In the Linux kernel, the following vulnerability has been resolved:
iommufd: Fix protection fault in iommufd_test_syz_conv_iova

Syzkaller reported the following bug:

general protection fault, probably for non-canonical address 0xdffffc0000000038: 0000 [#1] SMP KASAN
KASAN: null-ptr-deref in range [0x00000000000001c0-0x00000000000001c7]
Call Trace:
 lock_acquire
 lock_acquire+0x1ce/0x4f0
 down_read+0x93/0x4a0
 iommufd_test_syz_conv_iova+0x56/0x1f0
 iommufd_test_access_rw.isra.0+0x2ec/0x390
 iommufd_test+0x1058/0x1e30
 iommufd_fops_ioctl+0x381/0x510
 vfs_ioctl
 __do_sys_ioctl
 __se_sys_ioctl
 __x64_sys_ioctl+0x170/0x1e0
 do_syscall_x64
 do_syscall_64+0x71/0x140

This is because the new iommufd_access_change_ioas() sets access->ioas to NULL during its process, so the lock might be gone in a concurrent racing context.

Fix this by doing the same access->ioas sanity as iommufd_access_rw() and iommufd_access_pin_pages() functions do.
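The check the commit describes, modelled in user-space C as an added example (this is not the kernel's code and not part of the commit): a caller that dereferences access->ioas without first taking access->ioas_lock and testing for NULL races with a change_ioas() that clears the pointer mid-way, which is the null-ptr-deref at ioas + 0x1c0 (the iova_rwsem) in the trace. Struct names mirror the kernel's, but the types, the lock flags, the two-step change_ioas() and the iova lookup are simplified stand-ins and are assumptions of this example.

```c
/*
 * User-space model of the access->ioas sanity check the fix adds. Added
 * example, not kernel code: names mirror iommufd, but the lock "flags",
 * the two-step change_ioas() and the iova lookup are simplified assumptions.
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct iopt_area { uint64_t iova; uint64_t length; };

/* Stand-in for struct io_pagetable: the faulting down_read() took iova_rwsem here. */
struct io_pagetable {
    int iova_rwsem;                /* 1 while read-held (models down_read) */
    struct iopt_area areas[4];     /* mapped ranges; the kernel uses an interval tree */
    size_t nareas;
};

struct iommufd_ioas { struct io_pagetable iopt; };

/* Stand-in for struct iommufd_access. */
struct iommufd_access {
    struct iommufd_ioas *ioas;     /* NULL while detached or mid-change */
    int ioas_lock;                 /* models access->ioas_lock (a mutex) */
};

/* Map a syzkaller-supplied index onto an IOVA inside a mapped area.
 * Simplified lookup (assumption): area chosen by index, offset by its length. */
static int conv_iova_locked(struct io_pagetable *iopt, uint64_t syz_iova, uint64_t *out)
{
    if (iopt->nareas == 0)
        return -ENOENT;
    iopt->iova_rwsem = 1;          /* down_read(&iopt->iova_rwsem) */
    const struct iopt_area *a = &iopt->areas[syz_iova % iopt->nareas];
    *out = a->iova + (syz_iova % a->length);
    iopt->iova_rwsem = 0;          /* up_read(&iopt->iova_rwsem) */
    return 0;
}

/* Unfixed shape: dereferences access->ioas with no check. With ioas == NULL
 * this is the NULL + offsetof(iova_rwsem) read in the report. Attached only. */
static int syz_conv_iova_unfixed(struct iommufd_access *access, uint64_t syz_iova, uint64_t *out)
{
    return conv_iova_locked(&access->ioas->iopt, syz_iova, out);
}

/* Fixed shape, the same sanity as iommufd_access_rw()/iommufd_access_pin_pages():
 * take access->ioas_lock, return -ENOENT if nothing is attached, and hold the
 * lock across the dereference so a concurrent change cannot clear it underneath. */
static int syz_conv_iova_fixed(struct iommufd_access *access, uint64_t syz_iova, uint64_t *out)
{
    int rc;
    access->ioas_lock = 1;         /* mutex_lock(&access->ioas_lock) */
    if (!access->ioas) {
        access->ioas_lock = 0;
        return -ENOENT;
    }
    rc = conv_iova_locked(&access->ioas->iopt, syz_iova, out);
    access->ioas_lock = 0;         /* mutex_unlock(&access->ioas_lock) */
    return rc;
}

/* Two-step model of iommufd_access_change_ioas(): clear the pointer under the
 * lock, drop the lock while the old mapping is torn down, then install the new
 * IOAS. Between the steps a racing caller sees ioas == NULL. */
static void change_ioas_begin(struct iommufd_access *access)
{
    access->ioas_lock = 1;
    access->ioas = NULL;
    access->ioas_lock = 0;         /* dropped for the teardown window */
}
static void change_ioas_end(struct iommufd_access *access, struct iommufd_ioas *new_ioas)
{
    access->ioas_lock = 1;
    access->ioas = new_ioas;
    access->ioas_lock = 0;
}

/* Constructed sample IOASes (not real data): old has two areas, new has one. */
static struct iommufd_ioas old_ioas = {
    .iopt = { .areas = { {0x10000, 0x1000}, {0x40000, 0x2000} }, .nareas = 2 },
};
static struct iommufd_ioas new_ioas = {
    .iopt = { .areas = { {0x80000, 0x4000} }, .nareas = 1 },
};

/* Drive attached -> mid-change -> re-attached with the fixed path. Returns the
 * rc of the mid-change call (-ENOENT, not a fault) and the IOVAs before/after. */
static int run_sequence(uint64_t syz_iova, uint64_t *before, uint64_t *after)
{
    struct iommufd_access access = { .ioas = &old_ioas };
    int mid;
    if (syz_conv_iova_fixed(&access, syz_iova, before))
        return -EIO;               /* attached call must succeed */
    change_ioas_begin(&access);
    mid = syz_conv_iova_fixed(&access, syz_iova, after);   /* unfixed path would fault here */
    change_ioas_end(&access, &new_ioas);
    if (syz_conv_iova_fixed(&access, syz_iova, after))
        return -EIO;
    return mid;
}

int main(void)
{
    uint64_t before = 0, after = 0;
    int mid = run_sequence(5, &before, &after);
    printf("before=0x%llx mid=%d after=0x%llx\n",
           (unsigned long long)before, mid, (unsigned long long)after);
    return 0;
}
```

The point worth keeping from the model is the ordering: the NULL test only helps if it is done under the same lock that change_ioas() holds when it clears the pointer, and the lock must stay held until the dereference is finished; a check done before taking the lock, or one that drops the lock before using the pointer, still leaves the window the syzkaller report hit.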
[
{
"id": "CVE-2024-26785-19adca1d",
"target": {
"file": "drivers/iommu/iommufd/selftest.c",
"function": "iommufd_test_access_rw"
},
"digest": {
"length": 1083.0,
"function_hash": "248854644103100090693516714513536577103"
},
"deprecated": false,
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@fc719ecbca45c9c046640d72baddba3d83e0bc0b",
"signature_version": "v1"
},
{
"id": "CVE-2024-26785-6359b458",
"target": {
"file": "drivers/iommu/iommufd/selftest.c",
"function": "iommufd_test_access_pages"
},
"digest": {
"length": 1794.0,
"function_hash": "126873958058199626155082142599009442715"
},
"deprecated": false,
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@cf7c2789822db8b5efa34f5ebcf1621bc0008d48",
"signature_version": "v1"
},
{
"id": "CVE-2024-26785-9c178952",
"target": {
"file": "drivers/iommu/iommufd/selftest.c",
"function": "iommufd_test_access_rw"
},
"digest": {
"length": 1083.0,
"function_hash": "248854644103100090693516714513536577103"
},
"deprecated": false,
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@cf7c2789822db8b5efa34f5ebcf1621bc0008d48",
"signature_version": "v1"
},
{
"id": "CVE-2024-26785-dc34bbf6",
"target": {
"file": "drivers/iommu/iommufd/selftest.c",
"function": "iommufd_test_access_pages"
},
"digest": {
"length": 1794.0,
"function_hash": "126873958058199626155082142599009442715"
},
"deprecated": false,
"signature_type": "Function",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@fc719ecbca45c9c046640d72baddba3d83e0bc0b",
"signature_version": "v1"
},
{
"id": "CVE-2024-26785-e0e1400e",
"target": {
"file": "drivers/iommu/iommufd/selftest.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"217894223453245544759735507713874591989",
"191798386565841353515903703180200163753",
"35281551687931064226362216513748017585",
"292819067564478494808887867681717302554",
"176704053273436052764576504083936532067",
"155397216251588208193060338843964609698",
"313415571512576482711564220041936210353",
"215203581023419266107091083826769533074",
"251205288549217504186441528637931596094",
"304072395486281866954322381786526317850",
"317200680528728597378459079534482556552",
"330736731523893493013130435801216311154",
"290509034002583076749754874444192053233",
"51522439852416065220355967063869422166",
"135079778916983389724061008369954905950",
"287789835687853623979368679429222487037",
"148048508668845948136130750451806922296",
"329728131453576127751923359505190049201",
"62238947410445072885894092637613990039",
"174405657453722159692216417186015765990",
"239515543257102670514444092557677216487"
]
},
"deprecated": false,
"signature_type": "Line",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@fc719ecbca45c9c046640d72baddba3d83e0bc0b",
"signature_version": "v1"
},
{
"id": "CVE-2024-26785-e6c7d099",
"target": {
"file": "drivers/iommu/iommufd/selftest.c"
},
"digest": {
"threshold": 0.9,
"line_hashes": [
"222251624975466905707577170343441565220",
"58396642170681062503897464319707667527",
"35281551687931064226362216513748017585",
"292819067564478494808887867681717302554",
"176704053273436052764576504083936532067",
"155397216251588208193060338843964609698",
"313415571512576482711564220041936210353",
"215203581023419266107091083826769533074",
"251205288549217504186441528637931596094",
"304072395486281866954322381786526317850",
"317200680528728597378459079534482556552",
"330736731523893493013130435801216311154",
"290509034002583076749754874444192053233",
"51522439852416065220355967063869422166",
"135079778916983389724061008369954905950",
"287789835687853623979368679429222487037",
"148048508668845948136130750451806922296",
"329728131453576127751923359505190049201",
"62238947410445072885894092637613990039",
"174405657453722159692216417186015765990",
"239515543257102670514444092557677216487"
]
},
"deprecated": false,
"signature_type": "Line",
"source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@cf7c2789822db8b5efa34f5ebcf1621bc0008d48",
"signature_version": "v1"
}
]