In the Linux kernel, the following vulnerability has been resolved:
virtio: packed: fix unmap leak for indirect desc table
When usedmaapi and premapped are true, then the do_unmap is false.
Because the dounmap is false, vringunmapextrapacked is not called by detachbufpacked.
if (unlikely(vq->dounmap)) { curr = id; for (i = 0; i < state->num; i++) { vringunmapextrapacked(vq, &vq->packed.descextra[curr]); curr = vq->packed.descextra[curr].next; } }
So the indirect desc table is not unmapped. This causes the unmap leak.
So here, we check vq->usedmaapi instead. Synchronously, dma info is updated based on usedmaapi judgment
This bug does not occur, because no driver use the premapped with indirect.
{ "vanir_signatures": [ { "signature_version": "v1", "signature_type": "Function", "target": { "file": "drivers/virtio/virtio_ring.c", "function": "virtqueue_add_indirect_packed" }, "id": "CVE-2024-27066-01488c7d", "digest": { "length": 2684.0, "function_hash": "71829946791448367090746279378187527795" }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@51bacd9d29bf98c3ebc65e4a0477bb86306b4140" }, { "signature_version": "v1", "signature_type": "Function", "target": { "file": "drivers/virtio/virtio_ring.c", "function": "virtqueue_add_indirect_packed" }, "id": "CVE-2024-27066-0b945a98", "digest": { "length": 2684.0, "function_hash": "71829946791448367090746279378187527795" }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d5c0ed17fea60cca9bc3bf1278b49ba79242bbcd" }, { "signature_version": "v1", "signature_type": "Line", "target": { "file": "drivers/virtio/virtio_ring.c" }, "id": "CVE-2024-27066-1844d98a", "digest": { "line_hashes": [ "339596633029749655932058025881675999130", "17203958994190351722313077617563855415", "285583612751536254068160691787444730861", "334745877579348348367438895779716618478", "268378609346611359885301091376258517436", "277441548818140065125347502481147972544", "223944282765193062518697613519352444945", "150474774105695447911702629202024039428", "329688931314770791425706417645133332093", "329785554173428548153484240107863021655", "263788721602803074223913631750859477605", "52045156199426326465155419819530653745" ], "threshold": 0.9 }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d5c0ed17fea60cca9bc3bf1278b49ba79242bbcd" }, { "signature_version": "v1", "signature_type": "Function", "target": { "file": "drivers/virtio/virtio_ring.c", "function": "detach_buf_packed" }, "id": "CVE-2024-27066-22bb012d", "digest": { "length": 942.0, "function_hash": "261567477688692479740052905378930828421" }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e142169aca5546ae6619c39a575cda8105362100" }, { "signature_version": "v1", "signature_type": "Function", "target": { "file": "drivers/virtio/virtio_ring.c", "function": "virtqueue_add_packed" }, "id": "CVE-2024-27066-282e766c", "digest": { "length": 3119.0, "function_hash": "88847965938049743274555965940710532401" }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e142169aca5546ae6619c39a575cda8105362100" }, { "signature_version": "v1", "signature_type": "Line", "target": { "file": "drivers/virtio/virtio_ring.c" }, "id": "CVE-2024-27066-6ae82468", "digest": { "line_hashes": [ "339596633029749655932058025881675999130", "17203958994190351722313077617563855415", "285583612751536254068160691787444730861", "334745877579348348367438895779716618478", "268378609346611359885301091376258517436", "277441548818140065125347502481147972544", "223944282765193062518697613519352444945", "150474774105695447911702629202024039428", "329688931314770791425706417645133332093", "329785554173428548153484240107863021655", "263788721602803074223913631750859477605", "52045156199426326465155419819530653745" ], "threshold": 0.9 }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@51bacd9d29bf98c3ebc65e4a0477bb86306b4140" }, { "signature_version": "v1", "signature_type": "Function", "target": { "file": "drivers/virtio/virtio_ring.c", "function": "virtqueue_add_packed" }, "id": "CVE-2024-27066-6b87066e", "digest": { "length": 3119.0, "function_hash": "88847965938049743274555965940710532401" }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d5c0ed17fea60cca9bc3bf1278b49ba79242bbcd" }, { "signature_version": "v1", "signature_type": "Function", "target": { "file": "drivers/virtio/virtio_ring.c", "function": "virtqueue_add_packed" }, "id": "CVE-2024-27066-8cd0f11b", "digest": { "length": 3119.0, "function_hash": "88847965938049743274555965940710532401" }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@51bacd9d29bf98c3ebc65e4a0477bb86306b4140" }, { "signature_version": "v1", "signature_type": "Function", "target": { "file": "drivers/virtio/virtio_ring.c", "function": "detach_buf_packed" }, "id": "CVE-2024-27066-92284701", "digest": { "length": 942.0, "function_hash": "261567477688692479740052905378930828421" }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@51bacd9d29bf98c3ebc65e4a0477bb86306b4140" }, { "signature_version": "v1", "signature_type": "Function", "target": { "file": "drivers/virtio/virtio_ring.c", "function": "detach_buf_packed" }, "id": "CVE-2024-27066-9b149c63", "digest": { "length": 942.0, "function_hash": "261567477688692479740052905378930828421" }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d5c0ed17fea60cca9bc3bf1278b49ba79242bbcd" }, { "signature_version": "v1", "signature_type": "Line", "target": { "file": "drivers/virtio/virtio_ring.c" }, "id": "CVE-2024-27066-bd13a0df", "digest": { "line_hashes": [ "339596633029749655932058025881675999130", "17203958994190351722313077617563855415", "285583612751536254068160691787444730861", "334745877579348348367438895779716618478", "268378609346611359885301091376258517436", "277441548818140065125347502481147972544", "223944282765193062518697613519352444945", "150474774105695447911702629202024039428", "329688931314770791425706417645133332093", "329785554173428548153484240107863021655", "263788721602803074223913631750859477605", "52045156199426326465155419819530653745" ], "threshold": 0.9 }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e142169aca5546ae6619c39a575cda8105362100" }, { "signature_version": "v1", "signature_type": "Function", "target": { "file": "drivers/virtio/virtio_ring.c", "function": "virtqueue_add_indirect_packed" }, "id": "CVE-2024-27066-d4bbafd7", "digest": { "length": 2684.0, "function_hash": "71829946791448367090746279378187527795" }, "deprecated": false, "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@e142169aca5546ae6619c39a575cda8105362100" } ] }