CVE-2024-35814

Commit bbb73a103fbb ("swiotlb: fix a braino in the alignment check fix"), which was a fix for commit 0eee5ae10256 ("swiotlb: fix slot alignment checks"), causes a functional regression with vsock in a virtual machine using bouncing via a restricted DMA SWIOTLB pool.

When virtio allocates the virtqueues for the vsock device using dmaalloccoherent(), the SWIOTLB search can return page-unaligned allocations if 'area->index' was left unaligned by a previous allocation from the buffer:

# Final address in brackets is the SWIOTLB address returned to the caller | virtio-pci 0000:00:07.0: origaddr 0x0 allocsize 0x2000, iotlbalignmask 0x800 stride 0x2: got slot 1645-1649/7168 (0x98326800) | virtio-pci 0000:00:07.0: origaddr 0x0 allocsize 0x2000, iotlbalignmask 0x800 stride 0x2: got slot 1649-1653/7168 (0x98328800) | virtio-pci 0000:00:07.0: origaddr 0x0 allocsize 0x2000, iotlbalignmask 0x800 stride 0x2: got slot 1653-1657/7168 (0x9832a800)

This ends badly (typically buffer corruption and/or a hang) because swiotlb_alloc() is expecting a page-aligned allocation and so blindly returns a pointer to the 'struct page' corresponding to the allocation, therefore double-allocating the first half (2KiB slot) of the 4KiB page.

Fix the problem by treating the allocation alignment separately to any additional alignment requirements from the device, using the maximum of the two as the stride to search the buffer slots and taking care to ensure a minimum of page-alignment for buffers larger than a page.

This also resolves swiotlb allocation failures occuring due to the inclusion of ~PAGEMASK in 'iotlbalignmask' for large allocations and resulting in alignment requirements exceeding swiotlbmaxmappingsize().

