CVE-2024-47719

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-47719
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-47719.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-47719
Downstream
Related
Published
2024-10-21T11:53:49Z
Modified
2025-10-17T13:24:11.456685Z
Summary
iommufd: Protect against overflow of ALIGN() during iova allocation
Details

In the Linux kernel, the following vulnerability has been resolved:

iommufd: Protect against overflow of ALIGN() during iova allocation

Userspace can supply an iova and uptr such that the target iova alignment becomes really big and ALIGN() overflows which corrupts the selected area range during allocation. CONFIGIOMMUFDTEST can detect this:

WARNING: CPU: 1 PID: 5092 at drivers/iommu/iommufd/iopagetable.c:268 ioptallocareapages drivers/iommu/iommufd/iopagetable.c:268 [inline] WARNING: CPU: 1 PID: 5092 at drivers/iommu/iommufd/iopagetable.c:268 ioptmappages+0xf95/0x1050 drivers/iommu/iommufd/iopagetable.c:352 Modules linked in: CPU: 1 PID: 5092 Comm: syz-executor294 Not tainted 6.10.0-rc5-syzkaller-00294-g3ffea9a7a6f7 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024 RIP: 0010:ioptallocareapages drivers/iommu/iommufd/iopagetable.c:268 [inline] RIP: 0010:ioptmappages+0xf95/0x1050 drivers/iommu/iommufd/iopagetable.c:352 Code: fc e9 a4 f3 ff ff e8 1a 8b 4c fc 41 be e4 ff ff ff e9 8a f3 ff ff e8 0a 8b 4c fc 90 0f 0b 90 e9 37 f5 ff ff e8 fc 8a 4c fc 90 <0f> 0b 90 e9 68 f3 ff ff 48 c7 c1 ec 82 ad 8f 80 e1 07 80 c1 03 38 RSP: 0018:ffffc90003ebf9e0 EFLAGS: 00010293 RAX: ffffffff85499fa4 RBX: 00000000ffffffef RCX: ffff888079b49e00 RDX: 0000000000000000 RSI: 00000000ffffffef RDI: 0000000000000000 RBP: ffffc90003ebfc50 R08: ffffffff85499b30 R09: ffffffff85499942 R10: 0000000000000002 R11: ffff888079b49e00 R12: ffff8880228e0010 R13: 0000000000000000 R14: 1ffff920007d7f68 R15: ffffc90003ebfd00 FS: 000055557d760380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000005fdeb8 CR3: 000000007404a000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> iommufdioascopy+0x610/0x7b0 drivers/iommu/iommufd/ioas.c:274 iommufdfopsioctl+0x4d9/0x5a0 drivers/iommu/iommufd/main.c:421 vfsioctl fs/ioctl.c:51 [inline] _dosysioctl fs/ioctl.c:907 [inline] _sesysioctl+0xfc/0x170 fs/ioctl.c:893 dosyscallx64 arch/x86/entry/common.c:52 [inline] dosyscall64+0xf3/0x230 arch/x86/entry/common.c:83 entrySYSCALL64after_hwframe+0x77/0x7f

Cap the automatic alignment to the huge page size, which is probably a better idea overall. Huge automatic alignments can fragment and chew up the available IOVA space without any reason.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
51fe6141f0f64ae0bbc096a41a07572273e8c0ef
Fixed
cd6dd564ae7d99967ef50078216929418160b30e
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
51fe6141f0f64ae0bbc096a41a07572273e8c0ef
Fixed
a6e9f9fd14772c0b23c6d1d7002d98f9d27cb1f6
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
51fe6141f0f64ae0bbc096a41a07572273e8c0ef
Fixed
72b78287ce92802e8ba678181a34b84ae844a112
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
51fe6141f0f64ae0bbc096a41a07572273e8c0ef
Fixed
8f6887349b2f829a4121c518aeb064fc922714e4

Affected versions

v6.*

v6.1
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.10.1
v6.10.10
v6.10.11
v6.10.12
v6.10.2
v6.10.3
v6.10.4
v6.10.5
v6.10.6
v6.10.7
v6.10.8
v6.10.9
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.11.1
v6.2
v6.2-rc1
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.6.1
v6.6.10
v6.6.11
v6.6.12
v6.6.13
v6.6.14
v6.6.15
v6.6.16
v6.6.17
v6.6.18
v6.6.19
v6.6.2
v6.6.20
v6.6.21
v6.6.22
v6.6.23
v6.6.24
v6.6.25
v6.6.26
v6.6.27
v6.6.28
v6.6.29
v6.6.3
v6.6.30
v6.6.31
v6.6.32
v6.6.33
v6.6.34
v6.6.35
v6.6.36
v6.6.37
v6.6.38
v6.6.39
v6.6.4
v6.6.40
v6.6.41
v6.6.42
v6.6.43
v6.6.44
v6.6.45
v6.6.46
v6.6.47
v6.6.48
v6.6.49
v6.6.5
v6.6.50
v6.6.51
v6.6.52
v6.6.53
v6.6.6
v6.6.7
v6.6.8
v6.6.9
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.8
v6.8-rc1
v6.8-rc2
v6.8-rc3
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7

