CVE-2024-53214

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2024-53214
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-53214.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-53214
Downstream
Related
Published
2024-12-27T13:49:59.555Z
Modified
2026-03-11T07:49:48.129746Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
vfio/pci: Properly hide first-in-list PCIe extended capability
Details

In the Linux kernel, the following vulnerability has been resolved:

vfio/pci: Properly hide first-in-list PCIe extended capability

There are cases where a PCIe extended capability should be hidden from the user. For example, an unknown capability (i.e., capability with ID greater than PCIEXTCAPIDMAX) or a capability that is intentionally chosen to be hidden from the user.

Hiding a capability is done by virtualizing and modifying the 'Next Capability Offset' field of the previous capability so it points to the capability after the one that should be hidden.

The special case where the first capability in the list should be hidden is handled differently because there is no previous capability that can be modified. In this case, the capability ID and version are zeroed while leaving the next pointer intact. This hides the capability and leaves an anchor for the rest of the capability list.

However, today, hiding the first capability in the list is not done properly if the capability is unknown, as struct vfiopcicoredevice->pciconfigmap is set to the capability ID during initialization but the capability ID is not properly checked later when used in vfioconfigdorw(). This leads to the following warning [1] and to an out-of-bounds access to ecap_perms array.

Fix it by checking capid in vfioconfigdorw(), and if it is greater than PCIEXTCAPIDMAX, use an alternative struct permbits for direct read only access instead of the ecapperms array.

Note that this is safe since the above is the only case where capid can exceed PCIEXTCAPID_MAX (except for the special capabilities, which are already checked before).

[1]

WARNING: CPU: 118 PID: 5329 at drivers/vfio/pci/vfiopciconfig.c:1900 vfiopciconfigrw+0x395/0x430 [vfiopcicore] CPU: 118 UID: 0 PID: 5329 Comm: simx-qemu-syste Not tainted 6.12.0+ #1 (snip) Call Trace: <TASK> ? showregs+0x69/0x80 ? __warn+0x8d/0x140 ? vfiopciconfig_rw+0x395/0x430 [vfiopcicore] ? reportbug+0x18f/0x1a0 ? handlebug+0x63/0xa0 ? excinvalidop+0x19/0x70 ? asmexcinvalidop+0x1b/0x20 ? vfiopciconfigrw+0x395/0x430 [vfiopcicore] ? vfiopciconfigrw+0x244/0x430 [vfiopcicore] vfiopcirw+0x101/0x1b0 [vfiopcicore] vfiopcicoreread+0x1d/0x30 [vfiopcicore] vfiodevicefopsread+0x27/0x40 [vfio] vfsread+0xbd/0x340 ? vfiodevicefopsunlioctl+0xbb/0x740 [vfio] ? __rseqhandlenotify_resume+0xa4/0x4b0 __x64syspread64+0x96/0xc0 x64syscall+0x1c3d/0x20d0 dosyscall64+0x4d/0x120 entrySYSCALL64afterhwframe+0x76/0x7e

Database specific 
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/53xxx/CVE-2024-53214.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
89e1f7d4c66d85f42c3d52ea3866eb10cadf6153
Fixed
4464e5aa3aa4574063640f1082f7d7e323af8eb4
Fixed
7d121f66b67921fb3b95e0ea9856bfba53733e91
Fixed
0918f5643fc6c3f7801f4a22397d2cc09ba99207
Fixed
9567bd34aa3b986736c290c5bcba47e0182ac47a
Fixed
6c6502d944168cbd7e03a4a08ad6488f78d73485
Fixed
06f2fcf49854ad05a09d09e0dbee6544fff04695
Fixed
949bee8065a85a5c6607c624dc05b5bc17119699
Fixed
1ef195178fb552478eb2587df4ad3be14ef76507
Fixed
fe4bf8d0b6716a423b16495d55b35d3fe515905d

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-53214.json"