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

0eee5ae1025699ea93d44fdb6ef2365505082103

Fixed

3e7acd6e25ba77dde48c3b721c54c89cd6a10534

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

0eee5ae1025699ea93d44fdb6ef2365505082103

Fixed

c88668aa6c1da240ea3eb4d128b7906e740d3cb8

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

0eee5ae1025699ea93d44fdb6ef2365505082103

Fixed

777391743771040e12cc40d3d0d178f70c616491

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

0eee5ae1025699ea93d44fdb6ef2365505082103

Fixed

04867a7a33324c9c562ee7949dbcaab7aaad1fb4

Affected versions

v6.*

v6.3

v6.3-rc3

v6.3-rc4

v6.3-rc5

v6.3-rc6

v6.3-rc7

v6.4

v6.4-rc1

v6.4-rc2

v6.4-rc3

v6.4-rc4

v6.4-rc5

v6.4-rc6

v6.4-rc7

v6.5

v6.5-rc1

v6.5-rc2

v6.5-rc3

v6.5-rc4

v6.5-rc5

v6.5-rc6

v6.5-rc7

v6.6

v6.6-rc1

v6.6-rc2

v6.6-rc3

v6.6-rc4

v6.6-rc5

v6.6-rc6

v6.6-rc7

v6.6.1

v6.6.10

v6.6.11

v6.6.12

v6.6.13

v6.6.14

v6.6.15

v6.6.16

v6.6.17

v6.6.18

v6.6.19

v6.6.2

v6.6.20

v6.6.21

v6.6.22

v6.6.23

v6.6.3

v6.6.4

v6.6.5

v6.6.6

v6.6.7

v6.6.8

v6.6.9

v6.7

v6.7-rc1

v6.7-rc2

v6.7-rc3

v6.7-rc4

v6.7-rc5

v6.7-rc6

v6.7-rc7

v6.7-rc8

v6.7.1

v6.7.10

v6.7.11

v6.7.2

v6.7.3

v6.7.4

v6.7.5

v6.7.6

v6.7.7

v6.7.8

v6.7.9

v6.8

v6.8-rc1

v6.8-rc2

v6.8-rc3

v6.8-rc4

v6.8-rc5

v6.8-rc6

v6.8-rc7

v6.8.1

v6.8.2

Database specific

vanir_signatures

[
    {
        "target": {
            "function": "swiotlb_area_find_slots",
            "file": "kernel/dma/swiotlb.c"
        },
        "id": "CVE-2024-35814-137b2289",
        "signature_type": "Function",
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c88668aa6c1da240ea3eb4d128b7906e740d3cb8",
        "digest": {
            "function_hash": "112734023914588076329245913264631229386",
            "length": 1812.0
        }
    },
    {
        "target": {
            "file": "kernel/dma/swiotlb.c"
        },
        "id": "CVE-2024-35814-57f376d1",
        "signature_type": "Line",
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@777391743771040e12cc40d3d0d178f70c616491",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "141809747422596749645344250932421305956",
                "15668583442597282186908771637318225002",
                "64664072020176105894416501962476727491",
                "306207721564870634736245503058623126528",
                "207309411181545598013998989762141622779",
                "332971036597091219978537383672900569790",
                "337422004510381186317375631405865394739",
                "123169930027449981126263912719391948893",
                "6545723262418058322455154193714917436",
                "314536636229162028634570022783102102428",
                "43857754476153108130097212155868992093",
                "21310507988635172777168385517297803619",
                "50045070106905708259584511861028186973",
                "3249448087535400412548453358681463836",
                "18992931685686454792688617089405320736",
                "222959591489977148682101016815570757375",
                "104789271629638725263116484805355760879",
                "148774247730175994250834650707873262155",
                "160491680382802564263223179228378225116"
            ]
        }
    },
    {
        "target": {
            "function": "swiotlb_search_pool_area",
            "file": "kernel/dma/swiotlb.c"
        },
        "id": "CVE-2024-35814-91cfaf8d",
        "signature_type": "Function",
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@777391743771040e12cc40d3d0d178f70c616491",
        "digest": {
            "function_hash": "112734023914588076329245913264631229386",
            "length": 1812.0
        }
    },
    {
        "target": {
            "file": "kernel/dma/swiotlb.c"
        },
        "id": "CVE-2024-35814-9b6152e5",
        "signature_type": "Line",
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@c88668aa6c1da240ea3eb4d128b7906e740d3cb8",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "141809747422596749645344250932421305956",
                "15668583442597282186908771637318225002",
                "64664072020176105894416501962476727491",
                "306207721564870634736245503058623126528",
                "207309411181545598013998989762141622779",
                "332971036597091219978537383672900569790",
                "337422004510381186317375631405865394739",
                "123169930027449981126263912719391948893",
                "6545723262418058322455154193714917436",
                "314536636229162028634570022783102102428",
                "43857754476153108130097212155868992093",
                "21310507988635172777168385517297803619",
                "50045070106905708259584511861028186973",
                "3249448087535400412548453358681463836",
                "18992931685686454792688617089405320736",
                "222959591489977148682101016815570757375",
                "104789271629638725263116484805355760879",
                "148774247730175994250834650707873262155",
                "160491680382802564263223179228378225116"
            ]
        }
    },
    {
        "target": {
            "function": "swiotlb_area_find_slots",
            "file": "kernel/dma/swiotlb.c"
        },
        "id": "CVE-2024-35814-a0ceb349",
        "signature_type": "Function",
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3e7acd6e25ba77dde48c3b721c54c89cd6a10534",
        "digest": {
            "function_hash": "112734023914588076329245913264631229386",
            "length": 1812.0
        }
    },
    {
        "target": {
            "file": "kernel/dma/swiotlb.c"
        },
        "id": "CVE-2024-35814-cebfb374",
        "signature_type": "Line",
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@04867a7a33324c9c562ee7949dbcaab7aaad1fb4",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "141809747422596749645344250932421305956",
                "15668583442597282186908771637318225002",
                "64664072020176105894416501962476727491",
                "306207721564870634736245503058623126528",
                "207309411181545598013998989762141622779",
                "332971036597091219978537383672900569790",
                "337422004510381186317375631405865394739",
                "123169930027449981126263912719391948893",
                "6545723262418058322455154193714917436",
                "314536636229162028634570022783102102428",
                "43857754476153108130097212155868992093",
                "21310507988635172777168385517297803619",
                "50045070106905708259584511861028186973",
                "3249448087535400412548453358681463836",
                "18992931685686454792688617089405320736",
                "222959591489977148682101016815570757375",
                "104789271629638725263116484805355760879",
                "148774247730175994250834650707873262155",
                "160491680382802564263223179228378225116"
            ]
        }
    },
    {
        "target": {
            "function": "swiotlb_search_pool_area",
            "file": "kernel/dma/swiotlb.c"
        },
        "id": "CVE-2024-35814-ee9e4af6",
        "signature_type": "Function",
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@04867a7a33324c9c562ee7949dbcaab7aaad1fb4",
        "digest": {
            "function_hash": "112734023914588076329245913264631229386",
            "length": 1812.0
        }
    },
    {
        "target": {
            "file": "kernel/dma/swiotlb.c"
        },
        "id": "CVE-2024-35814-f9e4d88f",
        "signature_type": "Line",
        "signature_version": "v1",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@3e7acd6e25ba77dde48c3b721c54c89cd6a10534",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "141809747422596749645344250932421305956",
                "15668583442597282186908771637318225002",
                "64664072020176105894416501962476727491",
                "306207721564870634736245503058623126528",
                "207309411181545598013998989762141622779",
                "332971036597091219978537383672900569790",
                "337422004510381186317375631405865394739",
                "123169930027449981126263912719391948893",
                "6545723262418058322455154193714917436",
                "314536636229162028634570022783102102428",
                "43857754476153108130097212155868992093",
                "21310507988635172777168385517297803619",
                "50045070106905708259584511861028186973",
                "3249448087535400412548453358681463836",
                "18992931685686454792688617089405320736",
                "222959591489977148682101016815570757375",
                "104789271629638725263116484805355760879",
                "148774247730175994250834650707873262155",
                "160491680382802564263223179228378225116"
            ]
        }
    }
]

Linux / Kernel

Package

Name: Kernel

Affected ranges

Type: ECOSYSTEM
Events: Introduced

6.3.0

Fixed

6.6.24

Type: ECOSYSTEM
Events: Introduced

6.7.0

Fixed

6.7.12

Type: ECOSYSTEM
Events: Introduced

6.8.0

Fixed

6.8.3