CVE-2025-38062

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 18/06/2025
Last modified: 18/12/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

genirq/msi: Store the IOMMU IOVA directly in msi_desc instead of iommu_cookie

The IOMMU translation for MSI message addresses has been a 2-step process, separated in time:

1) iommu_dma_prepare_msi(): A cookie pointer containing the IOVA address is stored in the MSI descriptor when an MSI interrupt is allocated.

2) iommu_dma_compose_msi_msg(): this cookie pointer is used to compute a translated message address.

This has an inherent lifetime problem for the pointer stored in the cookie that must remain valid between the two steps. However, there is no locking at the irq layer that helps protect the lifetime. Today, this works under the assumption that the iommu domain is not changed while MSI interrupts are being programmed. This is true for normal DMA API users within the kernel, as the iommu domain is attached before the driver is probed and cannot be changed while a driver is attached.

Classic VFIO type1 also prevented changing the iommu domain while VFIO was running as it does not support changing the "container" after starting up.

However, iommufd has improved this so that the iommu domain can be changed during VFIO operation. This potentially allows userspace to directly race VFIO_DEVICE_ATTACH_IOMMUFD_PT (which calls iommu_attach_group()) and VFIO_DEVICE_SET_IRQS (which calls into iommu_dma_compose_msi_msg()).

This potentially causes both the cookie pointer and the unlocked call to iommu_get_domain_for_dev() on the MSI translation path to become UAFs.

Fix the MSI cookie UAF by removing the cookie pointer. The translated IOVA address is already known during iommu_dma_prepare_msi() and cannot change. Thus, it can simply be stored as an integer in the MSI descriptor.

The other UAF related to iommu_get_domain_for_dev() will be addressed in patch "iommu: Make iommu_dma_prepare_msi() into a generic operation" by using the IOMMU group mutex.

Vulnerable products and versions

CPE                                               From              Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      5.2 (including)   6.1.141 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.2 (including)   6.6.93 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.7 (including)   6.12.31 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.13 (including)  6.14.9 (excluding)
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*  -                 -