{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2024-41070","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-07-12T12:17:45.630Z","datePublished":"2024-07-29T14:57:30.952Z","dateUpdated":"2025-11-03T22:00:20.787Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-21T09:12:52.680Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: PPC: Book3S HV: Prevent UAF in kvm_spapr_tce_attach_iommu_group()\n\nAl reported a possible use-after-free (UAF) in kvm_spapr_tce_attach_iommu_group().\n\nIt looks up `stt` from tablefd, but then continues to use it after doing\nfdput() on the returned fd. After the fdput() the tablefd is free to be\nclosed by another thread. The close calls kvm_spapr_tce_release() and\nthen release_spapr_tce_table() (via call_rcu()) which frees `stt`.\n\nAlthough there are calls to rcu_read_lock() in\nkvm_spapr_tce_attach_iommu_group() they are not sufficient to prevent\nthe UAF, because `stt` is used outside the locked regions.\n\nWith an artifcial delay after the fdput() and a userspace program which\ntriggers the race, KASAN detects the UAF:\n\n  BUG: KASAN: slab-use-after-free in kvm_spapr_tce_attach_iommu_group+0x298/0x720 [kvm]\n  Read of size 4 at addr c000200027552c30 by task kvm-vfio/2505\n  CPU: 54 PID: 2505 Comm: kvm-vfio Not tainted 6.10.0-rc3-next-20240612-dirty #1\n  Hardware name: 8335-GTH POWER9 0x4e1202 opal:skiboot-v6.5.3-35-g1851b2a06 PowerNV\n  Call Trace:\n    dump_stack_lvl+0xb4/0x108 (unreliable)\n    print_report+0x2b4/0x6ec\n    kasan_report+0x118/0x2b0\n    __asan_load4+0xb8/0xd0\n    kvm_spapr_tce_attach_iommu_group+0x298/0x720 [kvm]\n    kvm_vfio_set_attr+0x524/0xac0 [kvm]\n    kvm_device_ioctl+0x144/0x240 [kvm]\n    sys_ioctl+0x62c/0x1810\n    system_call_exception+0x190/0x440\n    system_call_vectored_common+0x15c/0x2ec\n  ...\n  Freed by task 0:\n   ...\n   kfree+0xec/0x3e0\n   release_spapr_tce_table+0xd4/0x11c [kvm]\n   rcu_core+0x568/0x16a0\n   handle_softirqs+0x23c/0x920\n   do_softirq_own_stack+0x6c/0x90\n   do_softirq_own_stack+0x58/0x90\n   __irq_exit_rcu+0x218/0x2d0\n   irq_exit+0x30/0x80\n   arch_local_irq_restore+0x128/0x230\n   arch_local_irq_enable+0x1c/0x30\n   cpuidle_enter_state+0x134/0x5cc\n   cpuidle_enter+0x6c/0xb0\n   call_cpuidle+0x7c/0x100\n   do_idle+0x394/0x410\n   cpu_startup_entry+0x60/0x70\n   start_secondary+0x3fc/0x410\n   start_secondary_prolog+0x10/0x14\n\nFix it by delaying the fdput() until `stt` is no longer in use, which\nis effectively the entire function. To keep the patch minimal add a call\nto fdput() at each of the existing return paths. Future work can convert\nthe function to goto or __cleanup style cleanup.\n\nWith the fix in place the test case no longer triggers the UAF."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["arch/powerpc/kvm/book3s_64_vio.c"],"versions":[{"version":"121f80ba68f1a5779a36d7b3247206e60e0a7418","lessThan":"be847bb20c809de8ac124431b556f244400b0491","status":"affected","versionType":"git"},{"version":"121f80ba68f1a5779a36d7b3247206e60e0a7418","lessThan":"4cdf6926f443c84f680213c7aafbe6f91a5fcbc0","status":"affected","versionType":"git"},{"version":"121f80ba68f1a5779a36d7b3247206e60e0a7418","lessThan":"b26c8c85463ef27a522d24fcd05651f0bb039e47","status":"affected","versionType":"git"},{"version":"121f80ba68f1a5779a36d7b3247206e60e0a7418","lessThan":"5f856023971f97fff74cfaf21b48ec320147b50a","status":"affected","versionType":"git"},{"version":"121f80ba68f1a5779a36d7b3247206e60e0a7418","lessThan":"82c7a4cf14aa866f8f7f09e662b02eddc49ee0bf","status":"affected","versionType":"git"},{"version":"121f80ba68f1a5779a36d7b3247206e60e0a7418","lessThan":"9975f93c760a32453d7639cf6fcf3f73b4e71ffe","status":"affected","versionType":"git"},{"version":"121f80ba68f1a5779a36d7b3247206e60e0a7418","lessThan":"a986fa57fd81a1430e00b3c6cf8a325d6f894a63","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["arch/powerpc/kvm/book3s_64_vio.c"],"versions":[{"version":"4.12","status":"affected"},{"version":"0","lessThan":"4.12","status":"unaffected","versionType":"semver"},{"version":"5.4.281","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{"version":"5.10.223","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.164","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.101","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.42","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.9.11","lessThanOrEqual":"6.9.*","status":"unaffected","versionType":"semver"},{"version":"6.10","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.12","versionEndExcluding":"5.4.281"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.12","versionEndExcluding":"5.10.223"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.12","versionEndExcluding":"5.15.164"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.12","versionEndExcluding":"6.1.101"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.12","versionEndExcluding":"6.6.42"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.12","versionEndExcluding":"6.9.11"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.12","versionEndExcluding":"6.10"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/be847bb20c809de8ac124431b556f244400b0491"},{"url":"https://git.kernel.org/stable/c/4cdf6926f443c84f680213c7aafbe6f91a5fcbc0"},{"url":"https://git.kernel.org/stable/c/b26c8c85463ef27a522d24fcd05651f0bb039e47"},{"url":"https://git.kernel.org/stable/c/5f856023971f97fff74cfaf21b48ec320147b50a"},{"url":"https://git.kernel.org/stable/c/82c7a4cf14aa866f8f7f09e662b02eddc49ee0bf"},{"url":"https://git.kernel.org/stable/c/9975f93c760a32453d7639cf6fcf3f73b4e71ffe"},{"url":"https://git.kernel.org/stable/c/a986fa57fd81a1430e00b3c6cf8a325d6f894a63"}],"title":"KVM: PPC: Book3S HV: Prevent UAF in kvm_spapr_tce_attach_iommu_group()","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"title":"CVE Program Container","references":[{"url":"https://git.kernel.org/stable/c/be847bb20c809de8ac124431b556f244400b0491","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/4cdf6926f443c84f680213c7aafbe6f91a5fcbc0","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/b26c8c85463ef27a522d24fcd05651f0bb039e47","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/5f856023971f97fff74cfaf21b48ec320147b50a","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/82c7a4cf14aa866f8f7f09e662b02eddc49ee0bf","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/9975f93c760a32453d7639cf6fcf3f73b4e71ffe","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/a986fa57fd81a1430e00b3c6cf8a325d6f894a63","tags":["x_transferred"]},{"url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T22:00:20.787Z"}},{"metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2024-41070","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2024-09-10T16:21:40.187466Z"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-09-11T17:34:00.946Z"}}]}}