CVE-2024-47719

Severity CVSS v4.0:
Pending analysis
Type:
CWE-787 Out-of-bounds Write
Publication date:
21/10/2024
Last modified:
24/10/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

iommufd: Protect against overflow of ALIGN() during iova allocation

Userspace can supply an iova and uptr such that the target iova alignment
becomes really big and ALIGN() overflows, which corrupts the selected area
range during allocation. CONFIG_IOMMUFD_TEST can detect this:

WARNING: CPU: 1 PID: 5092 at drivers/iommu/iommufd/io_pagetable.c:268 iopt_alloc_area_pages drivers/iommu/iommufd/io_pagetable.c:268 [inline]
WARNING: CPU: 1 PID: 5092 at drivers/iommu/iommufd/io_pagetable.c:268 iopt_map_pages+0xf95/0x1050 drivers/iommu/iommufd/io_pagetable.c:352
Modules linked in:
CPU: 1 PID: 5092 Comm: syz-executor294 Not tainted 6.10.0-rc5-syzkaller-00294-g3ffea9a7a6f7 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/07/2024
RIP: 0010:iopt_alloc_area_pages drivers/iommu/iommufd/io_pagetable.c:268 [inline]
RIP: 0010:iopt_map_pages+0xf95/0x1050 drivers/iommu/iommufd/io_pagetable.c:352
Code: fc e9 a4 f3 ff ff e8 1a 8b 4c fc 41 be e4 ff ff ff e9 8a f3 ff ff e8 0a 8b 4c fc 90 0f 0b 90 e9 37 f5 ff ff e8 fc 8a 4c fc 90 0b 90 e9 68 f3 ff ff 48 c7 c1 ec 82 ad 8f 80 e1 07 80 c1 03 38
RSP: 0018:ffffc90003ebf9e0 EFLAGS: 00010293
RAX: ffffffff85499fa4 RBX: 00000000ffffffef RCX: ffff888079b49e00
RDX: 0000000000000000 RSI: 00000000ffffffef RDI: 0000000000000000
RBP: ffffc90003ebfc50 R08: ffffffff85499b30 R09: ffffffff85499942
R10: 0000000000000002 R11: ffff888079b49e00 R12: ffff8880228e0010
R13: 0000000000000000 R14: 1ffff920007d7f68 R15: ffffc90003ebfd00
FS: 000055557d760380(0000) GS:ffff8880b9500000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000005fdeb8 CR3: 000000007404a000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:

iommufd_ioas_copy+0x610/0x7b0 drivers/iommu/iommufd/ioas.c:274
iommufd_fops_ioctl+0x4d9/0x5a0 drivers/iommu/iommufd/main.c:421
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f

Cap the automatic alignment to the huge page size, which is probably a
better idea overall. Huge automatic alignments can fragment and chew up
the available IOVA space without any reason.
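The arithmetic behind the bug, as an added user-space model that is not the kernel's code: ALIGN_UP() has the same shape as the kernel's ALIGN() (add alignment minus one, then mask), so when the alignment derived from a user-controlled address is enormous the addition wraps past UINT64_MAX and the "rounded up" result lands below the requested start. The unhardened function shows that wrap; the hardened one applies the fix's idea of capping the alignment at the huge page size and additionally refuses any rounding that would wrap. The way the alignment is derived (lowest set bit of the address), the 4 KiB page size and the 2 MiB huge-page cap are assumptions of this example, not values taken from the kernel or the advisory.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Same shape as the kernel's ALIGN(): round x up to a multiple of the
 * power-of-two a.  The addition x + (a - 1) wraps when it exceeds UINT64_MAX,
 * which is the defect the advisory describes: the "rounded up" value lands
 * below x and the selected range is corrupted.
 */
#define ALIGN_UP(x, a) (((x) + ((a) - 1)) & ~((a) - 1))

#define PAGE_SIZE_ASSUMED    ((uint64_t)1 << 12)  /* 4 KiB, assumed for this model */
/* Constructed stand-in for "the huge page size" named in the fix; 2 MiB assumed. */
#define HUGE_PAGE_ALIGN_CAP  ((uint64_t)1 << 21)

struct align_result {
	bool ok;          /* false: rounding wrapped or was rejected */
	uint64_t value;   /* aligned start when ok is true */
};

/*
 * Modelled derivation of an alignment from a user-supplied address: its
 * natural alignment is its lowest set bit, so an address whose only set bit
 * is a high one yields an enormous alignment.  (Assumption for this example;
 * the kernel's exact derivation is not reproduced here.)
 */
static uint64_t natural_alignment(uint64_t addr)
{
	if (addr == 0)
		return PAGE_SIZE_ASSUMED;
	return addr & (~addr + 1);
}

/* Unhardened: trust the derived alignment and apply ALIGN_UP() blindly. */
static struct align_result align_unhardened(uint64_t start, uint64_t uptr)
{
	uint64_t alignment = natural_alignment(uptr);
	struct align_result r;

	r.value = ALIGN_UP(start, alignment);
	r.ok = r.value >= start;   /* a result below start means the add wrapped */
	return r;
}

/* Hardened: cap the alignment and refuse any rounding that would wrap. */
static struct align_result align_hardened(uint64_t start, uint64_t uptr)
{
	uint64_t alignment = natural_alignment(uptr);
	struct align_result r = { false, 0 };

	if (alignment > HUGE_PAGE_ALIGN_CAP)
		alignment = HUGE_PAGE_ALIGN_CAP;
	/* Overflow check that never performs the wrapping addition itself. */
	if (start > UINT64_MAX - (alignment - 1))
		return r;
	r.value = ALIGN_UP(start, alignment);
	r.ok = true;
	return r;
}

int main(void)
{
	/* Constructed inputs: a start above 2^63 and a uptr whose only set bit is bit 63. */
	uint64_t start = 0x8000000000001000ULL;
	uint64_t uptr = 1ULL << 63;
	struct align_result a = align_unhardened(start, uptr);
	struct align_result b = align_hardened(start, uptr);

	printf("unhardened: ok=%d value=0x%016llx\n", a.ok, (unsigned long long)a.value);
	printf("hardened:   ok=%d value=0x%016llx\n", b.ok, (unsigned long long)b.value);
	return 0;
}
```

With the constructed inputs the unhardened path produces 0 for a start of 0x8000000000001000, the signature of the wrap, whereas the hardened path caps the alignment to 2 MiB and returns 0x8000000000200000. The explicit "start > UINT64_MAX - (alignment - 1)" test is what a reviewer should look for near any ALIGN()-style rounding of values that userspace influences; the cap alone removes the overflow only because it bounds the alignment, and also stops a single allocation from fragmenting the IOVA space, which the commit message names as the second reason for it.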

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.54 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.10.13 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.11 (including) 6.11.2 (excluding)