ghsa-7hpx-3fcf-fxr2
Vulnerability from github
Published
2024-12-27 15:31
Modified
2025-01-06 18:31
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Details

In the Linux kernel, the following vulnerability has been resolved:

iommu/vt-d: Fix qi_batch NULL pointer with nested parent domain

The qi_batch is allocated when assigning cache tag for a domain. While for nested parent domain, it is missed. Hence, when trying to map pages to the nested parent, NULL dereference occurred. Also, there is potential memleak since there is no lock around domain->qi_batch allocation.

To solve it, add a helper for qi_batch allocation, and call it in both the __cache_tag_assign_domain() and __cache_tag_assign_parent_domain().

BUG: kernel NULL pointer dereference, address: 0000000000000200 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 8104795067 P4D 0 Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 223 UID: 0 PID: 4357 Comm: qemu-system-x86 Not tainted 6.13.0-rc1-00028-g4b50c3c3b998-dirty #2632 Call Trace: ? __die+0x24/0x70 ? page_fault_oops+0x80/0x150 ? do_user_addr_fault+0x63/0x7b0 ? exc_page_fault+0x7c/0x220 ? asm_exc_page_fault+0x26/0x30 ? cache_tag_flush_range_np+0x13c/0x260 intel_iommu_iotlb_sync_map+0x1a/0x30 iommu_map+0x61/0xf0 batch_to_domain+0x188/0x250 iopt_area_fill_domains+0x125/0x320 ? rcu_is_watching+0x11/0x50 iopt_map_pages+0x63/0x100 iopt_map_common.isra.0+0xa7/0x190 iopt_map_user_pages+0x6a/0x80 iommufd_ioas_map+0xcd/0x1d0 iommufd_fops_ioctl+0x118/0x1c0 __x64_sys_ioctl+0x93/0xc0 do_syscall_64+0x71/0x140 entry_SYSCALL_64_after_hwframe+0x76/0x7e

Show details on source website

To clipboard 

{
  "affected": [],
  "aliases": [
    "CVE-2024-56668"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-12-27T15:15:26Z",
    "severity": "MODERATE"
  },
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Fix qi_batch NULL pointer with nested parent domain\n\nThe qi_batch is allocated when assigning cache tag for a domain. While\nfor nested parent domain, it is missed. Hence, when trying to map pages\nto the nested parent, NULL dereference occurred. Also, there is potential\nmemleak since there is no lock around domain-\u003eqi_batch allocation.\n\nTo solve it, add a helper for qi_batch allocation, and call it in both\nthe __cache_tag_assign_domain() and __cache_tag_assign_parent_domain().\n\n  BUG: kernel NULL pointer dereference, address: 0000000000000200\n  #PF: supervisor read access in kernel mode\n  #PF: error_code(0x0000) - not-present page\n  PGD 8104795067 P4D 0\n  Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI\n  CPU: 223 UID: 0 PID: 4357 Comm: qemu-system-x86 Not tainted 6.13.0-rc1-00028-g4b50c3c3b998-dirty #2632\n  Call Trace:\n   ? __die+0x24/0x70\n   ? page_fault_oops+0x80/0x150\n   ? do_user_addr_fault+0x63/0x7b0\n   ? exc_page_fault+0x7c/0x220\n   ? asm_exc_page_fault+0x26/0x30\n   ? cache_tag_flush_range_np+0x13c/0x260\n   intel_iommu_iotlb_sync_map+0x1a/0x30\n   iommu_map+0x61/0xf0\n   batch_to_domain+0x188/0x250\n   iopt_area_fill_domains+0x125/0x320\n   ? rcu_is_watching+0x11/0x50\n   iopt_map_pages+0x63/0x100\n   iopt_map_common.isra.0+0xa7/0x190\n   iopt_map_user_pages+0x6a/0x80\n   iommufd_ioas_map+0xcd/0x1d0\n   iommufd_fops_ioctl+0x118/0x1c0\n   __x64_sys_ioctl+0x93/0xc0\n   do_syscall_64+0x71/0x140\n   entry_SYSCALL_64_after_hwframe+0x76/0x7e",
  "id": "GHSA-7hpx-3fcf-fxr2",
  "modified": "2025-01-06T18:31:00Z",
  "published": "2024-12-27T15:31:56Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56668"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/74536f91962d5f6af0a42414773ce61e653c10ee"
    },
    {
      "type": "WEB",
      "url": "https://git.kernel.org/stable/c/ffd774c34774fd4cc0e9cf2976595623a6c3a077"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.