1.5 KiB
CVE-2024-47748
Description
In the Linux kernel, the following vulnerability has been resolved:vhost_vdpa: assign irq bypass producer token correctlyWe used to call irq_bypass_unregister_producer() invhost_vdpa_setup_vq_irq() which is problematic as we don't know if thetoken pointer is still valid or not.Actually, we use the eventfd_ctx as the token so the life cycle of thetoken should be bound to the VHOST_SET_VRING_CALL instead ofvhost_vdpa_setup_vq_irq() which could be called by set_status().Fixing this by setting up irq bypass producer's token when handlingVHOST_SET_VRING_CALL and un-registering the producer before callingvhost_vring_ioctl() to prevent a possible use after free as eventfdcould have been released in vhost_vring_ioctl(). And such registeringand unregistering will only be done if DRIVER_OK is set.
POC
Reference
No PoCs from references.