CVE-2024-47748

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-47748
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-47748.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-47748
Published
2024-10-21T13:15:04Z
Modified
2025-08-09T20:01:27Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

vhost_vdpa: assign irq bypass producer token correctly

We used to call irq_bypass_unregister_producer() in vhost_vdpa_setup_vq_irq() which is problematic as we don't know if the token pointer is still valid or not.

Actually, we use the eventfd_ctx as the token so the life cycle of the token should be bound to the VHOST_SET_VRING_CALL instead of vhost_vdpa_setup_vq_irq() which could be called by set_status().

Fixing this by setting up irq bypass producer's token when handling VHOST_SET_VRING_CALL and un-registering the producer before calling vhost_vring_ioctl() to prevent a possible use after free as eventfd could have been released in vhost_vring_ioctl(). And such registering and unregistering will only be done if DRIVER_OK is set.
