by removing the cookie pointer. The translated IOVA address is already known during iommu_dma_prepare_msi() and cannot change. Thus, it can simply be stored as an integer in the MSI descriptor.

The other UAF related to iommu_get_domain_for_dev() will be addressed in patch "iommu: Make iommu_dma_prepare_msi() into a generic operation" by using the IOMMU group mutex.
Impacted products
Vendor  Product  Version (git range, affected)
Linux   Linux    from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, fixed in e4d3763223c7b72ded53425207075e7453b4e3d5
Linux   Linux    from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, fixed in ba41e4e627db51d914444aee0b93eb67f31fa330
Linux   Linux    from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, fixed in 53f42776e435f63e5f8e61955e4c205dbfeaf524
Linux   Linux    from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, fixed in 856152eb91e67858a09e30a7149a1f29b04b7384
Linux   Linux    from 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2, fixed in 1f7df3a691740a7736bbc99dc4ed536120eb4746

Fixed stable releases: 6.1.141, 6.6.93, 6.12.31, 6.14.9, 6.15


{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/iommu/dma-iommu.c",
            "include/linux/msi.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e4d3763223c7b72ded53425207075e7453b4e3d5",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "ba41e4e627db51d914444aee0b93eb67f31fa330",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "53f42776e435f63e5f8e61955e4c205dbfeaf524",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "856152eb91e67858a09e30a7149a1f29b04b7384",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "1f7df3a691740a7736bbc99dc4ed536120eb4746",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/iommu/dma-iommu.c",
            "include/linux/msi.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.141",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.93",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.31",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.141",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.93",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.31",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngenirq/msi: Store the IOMMU IOVA directly in msi_desc instead of iommu_cookie\n\nThe IOMMU translation for MSI message addresses has been a 2-step process,\nseparated in time:\n\n 1) iommu_dma_prepare_msi(): A cookie pointer containing the IOVA address\n    is stored in the MSI descriptor when an MSI interrupt is allocated.\n\n 2) iommu_dma_compose_msi_msg(): this cookie pointer is used to compute a\n    translated message address.\n\nThis has an inherent lifetime problem for the pointer stored in the cookie\nthat must remain valid between the two steps. However, there is no locking\nat the irq layer that helps protect the lifetime. Today, this works under\nthe assumption that the iommu domain is not changed while MSI interrupts\nbeing programmed. This is true for normal DMA API users within the kernel,\nas the iommu domain is attached before the driver is probed and cannot be\nchanged while a driver is attached.\n\nClassic VFIO type1 also prevented changing the iommu domain while VFIO was\nrunning as it does not support changing the \"container\" after starting up.\n\nHowever, iommufd has improved this so that the iommu domain can be changed\nduring VFIO operation. This potentially allows userspace to directly race\nVFIO_DEVICE_ATTACH_IOMMUFD_PT (which calls iommu_attach_group()) and\nVFIO_DEVICE_SET_IRQS (which calls into iommu_dma_compose_msi_msg()).\n\nThis potentially causes both the cookie pointer and the unlocked call to\niommu_get_domain_for_dev() on the MSI translation path to become UAFs.\n\nFix the MSI cookie UAF by removing the cookie pointer. The translated IOVA\naddress is already known during iommu_dma_prepare_msi() and cannot change.\nThus, it can simply be stored as an integer in the MSI descriptor.\n\nThe other UAF related to iommu_get_domain_for_dev() will be addressed in\npatch \"iommu: Make iommu_dma_prepare_msi() into a generic operation\" by\nusing the IOMMU group mutex."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-18T09:33:41.282Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e4d3763223c7b72ded53425207075e7453b4e3d5"
        },
        {
          "url": "https://git.kernel.org/stable/c/ba41e4e627db51d914444aee0b93eb67f31fa330"
        },
        {
          "url": "https://git.kernel.org/stable/c/53f42776e435f63e5f8e61955e4c205dbfeaf524"
        },
        {
          "url": "https://git.kernel.org/stable/c/856152eb91e67858a09e30a7149a1f29b04b7384"
        },
        {
          "url": "https://git.kernel.org/stable/c/1f7df3a691740a7736bbc99dc4ed536120eb4746"
        }
      ],
      "title": "genirq/msi: Store the IOMMU IOVA directly in msi_desc instead of iommu_cookie",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38062",
    "datePublished": "2025-06-18T09:33:41.282Z",
    "dateReserved": "2025-04-16T04:51:23.979Z",
