1.5 KiB
CVE-2024-35843
Description
In the Linux kernel, the following vulnerability has been resolved:iommu/vt-d: Use device rbtree in iopf reporting pathThe existing I/O page fault handler currently locates the PCI device bycalling pci_get_domain_bus_and_slot(). This function searches the listof all PCI devices until the desired device is found. To improve lookupefficiency, replace it with device_rbtree_find() to search the devicewithin the probed device rbtree.The I/O page fault is initiated by the device, which does not have anysynchronization mechanism with the software to ensure that the devicestays in the probed device tree. Theoretically, a device could be releasedby the IOMMU subsystem after device_rbtree_find() and beforeiopf_get_dev_fault_param(), which would cause a use-after-free problem.Add a mutex to synchronize the I/O page fault reporting path and the IOMMUrelease device path. This lock doesn't introduce any performance overhead,as the conflict between I/O page fault reporting and device releasing isvery rare.
POC
Reference
No PoCs from references.