CVE-2023-52910

{"id": "CVE-2023-52910", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2024-08-21T07:15:06.910", "references": [{"url": "https://git.kernel.org/stable/c/61cbf790e7329ed78877560be7136f0b911bba7f", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/c929a230c84441e400c32e7b7b4ab763711fb63e", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/dcdb3ba7e2a8caae7bfefd603bc22fd0ce9a389c", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niommu/iova: Fix alloc iova overflows issue\n\nIn __alloc_and_insert_iova_range, there is an issue that retry_pfn\noverflows. The value of iovad->anchor.pfn_hi is ~0UL, then when\niovad->cached_node is iovad->anchor, curr_iova->pfn_hi + 1 will\noverflow. As a result, if the retry logic is executed, low_pfn is\nupdated to 0, and then new_pfn < low_pfn returns false to make the\nallocation successful.\n\nThis issue occurs in the following two situations:\n1. The first iova size exceeds the domain size. When initializing\niova domain, iovad->cached_node is assigned as iovad->anchor. For\nexample, the iova domain size is 10M, start_pfn is 0x1_F000_0000,\nand the iova size allocated for the first time is 11M. The\nfollowing is the log information, new->pfn_lo is smaller than\niovad->cached_node.\n\nExample log as follows:\n[ 223.798112][T1705487] sh: [name:iova&]__alloc_and_insert_iova_range\nstart_pfn:0x1f0000,retry_pfn:0x0,size:0xb00,limit_pfn:0x1f0a00\n[ 223.799590][T1705487] sh: [name:iova&]__alloc_and_insert_iova_range\nsuccess start_pfn:0x1f0000,new->pfn_lo:0x1efe00,new->pfn_hi:0x1f08ff\n\n2. The node with the largest iova->pfn_lo value in the iova domain\nis deleted, iovad->cached_node will be updated to iovad->anchor,\nand then the alloc iova size exceeds the maximum iova size that can\nbe allocated in the domain.\n\nAfter judging that retry_pfn is less than limit_pfn, call retry_pfn+1\nto fix the overflow issue."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: iommu/iova: soluciona el problema de desbordamiento de alloc iova. En __alloc_and_insert_iova_range, hay un problema que retry_pfn se desborda. El valor de iovad-&gt;anchor.pfn_hi es ~0UL, luego, cuando iovad-&gt;cached_node es iovad-&gt;anchor, curr_iova-&gt;pfn_hi + 1 se desbordar\u00e1. Como resultado, si se ejecuta la l\u00f3gica de reintento, low_pfn se actualiza a 0 y luego new_pfn &lt; low_pfn devuelve falso para que la asignaci\u00f3n sea exitosa. Este problema ocurre en las dos situaciones siguientes: 1. El tama\u00f1o del primer iova excede el tama\u00f1o del dominio. Al inicializar el dominio iova, iovad-&gt;cached_node se asigna como iovad-&gt;anchor. Por ejemplo, el tama\u00f1o del dominio iova es 10 M, start_pfn es 0x1_F000_0000 y el tama\u00f1o de iova asignado por primera vez es 11 M. La siguiente es la informaci\u00f3n de registro, new-&gt;pfn_lo es m\u00e1s peque\u00f1o que iovad-&gt;cached_node. Registro de ejemplo como sigue: [ 223.798112][T1705487] sh: [name:iova&amp;]__alloc_and_insert_iova_range start_pfn:0x1f0000,retry_pfn:0x0,size:0xb00,limit_pfn:0x1f0a00 [ 223.799590][T1705487] [nombre:iova&amp;]__alloc_and_insert_iova_range \u00e9xito start_pfn :0x1f0000,new-&gt;pfn_lo:0x1efe00,new-&gt;pfn_hi:0x1f08ff 2. El nodo con el valor iova-&gt;pfn_lo m\u00e1s grande en el dominio iova se elimina, iovad-&gt;cached_node se actualizar\u00e1 a iovad-&gt;anchor y luego el tama\u00f1o de alloc iova excede el tama\u00f1o m\u00e1ximo de iova que se puede asignar en el dominio. Despu\u00e9s de juzgar que retry_pfn es menor que limit_pfn, llame a retry_pfn+1 para solucionar el problema de desbordamiento."}], "lastModified": "2024-09-12T14:47:08.540", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E706841F-E788-4316-9B05-DA8EB60CE6B3", "versionEndExcluding": "5.15.89", "versionStartIncluding": "5.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9275C81F-AE96-4CDB-AD20-7DBD36E5D909", "versionEndExcluding": "6.1.7", "versionStartIncluding": "5.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FF501633-2F44-4913-A8EE-B021929F49F6"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2BDA597B-CAC1-4DF0-86F0-42E142C654E9"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.2:rc3:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "725C78C9-12CE-406F-ABE8-0813A01D66E8"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}