CVE-2024-53214

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 27/12/2024
Last modified: 03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

vfio/pci: Properly hide first-in-list PCIe extended capability

There are cases where a PCIe extended capability should be hidden from
the user. For example, an unknown capability (i.e., capability with ID
greater than PCI_EXT_CAP_ID_MAX) or a capability that is intentionally
chosen to be hidden from the user.

Hiding a capability is done by virtualizing and modifying the 'Next
Capability Offset' field of the previous capability so it points to the
capability after the one that should be hidden.

The special case where the first capability in the list should be hidden
is handled differently because there is no previous capability that can
be modified. In this case, the capability ID and version are zeroed
while leaving the next pointer intact. This hides the capability and
leaves an anchor for the rest of the capability list.

However, today, hiding the first capability in the list is not done
properly if the capability is unknown, as struct
vfio_pci_core_device->pci_config_map is set to the capability ID during
initialization but the capability ID is not properly checked later when
used in vfio_config_do_rw(). This leads to the following warning [1] and
to an out-of-bounds access to ecap_perms array.

Fix it by checking cap_id in vfio_config_do_rw(), and if it is greater
than PCI_EXT_CAP_ID_MAX, use an alternative struct perm_bits for direct
read only access instead of the ecap_perms array.

Note that this is safe since the above is the only case where cap_id can
exceed PCI_EXT_CAP_ID_MAX (except for the special capabilities, which
are already checked before).

[1]

WARNING: CPU: 118 PID: 5329 at drivers/vfio/pci/vfio_pci_config.c:1900 vfio_pci_config_rw+0x395/0x430 [vfio_pci_core]
CPU: 118 UID: 0 PID: 5329 Comm: simx-qemu-syste Not tainted 6.12.0+ #1
(snip)
Call Trace:

? show_regs+0x69/0x80
? __warn+0x8d/0x140
? vfio_pci_config_rw+0x395/0x430 [vfio_pci_core]
? report_bug+0x18f/0x1a0
? handle_bug+0x63/0xa0
? exc_invalid_op+0x19/0x70
? asm_exc_invalid_op+0x1b/0x20
? vfio_pci_config_rw+0x395/0x430 [vfio_pci_core]
? vfio_pci_config_rw+0x244/0x430 [vfio_pci_core]
vfio_pci_rw+0x101/0x1b0 [vfio_pci_core]
vfio_pci_core_read+0x1d/0x30 [vfio_pci_core]
vfio_device_fops_read+0x27/0x40 [vfio]
vfs_read+0xbd/0x340
? vfio_device_fops_unl_ioctl+0xbb/0x740 [vfio]
? __rseq_handle_notify_resume+0xa4/0x4b0
__x64_sys_pread64+0x96/0xc0
x64_sys_call+0x1c3d/0x20d0
do_syscall_64+0x4d/0x120
entry_SYSCALL_64_after_hwframe+0x76/0x7e
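The commit message describes two mechanisms: how a config-space virtualizer hides an extended capability (splice the previous header's Next field, or zero the ID and version of a first-in-list header while keeping its Next pointer as an anchor), and why the fix must re-check the capability ID taken from the per-byte map before using it as an index into ecap_perms. The C model below is an added example written for this page, not kernel code from the vfio driver or the fix itself. It builds a constructed device whose first and third extended capabilities carry unknown IDs, runs the hiding walk, then shows that the anchor's map entry still holds an ID that would index past the end of a table sized PCI_EXT_CAP_ID_MAX + 1, and that the fixed lookup falls back to a read-only permission set instead. The struct and function names (struct vdev, virtualize_ecaps, perms_for_ecap, unchecked_lookup_is_oob), the device layout, the permission struct and the 0x2A value used for PCI_EXT_CAP_ID_MAX are all assumptions of the model; in particular the kernel's treatment of map entries for mid-list hidden capabilities is not reproduced here.

```c
/* Added model of VFIO-style ecap hiding plus the bounds check the fix adds to the
 * perms lookup. Not kernel code: layout, names and the 0x2A value are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CFG_SIZE             4096  /* PCIe config space, bytes */
#define PCI_CFG_SPACE_SIZE   256   /* extended capability list starts here */
#define PCI_EXT_CAP_ID_MAX   0x2A  /* assumed value of the kernel's last known ecap ID */
#define PCI_EXT_CAP_ID_ERR   0x01  /* AER */
#define PCI_EXT_CAP_ID_SRIOV 0x10

/* Ecap header: [15:0] ID, [19:16] version, [31:20] next offset (dword aligned). */
static uint16_t ecap_id(uint32_t h)   { return h & 0xffff; }
static uint8_t  ecap_ver(uint32_t h)  { return (h >> 16) & 0xf; }
static uint16_t ecap_next(uint32_t h) { return (h >> 20) & 0xffc; }
static uint32_t ecap_hdr(uint16_t id, uint8_t ver, uint16_t next)
{ return id | (uint32_t)(ver & 0xf) << 16 | (uint32_t)(next & 0xffc) << 20; }
/* Little-endian dword access into a config-space byte array. */
static uint32_t rd32(const uint8_t *c, uint16_t o)
{ return c[o] | (uint32_t)c[o + 1] << 8 | (uint32_t)c[o + 2] << 16 | (uint32_t)c[o + 3] << 24; }
static void wr32(uint8_t *c, uint16_t o, uint32_t v)
{ c[o] = v; c[o + 1] = v >> 8; c[o + 2] = v >> 16; c[o + 3] = v >> 24; }

struct perm_bits { bool readable, writable; };
/* Indexed by capability ID, so only IDs <= PCI_EXT_CAP_ID_MAX are valid indexes. */
static const struct perm_bits ecap_perms[PCI_EXT_CAP_ID_MAX + 1] = {
    [PCI_EXT_CAP_ID_ERR] = { true, true }, [PCI_EXT_CAP_ID_SRIOV] = { true, true },
};
/* Fallback the fix introduces for an ID outside the table: direct read, no write. */
static const struct perm_bits unknown_ecap_perms = { true, false };
struct vdev {
    uint8_t  vconfig[CFG_SIZE];    /* virtualized config space shown to the user */
    uint16_t config_map[CFG_SIZE]; /* capability ID owning each byte, 0 = none */
};

/* Hide every unknown ecap, following the two cases in the commit message. */
static void virtualize_ecaps(struct vdev *v)
{
    uint16_t epos = PCI_CFG_SPACE_SIZE, prev = 0;
    for (int guard = 0; guard < (CFG_SIZE - PCI_CFG_SPACE_SIZE) / 4; guard++) { /* Next may loop */
        uint32_t hdr = rd32(v->vconfig, epos);
        uint16_t id = ecap_id(hdr), next = ecap_next(hdr);
        if (id > PCI_EXT_CAP_ID_MAX && prev) {
            /* mid-list: previous Next skips this header; its bytes are now unreachable */
            uint32_t ph = rd32(v->vconfig, prev);
            wr32(v->vconfig, prev, ecap_hdr(ecap_id(ph), ecap_ver(ph), next));
        } else {
            if (id > PCI_EXT_CAP_ID_MAX)  /* first in list: zero ID and version, keep Next */
                wr32(v->vconfig, epos, ecap_hdr(0, 0, next));
            for (int i = 0; i < 4; i++)   /* map keeps the real ID, zeroed anchor included */
                v->config_map[epos + i] = id;
            prev = epos;
        }
        if (next < PCI_CFG_SPACE_SIZE)    /* 0 terminates; other values below 0x100 are bogus */
            break;
        epos = next;
    }
}

/* The check the fix adds before indexing ecap_perms with the ID from the map. */
static const struct perm_bits *perms_for_ecap(uint16_t cap_id)
{ return cap_id > PCI_EXT_CAP_ID_MAX ? &unknown_ecap_perms : &ecap_perms[cap_id]; }
/* What the pre-fix code did, stated as a predicate rather than an actual OOB read. */
static bool unchecked_lookup_is_oob(uint16_t cap_id)
{ return cap_id >= sizeof ecap_perms / sizeof ecap_perms[0]; }

/* Walk the virtual list as a guest would and count headers with a nonzero ID. */
static int count_visible_ecaps(const struct vdev *v)
{
    int n = 0;
    for (uint16_t epos = PCI_CFG_SPACE_SIZE, g = 0; epos >= PCI_CFG_SPACE_SIZE && g < 1024; g++) {
        n += ecap_id(rd32(v->vconfig, epos)) != 0;
        epos = ecap_next(rd32(v->vconfig, epos));
    }
    return n;
}

/* Constructed device: unknown ID 0x7f first, AER, unknown ID 0x55 mid-list, SR-IOV. */
static struct vdev *sample_virtualized(void)
{
    static struct vdev v;
    memset(&v, 0, sizeof v);
    wr32(v.vconfig, 0x100, ecap_hdr(0x7f, 1, 0x140));
    wr32(v.vconfig, 0x140, ecap_hdr(PCI_EXT_CAP_ID_ERR, 2, 0x180));
    wr32(v.vconfig, 0x180, ecap_hdr(0x55, 1, 0x1c0));
    wr32(v.vconfig, 0x1c0, ecap_hdr(PCI_EXT_CAP_ID_SRIOV, 1, 0));
    virtualize_ecaps(&v);
    return &v;
}

int main(void)
{
    struct vdev *v = sample_virtualized();
    uint16_t id = v->config_map[0x100];
    printf("anchor 0x%08x, map ID 0x%02x, AER Next 0x%03x, visible %d, unchecked %s, fixed writable %d\n",
           rd32(v->vconfig, 0x100), id, ecap_next(rd32(v->vconfig, 0x140)), count_visible_ecaps(v),
           unchecked_lookup_is_oob(id) ? "OOB" : "ok", perms_for_ecap(id)->writable);
    return 0;
}
```

After the walk, the header at 0x100 reads 0x14000000: ID and version zero, Next still 0x140, so a guest enumerating the list sees only AER and SR-IOV (AER's Next has been spliced from 0x180 to 0x1c0). The map entry for 0x100 still says 0x7f, which is the value the read/write path hands to the permission lookup; without the range check that is a direct index past a 0x2B-entry table, which is the out-of-bounds access the advisory describes. The bounded loops are a caveat worth keeping in any such walker, since a misbehaving or malicious device can present a Next chain that cycles.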

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 3.6 (including) 4.19.325 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 4.20 (including) 5.4.287 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.5 (including) 5.10.231 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.174 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.120 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.64 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.11.11 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.12 (including) 6.12.2 (excluding)