CVE-2024-47748

Summary

In the Linux kernel, the following vulnerability has been resolved:

vhost_vdpa: assign irq bypass producer token correctly

We used to call irq_bypass_unregister_producer() in vhost_vdpa_setup_vq_irq() which is problematic as we don't know if the token pointer is still valid or not.

Actually, we use the eventfd_ctx as the token so the life cycle of the token should be bound to the VHOST_SET_VRING_CALL instead of vhost_vdpa_setup_vq_irq() which could be called by set_status().

Fixing this by setting up irq bypass producer's token when handling VHOST_SET_VRING_CALL and un-registering the producer before calling vhost_vring_ioctl() to prevent a possible use after free as eventfd could have been released in vhost_vring_ioctl(). And such registering and unregistering will only be done if DRIVER_OK is set.

Affected Software

VendorProductVersion RangeStatus
LinuxLinux2cf1ba9a4d15cb78b96ea97f727b93382c3f9a60 < 0c170b1e918b9afac25e2bbd01eaa2bfc0ece8c0affected
LinuxLinux2cf1ba9a4d15cb78b96ea97f727b93382c3f9a60 < 927a2580208e0f9b0b47b08f1c802b7233a7ba3caffected
LinuxLinux2cf1ba9a4d15cb78b96ea97f727b93382c3f9a60 < ec5f1b54ceb23475049ada6e7a43452cf4df88d1affected
LinuxLinux2cf1ba9a4d15cb78b96ea97f727b93382c3f9a60 < ca64edd7ae93402af2596a952e0d94d545e2b9c0affected
LinuxLinux2cf1ba9a4d15cb78b96ea97f727b93382c3f9a60 < fae9b1776f53aab93ab345bdbf653b991aed717daffected
LinuxLinux2cf1ba9a4d15cb78b96ea97f727b93382c3f9a60 < 7cf2fb51175cafe01df8c43fa15a06194a59c6e2affected
LinuxLinux2cf1ba9a4d15cb78b96ea97f727b93382c3f9a60 < 02e9e9366fefe461719da5d173385b6685f70319affected
LinuxLinux5.9affected
LinuxLinux0 < 5.9unaffected
LinuxLinux5.10.227 <= 5.10.*unaffected
LinuxLinux5.15.168 <= 5.15.*unaffected
LinuxLinux6.1.113 <= 6.1.*unaffected
LinuxLinux6.6.54 <= 6.6.*unaffected
LinuxLinux6.10.13 <= 6.10.*unaffected
LinuxLinux6.11.2 <= 6.11.*unaffected
LinuxLinux6.12 <= *unaffected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References