Acknowledged
Created: Jun 19, 2025
Updated: Jun 20, 2025
Found In Version: 10.24.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 24
Component/s: Kernel
In the Linux kernel, the following vulnerability has been resolved:

genirq/msi: Store the IOMMU IOVA directly in msi_desc instead of iommu_cookie

The IOMMU translation for MSI message addresses has been a 2-step process, separated in time:

 1) iommu_dma_prepare_msi(): A cookie pointer containing the IOVA address is stored in the MSI descriptor when an MSI interrupt is allocated.

 2) iommu_dma_compose_msi_msg(): this cookie pointer is used to compute a translated message address.

This has an inherent lifetime problem for the pointer stored in the cookie that must remain valid between the two steps. However, there is no locking at the irq layer that helps protect the lifetime. Today, this works under the assumption that the iommu domain is not changed while MSI interrupts are being programmed. This is true for normal DMA API users within the kernel, as the iommu domain is attached before the driver is probed and cannot be changed while a driver is attached.

Classic VFIO type1 also prevented changing the iommu domain while VFIO was running as it does not support changing the "container" after starting up.

However, iommufd has improved this so that the iommu domain can be changed during VFIO operation. This potentially allows userspace to directly race VFIO_DEVICE_ATTACH_IOMMUFD_PT (which calls iommu_attach_group()) and VFIO_DEVICE_SET_IRQS (which calls into iommu_dma_compose_msi_msg()).

This potentially causes both the cookie pointer and the unlocked call to iommu_get_domain_for_dev() on the MSI translation path to become UAFs.

Fix the MSI cookie UAF by removing the cookie pointer. The translated IOVA address is already known during iommu_dma_prepare_msi() and cannot change. Thus, it can simply be stored as an integer in the MSI descriptor.

The other UAF related to iommu_get_domain_for_dev() will be addressed in patch "iommu: Make iommu_dma_prepare_msi() into a generic operation" by using the IOMMU group mutex.
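As an added illustration (not the kernel's code and not part of this advisory), the following userspace model contrasts the two step-2 paths the commit message describes: the struct and function names are stand-ins for msi_desc, iommu_dma_prepare_msi() and iommu_dma_compose_msi_msg(), and the freed cookie is simulated by poisoning it in place rather than calling free(), so the program stays well-defined.

```c
#include <stdint.h>
#include <string.h>

#define POISON_BYTE 0x6b /* stand-in for a freed-slab poison pattern */

struct iommu_cookie { uint64_t iova; };

/* Stand-in msi_desc carrying both the pre-fix pointer and the post-fix
 * integer so the two step-2 paths can be compared side by side. */
struct msi_desc {
    struct iommu_cookie *iommu_cookie; /* pre-fix: valid only while the domain lives */
    uint64_t iommu_msi_iova;           /* post-fix: value captured at step 1 */
};

/* Step 1, iommu_dma_prepare_msi() analogue, run when the MSI is allocated. */
static void prepare_msi(struct msi_desc *d, struct iommu_cookie *c)
{
    d->iommu_cookie = c;
    d->iommu_msi_iova = c->iova;
}

/* Step 2, pre-fix: follows the pointer stored at step 1 (the UAF path). */
static uint64_t compose_msg_old(const struct msi_desc *d)
{
    return d->iommu_cookie->iova;
}

/* Step 2, post-fix: plain integer, nothing to keep alive between the steps. */
static uint64_t compose_msg_new(const struct msi_desc *d)
{
    return d->iommu_msi_iova;
}

/* Models the race: the domain is replaced (its cookie "freed", here poisoned
 * in place) between prepare and compose. Returns 1 when the old path no
 * longer yields the IOVA while the new path still does. */
int domain_swap_breaks_old_path(void)
{
    struct iommu_cookie cookie = { .iova = 0xFEE00000ULL }; /* constructed IOVA */
    struct msi_desc desc;
    uint64_t want = cookie.iova;

    prepare_msi(&desc, &cookie);
    /* Concurrent VFIO_DEVICE_ATTACH_IOMMUFD_PT: old domain and cookie go away. */
    memset(&cookie, POISON_BYTE, sizeof cookie);

    return compose_msg_old(&desc) != want && compose_msg_new(&desc) == want;
}
```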
CREATE(Triage):(User=lchen-cn) CVE-2025-38062 (https://nvd.nist.gov/vuln/detail/CVE-2025-38062)