CVE-2024-35843

{"id": "CVE-2024-35843", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 4.2, "exploitabilityScore": 2.5}]}, "published": "2024-05-17T15:15:21.313", "references": [{"url": "https://git.kernel.org/stable/c/3d39238991e745c5df85785604f037f35d9d1b15", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/def054b01a867822254e1dda13d587f5c7a99e2a", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/3d39238991e745c5df85785604f037f35d9d1b15", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/def054b01a867822254e1dda13d587f5c7a99e2a", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-416"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/vt-d: Use device rbtree in iopf reporting path\n\nThe existing I/O page fault handler currently locates the PCI device by\ncalling pci_get_domain_bus_and_slot(). This function searches the list\nof all PCI devices until the desired device is found. To improve lookup\nefficiency, replace it with device_rbtree_find() to search the device\nwithin the probed device rbtree.\n\nThe I/O page fault is initiated by the device, which does not have any\nsynchronization mechanism with the software to ensure that the device\nstays in the probed device tree. Theoretically, a device could be released\nby the IOMMU subsystem after device_rbtree_find() and before\niopf_get_dev_fault_param(), which would cause a use-after-free problem.\n\nAdd a mutex to synchronize the I/O page fault reporting path and the IOMMU\nrelease device path. This lock doesn't introduce any performance overhead,\nas the conflict between I/O page fault reporting and device releasing is\nvery rare."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: iommu/vt-d: use el rbtree del dispositivo en la ruta de informes iopf. El controlador de fallos de la p\u00e1gina de E/S existente actualmente ubica el dispositivo PCI llamando a pci_get_domain_bus_and_slot(). Esta funci\u00f3n busca en la lista de todos los dispositivos PCI hasta encontrar el dispositivo deseado. Para mejorar la eficiencia de la b\u00fasqueda, reempl\u00e1celo con device_rbtree_find() para buscar el dispositivo dentro del rbtree del dispositivo probado. El fallo de la p\u00e1gina de E/S la inicia el dispositivo, que no tiene ning\u00fan mecanismo de sincronizaci\u00f3n con el software para garantizar que el dispositivo permanezca en el \u00e1rbol de dispositivos analizados. En teor\u00eda, el subsistema IOMMU podr\u00eda liberar un dispositivo despu\u00e9s de device_rbtree_find() y antes de iopf_get_dev_fault_param(), lo que causar\u00eda un problema de uso despu\u00e9s de la liberaci\u00f3n. Agregue un mutex para sincronizar la ruta de informe de fallos de la p\u00e1gina de E/S y la ruta del dispositivo de liberaci\u00f3n IOMMU. Este bloqueo no introduce ninguna sobrecarga de rendimiento, ya que el conflicto entre el informe de fallos de la p\u00e1gina de E/S y la liberaci\u00f3n del dispositivo es muy raro."}], "lastModified": "2025-04-07T19:05:09.400", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6402FBC3-9412-48E2-992D-DA529B4CF698", "versionEndExcluding": "6.8.2"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}