In the Linux kernel, the following vulnerability has been resolved: iommufd: Fix ioptaccesslistid overwrite bug Syzkaller reported the following WARNON: WARNING: CPU: 1 PID: 4738 at drivers/iommu/iommufd/iopagetable.c:1360 Call Trace: iommufdaccesschangeioas+0x2fe/0x4e0 iommufdaccessdestroyobject+0x50/0xb0 iommufdobjectremove+0x2a3/0x490 iommufdobjectdestroyuser iommufdaccessdestroy+0x71/0xb0 iommufdteststaccessrelease+0x89/0xd0 _fput+0x272/0xb50 _fputsync+0x4b/0x60 _dosysclose _sesysclose _x64sysclose+0x8b/0x110 dosyscallx64 The mismatch between the access pointer in the list and the passed-in pointer is resulting from an overwrite of access->ioptaccesslistid, in ioptaddaccess(). Called from iommufdaccesschangeioas() when xaalloc() succeeds but ioptcalculateiovaalignment() fails. Add a newid in ioptaddaccess() and only update ioptaccesslist_id when returning successfully.
{ "binaries": [ { "binary_name": "linux-buildinfo-6.8.0-2002-raspi-realtime", "binary_version": "6.8.0-2002.2" }, { "binary_name": "linux-headers-6.8.0-2002-raspi-realtime", "binary_version": "6.8.0-2002.2" }, { "binary_name": "linux-image-6.8.0-2002-raspi-realtime", "binary_version": "6.8.0-2002.2" }, { "binary_name": "linux-image-6.8.0-2002-raspi-realtime-dbgsym", "binary_version": "6.8.0-2002.2" }, { "binary_name": "linux-modules-6.8.0-2002-raspi-realtime", "binary_version": "6.8.0-2002.2" }, { "binary_name": "linux-raspi-realtime-headers-6.8.0-2002", "binary_version": "6.8.0-2002.2" }, { "binary_name": "linux-raspi-realtime-tools-6.8.0-2002", "binary_version": "6.8.0-2002.2" }, { "binary_name": "linux-tools-6.8.0-2002-raspi-realtime", "binary_version": "6.8.0-2002.2" } ], "availability": "Available with Ubuntu Pro: https://ubuntu.com/pro" }