{
    "data_version": "4.0",
    "data_type": "CVE",
    "data_format": "MITRE",
    "CVE_data_meta": {
        "ID": "CVE-2024-41070",
        "ASSIGNER": "cve@kernel.org",
        "STATE": "PUBLIC"
    },
    "description": {
        "description_data": [
            {
                "lang": "eng",
                "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: PPC: Book3S HV: Prevent UAF in kvm_spapr_tce_attach_iommu_group()\n\nAl reported a possible use-after-free (UAF) in kvm_spapr_tce_attach_iommu_group().\n\nIt looks up `stt` from tablefd, but then continues to use it after doing\nfdput() on the returned fd. After the fdput() the tablefd is free to be\nclosed by another thread. The close calls kvm_spapr_tce_release() and\nthen release_spapr_tce_table() (via call_rcu()) which frees `stt`.\n\nAlthough there are calls to rcu_read_lock() in\nkvm_spapr_tce_attach_iommu_group() they are not sufficient to prevent\nthe UAF, because `stt` is used outside the locked regions.\n\nWith an artifcial delay after the fdput() and a userspace program which\ntriggers the race, KASAN detects the UAF:\n\n  BUG: KASAN: slab-use-after-free in kvm_spapr_tce_attach_iommu_group+0x298/0x720 [kvm]\n  Read of size 4 at addr c000200027552c30 by task kvm-vfio/2505\n  CPU: 54 PID: 2505 Comm: kvm-vfio Not tainted 6.10.0-rc3-next-20240612-dirty #1\n  Hardware name: 8335-GTH POWER9 0x4e1202 opal:skiboot-v6.5.3-35-g1851b2a06 PowerNV\n  Call Trace:\n    dump_stack_lvl+0xb4/0x108 (unreliable)\n    print_report+0x2b4/0x6ec\n    kasan_report+0x118/0x2b0\n    __asan_load4+0xb8/0xd0\n    kvm_spapr_tce_attach_iommu_group+0x298/0x720 [kvm]\n    kvm_vfio_set_attr+0x524/0xac0 [kvm]\n    kvm_device_ioctl+0x144/0x240 [kvm]\n    sys_ioctl+0x62c/0x1810\n    system_call_exception+0x190/0x440\n    system_call_vectored_common+0x15c/0x2ec\n  ...\n  Freed by task 0:\n   ...\n   kfree+0xec/0x3e0\n   release_spapr_tce_table+0xd4/0x11c [kvm]\n   rcu_core+0x568/0x16a0\n   handle_softirqs+0x23c/0x920\n   do_softirq_own_stack+0x6c/0x90\n   do_softirq_own_stack+0x58/0x90\n   __irq_exit_rcu+0x218/0x2d0\n   irq_exit+0x30/0x80\n   arch_local_irq_restore+0x128/0x230\n   arch_local_irq_enable+0x1c/0x30\n   cpuidle_enter_state+0x134/0x5cc\n   cpuidle_enter+0x6c/0xb0\n   call_cpuidle+0x7c/0x100\n   do_idle+0x394/0x410\n   cpu_startup_entry+0x60/0x70\n   start_secondary+0x3fc/0x410\n   start_secondary_prolog+0x10/0x14\n\nFix it by delaying the fdput() until `stt` is no longer in use, which\nis effectively the entire function. To keep the patch minimal add a call\nto fdput() at each of the existing return paths. Future work can convert\nthe function to goto or __cleanup style cleanup.\n\nWith the fix in place the test case no longer triggers the UAF."
