Ubuntu: (CVE-2023-52910): linux vulnerability

Ubuntu: (CVE-2023-52910): linux vulnerability

Severity

5

CVSS

(AV:L/AC:L/Au:S/C:N/I:N/A:C)

Published

08/21/2024

Created

11/21/2024

Added

11/19/2024

Modified

02/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved: iommu/iova: Fix alloc iova overflows issue In __alloc_and_insert_iova_range, there is an issue that retry_pfn overflows. The value of iovad->anchor.pfn_hi is ~0UL, then when iovad->cached_node is iovad->anchor, curr_iova->pfn_hi + 1 will overflow. As a result, if the retry logic is executed, low_pfn is updated to 0, and then new_pfn < low_pfn returns false to make the allocation successful. This issue occurs in the following two situations: 1. The first iova size exceeds the domain size. When initializing iova domain, iovad->cached_node is assigned as iovad->anchor. For example, the iova domain size is 10M, start_pfn is 0x1_F000_0000, and the iova size allocated for the first time is 11M. The following is the log information, new->pfn_lo is smaller than iovad->cached_node. Example log as follows: [223.798112][T1705487] sh: [name:iova&]__alloc_and_insert_iova_range start_pfn:0x1f0000,retry_pfn:0x0,size:0xb00,limit_pfn:0x1f0a00 [223.799590][T1705487] sh: [name:iova&]__alloc_and_insert_iova_range success start_pfn:0x1f0000,new->pfn_lo:0x1efe00,new->pfn_hi:0x1f08ff 2. The node with the largest iova->pfn_lo value in the iova domain is deleted, iovad->cached_node will be updated to iovad->anchor, and then the alloc iova size exceeds the maximum iova size that can be allocated in the domain. After judging that retry_pfn is less than limit_pfn, call retry_pfn+1 to fix the overflow issue.

Solution(s)

• ubuntu-upgrade-linux
• ubuntu-upgrade-linux-aws
• ubuntu-upgrade-linux-aws-5-15
• ubuntu-upgrade-linux-azure
• ubuntu-upgrade-linux-azure-5-15
• ubuntu-upgrade-linux-azure-fde
• ubuntu-upgrade-linux-azure-fde-5-15
• ubuntu-upgrade-linux-bluefield
• ubuntu-upgrade-linux-gcp
• ubuntu-upgrade-linux-gcp-5-15
• ubuntu-upgrade-linux-gke
• ubuntu-upgrade-linux-gkeop
• ubuntu-upgrade-linux-gkeop-5-15
• ubuntu-upgrade-linux-hwe-5-15
• ubuntu-upgrade-linux-ibm
• ubuntu-upgrade-linux-intel-iot-realtime
• ubuntu-upgrade-linux-intel-iotg
• ubuntu-upgrade-linux-intel-iotg-5-15
• ubuntu-upgrade-linux-kvm
• ubuntu-upgrade-linux-lowlatency
• ubuntu-upgrade-linux-lowlatency-hwe-5-15
• ubuntu-upgrade-linux-nvidia
• ubuntu-upgrade-linux-oracle
• ubuntu-upgrade-linux-oracle-5-15
• ubuntu-upgrade-linux-raspi
• ubuntu-upgrade-linux-realtime
• ubuntu-upgrade-linux-riscv-5-15

References

• https://attackerkb.com/topics/cve-2023-52910
• CVE - 2023-52910
• https://git.kernel.org/linus/dcdb3ba7e2a8caae7bfefd603bc22fd0ce9a389c
• https://git.kernel.org/stable/c/61cbf790e7329ed78877560be7136f0b911bba7f
• https://git.kernel.org/stable/c/c929a230c84441e400c32e7b7b4ab763711fb63e
• https://git.kernel.org/stable/c/dcdb3ba7e2a8caae7bfefd603bc22fd0ce9a389c
• https://www.cve.org/CVERecord?id=CVE-2023-52910