CVE-2024-26786

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-26786
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-26786.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-26786
Downstream
Related
Published
2024-04-04T08:20:19Z
Modified
2025-10-09T05:13:31.620220Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
iommufd: Fix iopt_access_list_id overwrite bug
Details

In the Linux kernel, the following vulnerability has been resolved:

iommufd: Fix ioptaccesslist_id overwrite bug

Syzkaller reported the following WARNON: WARNING: CPU: 1 PID: 4738 at drivers/iommu/iommufd/iopagetable.c:1360

Call Trace: iommufdaccesschangeioas+0x2fe/0x4e0 iommufdaccessdestroyobject+0x50/0xb0 iommufdobjectremove+0x2a3/0x490 iommufdobjectdestroyuser iommufdaccessdestroy+0x71/0xb0 iommufdteststaccessrelease+0x89/0xd0 _fput+0x272/0xb50 _fputsync+0x4b/0x60 _dosysclose _sesysclose _x64sysclose+0x8b/0x110 dosyscallx64

The mismatch between the access pointer in the list and the passed-in pointer is resulting from an overwrite of access->ioptaccesslistid, in ioptaddaccess(). Called from iommufdaccesschangeioas() when xaalloc() succeeds but ioptcalculateiovaalignment() fails.

Add a newid in ioptaddaccess() and only update ioptaccesslistid when returning successfully.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
9227da7816dd1a42e20d41e2244cb63c205477ca
Fixed
f1fb745ee0a6fe43f1d84ec369c7e6af2310fda9
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
9227da7816dd1a42e20d41e2244cb63c205477ca
Fixed
9526a46cc0c378d381560279bea9aa34c84298a0
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
9227da7816dd1a42e20d41e2244cb63c205477ca
Fixed
aeb004c0cd6958e910123a1607634401009c9539

Affected versions

v6.*

v6.5
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.6.1
v6.6.10
v6.6.11
v6.6.12
v6.6.13
v6.6.14
v6.6.15
v6.6.16
v6.6.17
v6.6.18
v6.6.19
v6.6.2
v6.6.20
v6.6.3
v6.6.4
v6.6.5
v6.6.6
v6.6.7
v6.6.8
v6.6.9
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.7.1
v6.7.2
v6.7.3
v6.7.4
v6.7.5
v6.7.6
v6.7.7
v6.7.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.6.0
Fixed
6.6.21
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.7.9