    "dateUpdated": "2025-06-18T09:33:41.282Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-38062\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2025-06-18T10:15:39.080\",\"lastModified\":\"2025-06-18T13:46:52.973\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ngenirq/msi: Store the IOMMU IOVA directly in msi_desc instead of iommu_cookie\\n\\nThe IOMMU translation for MSI message addresses has been a 2-step process,\\nseparated in time:\\n\\n 1) iommu_dma_prepare_msi(): A cookie pointer containing the IOVA address\\n    is stored in the MSI descriptor when an MSI interrupt is allocated.\\n\\n 2) iommu_dma_compose_msi_msg(): this cookie pointer is used to compute a\\n    translated message address.\\n\\nThis has an inherent lifetime problem for the pointer stored in the cookie\\nthat must remain valid between the two steps. However, there is no locking\\nat the irq layer that helps protect the lifetime. Today, this works under\\nthe assumption that the iommu domain is not changed while MSI interrupts\\nbeing programmed. This is true for normal DMA API users within the kernel,\\nas the iommu domain is attached before the driver is probed and cannot be\\nchanged while a driver is attached.\\n\\nClassic VFIO type1 also prevented changing the iommu domain while VFIO was\\nrunning as it does not support changing the \\\"container\\\" after starting up.\\n\\nHowever, iommufd has improved this so that the iommu domain can be changed\\nduring VFIO operation. This potentially allows userspace to directly race\\nVFIO_DEVICE_ATTACH_IOMMUFD_PT (which calls iommu_attach_group()) and\\nVFIO_DEVICE_SET_IRQS (which calls into iommu_dma_compose_msi_msg()).\\n\\nThis potentially causes both the cookie pointer and the unlocked call to\\niommu_get_domain_for_dev() on the MSI translation path to become UAFs.\\n\\nFix the MSI cookie UAF by removing the cookie pointer. The translated IOVA\\naddress is already known during iommu_dma_prepare_msi() and cannot change.\\nThus, it can simply be stored as an integer in the MSI descriptor.\\n\\nThe other UAF related to iommu_get_domain_for_dev() will be addressed in\\npatch \\\"iommu: Make iommu_dma_prepare_msi() into a generic operation\\\" by\\nusing the IOMMU group mutex.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: genirq/msi: Almacenar el IOVA de IOMMU directamente en msi_desc en lugar de en iommu_cookie La traducci\u00f3n de IOMMU para direcciones de mensajes MSI ha sido un proceso de 2 pasos, separados en el tiempo: 1) iommu_dma_prepare_msi(): Un puntero de cookie que contiene la direcci\u00f3n IOVA se almacena en el descriptor MSI cuando se asigna una interrupci\u00f3n MSI. 2) iommu_dma_compose_msi_msg(): este puntero de cookie se utiliza para calcular una direcci\u00f3n de mensaje traducida. Esto tiene un problema de vida \u00fatil inherente para el puntero almacenado en la cookie que debe seguir siendo v\u00e1lido entre los dos pasos. Sin embargo, no hay bloqueo en la capa irq que ayude a proteger la vida \u00fatil. Hoy en d\u00eda, esto funciona bajo el supuesto de que el dominio iommu no cambia mientras se programan las interrupciones MSI. Esto aplica a los usuarios normales de la API de DMA dentro del kernel, ya que el dominio iommu se conecta antes de sondear el controlador y no se puede cambiar mientras est\u00e9 conectado. El tipo 1 de VFIO cl\u00e1sico tambi\u00e9n imped\u00eda cambiar el dominio iommu mientras VFIO se ejecutaba, ya que no admite cambiar el \\\"contenedor\\\" despu\u00e9s del inicio. Sin embargo, iommufd ha mejorado esto para que el dominio iommu se pueda cambiar durante la operaci\u00f3n de VFIO. Esto potencialmente permite que el espacio de usuario compita directamente con VFIO_DEVICE_ATTACH_IOMMUFD_PT (que llama a iommu_attach_group()) y VFIO_DEVICE_SET_IRQS (que llama a iommu_dma_compose_msi_msg()). Esto potencialmente provoca que tanto el puntero de cookie como la llamada desbloqueada a iommu_get_domain_for_dev() en la ruta de traducci\u00f3n MSI se conviertan en UAF. Corrija el UAF de la cookie MSI eliminando el puntero de cookie. La direcci\u00f3n IOVA traducida ya se conoce durante iommu_dma_prepare_msi() y no puede modificarse. Por lo tanto, puede almacenarse simplemente como un entero en el descriptor MSI. El resto de UAF relacionado con iommu_get_domain_for_dev() se abordar\u00e1 en el parche \\\"iommu: Convertir iommu_dma_prepare_msi() en una operaci\u00f3n gen\u00e9rica\\\" mediante el mutex del grupo IOMMU.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/1f7df3a691740a7736bbc99dc4ed536120eb4746\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/53f42776e435f63e5f8e61955e4c205dbfeaf524\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/856152eb91e67858a09e30a7149a1f29b04b7384\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/ba41e4e627db51d914444aee0b93eb67f31fa330\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e4d3763223c7b72ded53425207075e7453b4e3d5\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}