Database specific

vanir_signatures

[
    {
        "signature_version": "v1",
        "target": {
            "file": "drivers/iommu/iommufd/io_pagetable.c"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@cd6dd564ae7d99967ef50078216929418160b30e",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "20461792575963937289392615807260749224",
                "318756276212497883246146576870303894777",
                "335540333259506090333076731579657227332",
                "79928046854349235894209586753168336133",
                "62883309672302375116686621059572197312",
                "111082748219077505253368607795012212352",
                "168562616984397419740839894656310645286"
            ]
        },
        "deprecated": false,
        "id": "CVE-2024-47719-293ad790",
        "signature_type": "Line"
    },
    {
        "signature_version": "v1",
        "target": {
            "function": "iopt_alloc_iova",
            "file": "drivers/iommu/iommufd/io_pagetable.c"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a6e9f9fd14772c0b23c6d1d7002d98f9d27cb1f6",
        "digest": {
            "length": 1049.0,
            "function_hash": "99928484248538344791347498393460680865"
        },
        "deprecated": false,
        "id": "CVE-2024-47719-2c69d796",
        "signature_type": "Function"
    },
    {
        "signature_version": "v1",
        "target": {
            "function": "iopt_alloc_iova",
            "file": "drivers/iommu/iommufd/io_pagetable.c"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8f6887349b2f829a4121c518aeb064fc922714e4",
        "digest": {
            "length": 1049.0,
            "function_hash": "99928484248538344791347498393460680865"
        },
        "deprecated": false,
        "id": "CVE-2024-47719-421c22f1",
        "signature_type": "Function"
    },
    {
        "signature_version": "v1",
        "target": {
            "function": "iopt_alloc_iova",
            "file": "drivers/iommu/iommufd/io_pagetable.c"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@cd6dd564ae7d99967ef50078216929418160b30e",
        "digest": {
            "length": 1049.0,
            "function_hash": "99928484248538344791347498393460680865"
        },
        "deprecated": false,
        "id": "CVE-2024-47719-596dcc3f",
        "signature_type": "Function"
    },
    {
        "signature_version": "v1",
        "target": {
            "file": "drivers/iommu/iommufd/io_pagetable.c"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@a6e9f9fd14772c0b23c6d1d7002d98f9d27cb1f6",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "20461792575963937289392615807260749224",
                "318756276212497883246146576870303894777",
                "335540333259506090333076731579657227332",
                "79928046854349235894209586753168336133",
                "62883309672302375116686621059572197312",
                "111082748219077505253368607795012212352",
                "168562616984397419740839894656310645286"
            ]
        },
        "deprecated": false,
        "id": "CVE-2024-47719-9f775004",
        "signature_type": "Line"
    },
    {
        "signature_version": "v1",
        "target": {
            "function": "iopt_alloc_iova",
            "file": "drivers/iommu/iommufd/io_pagetable.c"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@72b78287ce92802e8ba678181a34b84ae844a112",
        "digest": {
            "length": 1049.0,
            "function_hash": "99928484248538344791347498393460680865"
        },
        "deprecated": false,
        "id": "CVE-2024-47719-a80ab626",
        "signature_type": "Function"
    },
    {
        "signature_version": "v1",
        "target": {
            "file": "drivers/iommu/iommufd/io_pagetable.c"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@72b78287ce92802e8ba678181a34b84ae844a112",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "20461792575963937289392615807260749224",
                "318756276212497883246146576870303894777",
                "335540333259506090333076731579657227332",
                "79928046854349235894209586753168336133",
                "62883309672302375116686621059572197312",
                "111082748219077505253368607795012212352",
                "168562616984397419740839894656310645286"
            ]
        },
        "deprecated": false,
        "id": "CVE-2024-47719-d14b9b29",
        "signature_type": "Line"
    },
    {
        "signature_version": "v1",
        "target": {
            "file": "drivers/iommu/iommufd/io_pagetable.c"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8f6887349b2f829a4121c518aeb064fc922714e4",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "20461792575963937289392615807260749224",
                "318756276212497883246146576870303894777",
                "335540333259506090333076731579657227332",
                "79928046854349235894209586753168336133",
                "62883309672302375116686621059572197312",
                "111082748219077505253368607795012212352",
                "168562616984397419740839894656310645286"
            ]
        },
        "deprecated": false,
        "id": "CVE-2024-47719-f3c664a2",
        "signature_type": "Line"
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.6.54
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.10.13
Type
ECOSYSTEM
Events
Introduced
6.11.0
Fixed
6.11.2