{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-26785","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-02-19T14:20:24.178Z","datePublished":"2024-04-04T08:20:18.467Z","dateUpdated":"2025-05-04T08:56:27.932Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T08:56:27.932Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\niommufd: Fix protection fault in iommufd_test_syz_conv_iova\n\nSyzkaller reported the following bug:\n\n  general protection fault, probably for non-canonical address 0xdffffc0000000038: 0000 [#1] SMP KASAN\n  KASAN: null-ptr-deref in range [0x00000000000001c0-0x00000000000001c7]\n  Call Trace:\n   lock_acquire\n   lock_acquire+0x1ce/0x4f0\n   down_read+0x93/0x4a0\n   iommufd_test_syz_conv_iova+0x56/0x1f0\n   iommufd_test_access_rw.isra.0+0x2ec/0x390\n   iommufd_test+0x1058/0x1e30\n   iommufd_fops_ioctl+0x381/0x510\n   vfs_ioctl\n   __do_sys_ioctl\n   __se_sys_ioctl\n   __x64_sys_ioctl+0x170/0x1e0\n   do_syscall_x64\n   do_syscall_64+0x71/0x140\n\nThis is because the new iommufd_access_change_ioas() sets access->ioas to\nNULL during its process, so the lock might be gone in a concurrent racing\ncontext.\n\nFix this by doing the same access->ioas sanity as iommufd_access_rw() and\niommufd_access_pin_pages() functions do."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/iommu/iommufd/selftest.c"],"versions":[{"version":"9227da7816dd1a42e20d41e2244cb63c205477ca","lessThan":"fd4d5cd7a2e8f08357c9bfc0905957cffe8ce568","status":"affected","versionType":"git"},{"version":"9227da7816dd1a42e20d41e2244cb63c205477ca","lessThan":"fc719ecbca45c9c046640d72baddba3d83e0bc0b","status":"affected","versionType":"git"},{"version":"9227da7816dd1a42e20d41e2244cb63c205477ca","lessThan":"cf7c2789822db8b5efa34f5ebcf1621bc0008d48","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["drivers/iommu/iommufd/selftest.c"],"versions":[{"version":"6.6","status":"affected"},{"version":"0","lessThan":"6.6","status":"unaffected","versionType":"semver"},{"version":"6.6.55","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.7.9","lessThanOrEqual":"6.7.*","status":"unaffected","versionType":"semver"},{"version":"6.8","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6","versionEndExcluding":"6.6.55"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6","versionEndExcluding":"6.7.9"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.6","versionEndExcluding":"6.8"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/fd4d5cd7a2e8f08357c9bfc0905957cffe8ce568"},{"url":"https://git.kernel.org/stable/c/fc719ecbca45c9c046640d72baddba3d83e0bc0b"},{"url":"https://git.kernel.org/stable/c/cf7c2789822db8b5efa34f5ebcf1621bc0008d48"}],"title":"iommufd: Fix protection fault in iommufd_test_syz_conv_iova","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"problemTypes":[{"descriptions":[{"type":"CWE","cweId":"CWE-120","lang":"en","description":"CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')"}]}],"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":5.5,"attackVector":"LOCAL","baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","integrityImpact":"NONE","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"LOW","confidentialityImpact":"NONE"}},{"other":{"type":"ssvc","content":{"timestamp":"2024-04-04T15:19:21.902975Z","id":"CVE-2024-26785","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-11-07T18:54:48.729Z"}},{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T00:14:13.352Z"},"title":"CVE Program Container","references":[{"url":"https://git.kernel.org/stable/c/fc719ecbca45c9c046640d72baddba3d83e0bc0b","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/cf7c2789822db8b5efa34f5ebcf1621bc0008d48","tags":["x_transferred"]}]}]}}