PT-2024-32793 · Linux+8 · Linux Kernel+8
Dragos Tatulea
·
Published
2024-09-10
·
Updated
2025-09-29
·
CVE-2024-47748
CVSS v3.1
7.8
High
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Linux kernel versions prior to 6.6.58
Description
The issue concerns the Linux kernel, specifically the vhost vdpa component, and involves the incorrect assignment of the irq bypass producer token. The problem arises because irq_bypass_unregister_producer() is called in vhost_vdpa_setup_vq_irq(), which can leave the token pointer pointing at memory that is no longer valid. The token's lifecycle should instead be tied to VHOST_SET_VRING_CALL rather than to vhost_vdpa_setup_vq_irq(). The fix sets up the irq bypass producer's token when handling VHOST_SET_VRING_CALL, and unregisters the producer before calling vhost_vring_ioctl(), preventing a possible use after free, since the eventfd may have been released inside vhost_vring_ioctl(). This registration and unregistration occur only if DRIVER_OK is set.
Recommendations
To resolve the issue, update the Linux kernel to version 6.6.58 or later. As a temporary workaround, consider disabling the vhost_vdpa_setup_vq_irq() function until a patch is available. Restrict access to the vhost vdpa component to minimize the risk of exploitation. Avoid using the eventfd_ctx as a token in the affected API endpoint until the issue is resolved.
Exploit
Fix
Use After Free
Double Free
Related Identifiers
Affected Products
Alt Linux
Astra Linux
Debian
Linuxmint
Linux Kernel
Red Hat
Red Os
Suse
Ubuntu