CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
15.5%
In the Linux kernel, the following vulnerability has been resolved:
swiotlb: Fix double-allocation of slots due to broken alignment handling
Commit bbb73a103fbb (“swiotlb: fix a braino in the alignment check fix”),
which was a fix for commit 0eee5ae10256 (“swiotlb: fix slot alignment
checks”), causes a functional regression with vsock in a virtual machine
using bouncing via a restricted DMA SWIOTLB pool. When virtio allocates the
virtqueues for the vsock device using dma_alloc_coherent(), the SWIOTLB
search can return page-unaligned allocations if ‘area->index’ was left
unaligned by a previous allocation from the buffer: # Final address in
brackets is the SWIOTLB address returned to the caller | virtio-pci
0000:00:07.0: orig_addr 0x0 alloc_size 0x2000, iotlb_align_mask 0x800
stride 0x2: got slot 1645-1649/7168 (0x98326800) | virtio-pci 0000:00:07.0:
orig_addr 0x0 alloc_size 0x2000, iotlb_align_mask 0x800 stride 0x2: got
slot 1649-1653/7168 (0x98328800) | virtio-pci 0000:00:07.0: orig_addr 0x0
alloc_size 0x2000, iotlb_align_mask 0x800 stride 0x2: got slot
1653-1657/7168 (0x9832a800) This ends badly (typically buffer corruption
and/or a hang) because swiotlb_alloc() is expecting a page-aligned
allocation and so blindly returns a pointer to the ‘struct page’
corresponding to the allocation, therefore double-allocating the first half
(2KiB slot) of the 4KiB page. Fix the problem by treating the allocation
alignment separately to any additional alignment requirements from the
device, using the maximum of the two as the stride to search the buffer
slots and taking care to ensure a minimum of page-alignment for buffers
larger than a page. This also resolves swiotlb allocation failures occuring
due to the inclusion of ~PAGE_MASK in ‘iotlb_align_mask’ for large
allocations and resulting in alignment requirements exceeding
swiotlb_max_mapping_size().
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 24.04 | noarch | linux | < 6.8.0-35.35 | UNKNOWN |
ubuntu | 24.04 | noarch | linux-aws | < 6.8.0-1009.9 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws-6.5 | < any | UNKNOWN |
ubuntu | 24.04 | noarch | linux-azure | < 6.8.0-1008.8 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-azure-6.5 | < any | UNKNOWN |
ubuntu | 24.04 | noarch | linux-gcp | < 6.8.0-1008.9 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-gcp-6.5 | < any | UNKNOWN |
ubuntu | 24.04 | noarch | linux-gke | < 6.8.0-1004.7 | UNKNOWN |
ubuntu | 24.04 | noarch | linux-ibm | < 6.8.0-1006.6 | UNKNOWN |
ubuntu | 24.04 | noarch | linux-lowlatency | < 6.8.0-35.35.1 | UNKNOWN |
git.kernel.org/linus/04867a7a33324c9c562ee7949dbcaab7aaad1fb4 (6.9-rc1)
git.kernel.org/stable/c/04867a7a33324c9c562ee7949dbcaab7aaad1fb4
git.kernel.org/stable/c/3e7acd6e25ba77dde48c3b721c54c89cd6a10534
git.kernel.org/stable/c/777391743771040e12cc40d3d0d178f70c616491
git.kernel.org/stable/c/c88668aa6c1da240ea3eb4d128b7906e740d3cb8
launchpad.net/bugs/cve/CVE-2024-35814
nvd.nist.gov/vuln/detail/CVE-2024-35814
security-tracker.debian.org/tracker/CVE-2024-35814
ubuntu.com/security/notices/USN-6816-1
ubuntu.com/security/notices/USN-6817-1
ubuntu.com/security/notices/USN-6817-2
ubuntu.com/security/notices/USN-6817-3
ubuntu.com/security/notices/USN-6878-1
www.cve.org/CVERecord?id=CVE-2024-35814