In the Linux kernel, the following vulnerability has been resolved:
iommu/vt-d: Fix NULL domain on device release
In the kdump kernel, the IOMMU operates in deferred_attach mode. In this mode, info->domain may not yet be assigned by the time the release_device function is called. This leads to the following NULL pointer dereference in the crash kernel:
BUG: kernel NULL pointer dereference, address: 000000000000003c
...
RIP: 0010:do_raw_spin_lock+0xa/0xa0
...
_raw_spin_lock_irqsave+0x1b/0x30
intel_iommu_release_device+0x96/0x170
iommu_deinit_device+0x39/0xf0
__iommu_group_remove_device+0xa0/0xd0
iommu_bus_notifier+0x55/0xb0
notifier_call_chain+0x5a/0xd0
blocking_notifier_call_chain+0x41/0x60
bus_notify+0x34/0x50
device_del+0x269/0x3d0
pci_remove_bus_device+0x77/0x100
p2sb_bar+0xae/0x1d0
...
i801_probe+0x423/0x740
Use the release_domain mechanism to fix it. The scalable-mode context entry, which is not part of the release domain, should be cleared in release_device().
{ "vanir_signatures": [ { "digest": { "line_hashes": [ "109905745650503005011437352740630819585", "115378521003175910169804421869492732167" ], "threshold": 0.9 }, "target": { "file": "drivers/iommu/intel/pasid.h" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@333fe86968482ca701c609af590003bcea450e8f", "deprecated": false, "signature_version": "v1", "id": "CVE-2024-27079-24ec5d5a" }, { "digest": { "length": 300.0, "function_hash": "168368724165870038591144822325250205861" }, "target": { "function": "intel_iommu_release_device", "file": "drivers/iommu/intel/iommu.c" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@333fe86968482ca701c609af590003bcea450e8f", "deprecated": false, "signature_version": "v1", "id": "CVE-2024-27079-39a913d5" }, { "digest": { "line_hashes": [ "109905745650503005011437352740630819585", "115378521003175910169804421869492732167" ], "threshold": 0.9 }, "target": { "file": "drivers/iommu/intel/pasid.h" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@81e921fd321614c2ad8ac333b041aae1da7a1c6d", "deprecated": false, "signature_version": "v1", "id": "CVE-2024-27079-3ef2664d" }, { "digest": { "length": 486.0, "function_hash": "166921351483125215780213110906486416744" }, "target": { "function": "dmar_remove_one_dev_info", "file": "drivers/iommu/intel/iommu.c" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@333fe86968482ca701c609af590003bcea450e8f", "deprecated": false, "signature_version": "v1", "id": "CVE-2024-27079-40fc3039" }, { "digest": { "length": 486.0, "function_hash": "166921351483125215780213110906486416744" }, "target": { "function": "dmar_remove_one_dev_info", "file": "drivers/iommu/intel/iommu.c" }, "signature_type": "Function", "source": 
"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@81e921fd321614c2ad8ac333b041aae1da7a1c6d", "deprecated": false, "signature_version": "v1", "id": "CVE-2024-27079-5d02f08c" }, { "digest": { "line_hashes": [ "258003924375447936104902840834628711056", "316019868164136737682661457215958951111", "31031858597502853687492394208285169936", "298397555902274242835422422658078069997", "303406196764576901343676045388230237769", "336777163534233046133118580042036375795", "175129542147005498756293707100267881806", "45777267234028833096718557887973884144", "278790272031912691774303260081257593512", "336292218607981001553830798500532047899", "57574207511183615643788157338063817125", "71011495246995741345937812684242360414", "240461547232713002542399857163917960169", "217328116450449464707848869900931572709", "79335723020912106534298262935109171908", "319027715667028307493889489403545088366", "191108563059758201249184246122026130954", "26534449862448171815858275604312696095", "208279165468958133672197427800438872646", "3773282542206790530965534116566049970", "215672110207196291016399026684744457337", "332147859228900999763240136520784672840", "188542213316043000222675281213146753450", "248450954230928106844887126282580856381", "240167386542172690884346425556421756348", "135241122126681326415348032184166138720", "334737824855577396771418341593200537156", "309251195208103262669346679484201882517", "96614214235897478928897235544925641882", "111727034308363532424601253076700907267" ], "threshold": 0.9 }, "target": { "file": "drivers/iommu/intel/iommu.c" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@333fe86968482ca701c609af590003bcea450e8f", "deprecated": false, "signature_version": "v1", "id": "CVE-2024-27079-74a2aa3b" }, { "digest": { "line_hashes": [ "258003924375447936104902840834628711056", "316019868164136737682661457215958951111", "31031858597502853687492394208285169936", 
"298397555902274242835422422658078069997", "303406196764576901343676045388230237769", "336777163534233046133118580042036375795", "175129542147005498756293707100267881806", "45777267234028833096718557887973884144", "278790272031912691774303260081257593512", "336292218607981001553830798500532047899", "57574207511183615643788157338063817125", "71011495246995741345937812684242360414", "240461547232713002542399857163917960169", "217328116450449464707848869900931572709", "79335723020912106534298262935109171908", "319027715667028307493889489403545088366", "191108563059758201249184246122026130954", "26534449862448171815858275604312696095", "208279165468958133672197427800438872646", "3773282542206790530965534116566049970", "215672110207196291016399026684744457337", "332147859228900999763240136520784672840", "188542213316043000222675281213146753450", "248450954230928106844887126282580856381", "240167386542172690884346425556421756348", "135241122126681326415348032184166138720", "334737824855577396771418341593200537156", "309251195208103262669346679484201882517", "96614214235897478928897235544925641882", "111727034308363532424601253076700907267" ], "threshold": 0.9 }, "target": { "file": "drivers/iommu/intel/iommu.c" }, "signature_type": "Line", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@81e921fd321614c2ad8ac333b041aae1da7a1c6d", "deprecated": false, "signature_version": "v1", "id": "CVE-2024-27079-d97a075e" }, { "digest": { "length": 300.0, "function_hash": "168368724165870038591144822325250205861" }, "target": { "function": "intel_iommu_release_device", "file": "drivers/iommu/intel/iommu.c" }, "signature_type": "Function", "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@81e921fd321614c2ad8ac333b041aae1da7a1c6d", "deprecated": false, "signature_version": "v1", "id": "CVE-2024-27079-ed5b251e" } ] }