THREATINT
PUBLISHED

CVE-2024-26786

iommufd: Fix iopt_access_list_id overwrite bug



Description

In the Linux kernel, the following vulnerability has been resolved:

iommufd: Fix iopt_access_list_id overwrite bug

Syzkaller reported the following WARN_ON:

  WARNING: CPU: 1 PID: 4738 at drivers/iommu/iommufd/io_pagetable.c:1360

  Call Trace:
   iommufd_access_change_ioas+0x2fe/0x4e0
   iommufd_access_destroy_object+0x50/0xb0
   iommufd_object_remove+0x2a3/0x490
   iommufd_object_destroy_user
   iommufd_access_destroy+0x71/0xb0
   iommufd_test_staccess_release+0x89/0xd0
   __fput+0x272/0xb50
   __fput_sync+0x4b/0x60
   __do_sys_close
   __se_sys_close
   __x64_sys_close+0x8b/0x110
   do_syscall_x64

The mismatch between the access pointer in the list and the passed-in pointer is resulting from an overwrite of access->iopt_access_list_id, in iopt_add_access(). Called from iommufd_access_change_ioas() when xa_alloc() succeeds but iopt_calculate_iova_alignment() fails.

Add a new_id in iopt_add_access() and only update iopt_access_list_id when returning successfully.
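The failure mode described above, as an added userspace model (not the kernel's code and not taken from the fix commits). The names toy_alloc, toy_erase, add_buggy, add_fixed and demo, and the fixed-size slot array standing in for the xarray, are assumptions made for illustration.

```c
#include <stdio.h>
#define SLOTS 4
struct access { unsigned int list_id; };      /* models iopt_access_list_id */
struct ioas { struct access *list[SLOTS]; };  /* toy stand-in for the access list */

/* Store `a` in the first free slot and report the slot number through *id. */
static int toy_alloc(struct ioas *io, struct access *a, unsigned int *id)
{
    for (unsigned int i = 0; i < SLOTS; i++)
        if (!io->list[i]) { io->list[i] = a; *id = i; return 0; }
    return -1;
}

static struct access *toy_erase(struct ioas *io, unsigned int id)
{
    struct access *old = io->list[id];        /* id is always < SLOTS here */
    io->list[id] = NULL;
    return old;
}

/* Pre-fix shape: the allocator writes into a->list_id before success is known. */
static int add_buggy(struct ioas *io, struct access *a, int align_fails)
{
    if (toy_alloc(io, a, &a->list_id)) return -1;
    if (align_fails) { toy_erase(io, a->list_id); return -1; } /* id clobbered */
    return 0;
}

/* Post-fix shape: allocate into new_id, commit it only on the success path. */
static int add_fixed(struct ioas *io, struct access *a, int align_fails)
{
    unsigned int new_id;
    if (toy_alloc(io, a, &new_id)) return -1;
    if (align_fails) { toy_erase(io, new_id); return -1; }
    a->list_id = new_id;
    return 0;
}

/* 0 if erasing by a's stored id from its original list finds a, -1 on mismatch. */
int demo(int use_fixed)
{
    struct ioas cur = {0}, next = {0};
    struct access a = {0}, other = {0};
    int (*add)(struct ioas *, struct access *, int) = use_fixed ? add_fixed : add_buggy;
    add(&next, &other, 0);   /* target list already uses slot 0 */
    add(&cur, &a, 0);        /* a is registered in cur with id 0 */
    add(&next, &a, 1);       /* move attempt fails after the id was allocated */
    return toy_erase(&cur, a.list_id) == &a ? 0 : -1;
}

int main(void) { printf("pre-fix: %d, post-fix: %d\n", demo(0), demo(1)); return 0; }
```

The -1 from the pre-fix path corresponds to the pointer mismatch that the WARN_ON reports; the post-fix path leaves the stored id pointing at the entry in the original list.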

Reserved 2024-02-19 | Published 2024-04-04 | Updated 2024-12-19 | Assigner Linux

Product status

Default status: unaffected

9227da7816dd1a42e20d41e2244cb63c205477ca before f1fb745ee0a6fe43f1d84ec369c7e6af2310fda9: affected
9227da7816dd1a42e20d41e2244cb63c205477ca before 9526a46cc0c378d381560279bea9aa34c84298a0: affected
9227da7816dd1a42e20d41e2244cb63c205477ca before aeb004c0cd6958e910123a1607634401009c9539: affected

Default status: affected

6.6: affected
Any version before 6.6: unaffected
6.6.21: unaffected
6.7.9: unaffected
6.8: unaffected

References

git.kernel.org/...c/f1fb745ee0a6fe43f1d84ec369c7e6af2310fda9

git.kernel.org/...c/9526a46cc0c378d381560279bea9aa34c84298a0

git.kernel.org/...c/aeb004c0cd6958e910123a1607634401009c9539

cve.org (CVE-2024-26786)

nvd.nist.gov (CVE-2024-26786)