            }
        ]
    },
    "problemtype": {
        "problemtype_data": [
            {
                "description": [
                    {
                        "lang": "eng",
                        "value": "n/a"
                    }
                ]
            }
        ]
    },
    "affects": {
        "vendor": {
            "vendor_data": [
                {
                    "vendor_name": "Linux",
                    "product": {
                        "product_data": [
                            {
                                "product_name": "Linux",
                                "version": {
                                    "version_data": [
                                        {
                                            "version_affected": "<",
                                            "version_name": "1da177e4c3f4",
                                            "version_value": "be847bb20c80"
                                        },
                                        {
                                            "version_value": "not down converted",
                                            "x_cve_json_5_version_data": {
                                                "versions": [
                                                    {
                                                        "version": "5.4.281",
                                                        "lessThanOrEqual": "5.4.*",
                                                        "status": "unaffected",
                                                        "versionType": "custom"
                                                    },
                                                    {
                                                        "version": "5.10.223",
                                                        "lessThanOrEqual": "5.10.*",
                                                        "status": "unaffected",
                                                        "versionType": "custom"
                                                    },
                                                    {
                                                        "version": "5.15.164",
                                                        "lessThanOrEqual": "5.15.*",
                                                        "status": "unaffected",
                                                        "versionType": "custom"
                                                    },
                                                    {
                                                        "version": "6.1.101",
                                                        "lessThanOrEqual": "6.1.*",
                                                        "status": "unaffected",
                                                        "versionType": "custom"
                                                    },
                                                    {
                                                        "version": "6.6.42",
                                                        "lessThanOrEqual": "6.6.*",
                                                        "status": "unaffected",
                                                        "versionType": "custom"
                                                    },
                                                    {
                                                        "version": "6.9.11",
                                                        "lessThanOrEqual": "6.9.*",
                                                        "status": "unaffected",
                                                        "versionType": "custom"
                                                    },
                                                    {
                                                        "version": "6.10",
                                                        "lessThanOrEqual": "*",
                                                        "status": "unaffected",
                                                        "versionType": "original_commit_for_fix"
                                                    }
                                                ],
                                                "defaultStatus": "affected"
                                            }
                                        }
                                    ]
                                }
                            }
                        ]
                    }
                }
            ]
        }
    },
    "references": {
        "reference_data": [
            {
                "url": "https://git.kernel.org/stable/c/be847bb20c809de8ac124431b556f244400b0491",
                "refsource": "MISC",
                "name": "https://git.kernel.org/stable/c/be847bb20c809de8ac124431b556f244400b0491"
            },
            {
                "url": "https://git.kernel.org/stable/c/4cdf6926f443c84f680213c7aafbe6f91a5fcbc0",
                "refsource": "MISC",
                "name": "https://git.kernel.org/stable/c/4cdf6926f443c84f680213c7aafbe6f91a5fcbc0"
            },
            {
                "url": "https://git.kernel.org/stable/c/b26c8c85463ef27a522d24fcd05651f0bb039e47",
                "refsource": "MISC",
                "name": "https://git.kernel.org/stable/c/b26c8c85463ef27a522d24fcd05651f0bb039e47"
            },
            {
                "url": "https://git.kernel.org/stable/c/5f856023971f97fff74cfaf21b48ec320147b50a",
                "refsource": "MISC",
                "name": "https://git.kernel.org/stable/c/5f856023971f97fff74cfaf21b48ec320147b50a"
            },
            {
                "url": "https://git.kernel.org/stable/c/82c7a4cf14aa866f8f7f09e662b02eddc49ee0bf",
                "refsource": "MISC",
                "name": "https://git.kernel.org/stable/c/82c7a4cf14aa866f8f7f09e662b02eddc49ee0bf"
            },
            {
                "url": "https://git.kernel.org/stable/c/9975f93c760a32453d7639cf6fcf3f73b4e71ffe",
                "refsource": "MISC",
                "name": "https://git.kernel.org/stable/c/9975f93c760a32453d7639cf6fcf3f73b4e71ffe"
            },
            {
                "url": "https://git.kernel.org/stable/c/a986fa57fd81a1430e00b3c6cf8a325d6f894a63",
                "refsource": "MISC",
                "name": "https://git.kernel.org/stable/c/a986fa57fd81a1430e00b3c6cf8a325d6f894a63"
            }
        ]
    },
    "generator": {
        "engine": "bippy-c9c4e1df01b2"
    }
}