CVE-2024-26786

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-26786
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-26786.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-26786
Downstream
Related
Published
2024-04-04T09:15:08Z
Modified
2025-04-04T14:29:50Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

iommufd: Fix ioptaccesslist_id overwrite bug

Syzkaller reported the following WARNON: WARNING: CPU: 1 PID: 4738 at drivers/iommu/iommufd/iopagetable.c:1360

Call Trace: iommufdaccesschangeioas+0x2fe/0x4e0 iommufdaccessdestroyobject+0x50/0xb0 iommufdobjectremove+0x2a3/0x490 iommufdobjectdestroyuser iommufdaccessdestroy+0x71/0xb0 iommufdteststaccessrelease+0x89/0xd0 _fput+0x272/0xb50 _fputsync+0x4b/0x60 _dosysclose _sesysclose _x64sysclose+0x8b/0x110 dosyscallx64

The mismatch between the access pointer in the list and the passed-in pointer is resulting from an overwrite of access->ioptaccesslistid, in ioptaddaccess(). Called from iommufdaccesschangeioas() when xaalloc() succeeds but ioptcalculateiovaalignment() fails.

Add a newid in ioptaddaccess() and only update ioptaccesslistid when returning successfully.

References

Affected packages

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.7.9-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}