CVE-2024-41070

Name of the Vulnerable Software and Affected Versions Linux kernel versions prior to 6.6.43

Description A use-after-free vulnerability in the kvm spapr tce attach iommu group() function in the Linux kernel allows an attacker to potentially impact the confidentiality, integrity, and availability of protected information. The vulnerability occurs when the function looks up stt from tablefd and continues to use it after doing fdput() on the returned fd, which can be closed by another thread, freeing stt. Although there are calls to rcu read lock() in kvm spapr tce attach iommu group(), they are not sufficient to prevent the use-after-free, as stt is used outside the locked regions. The issue can be detected by KASAN with an artificial delay after the fdput() and a userspace program that triggers the race.

Recommendations To resolve the issue, update the Linux kernel to version 6.6.43 or later. As a temporary workaround, consider delaying the fdput() until stt is no longer in use, which is effectively the entire kvm spapr tce attach iommu group() function. To keep the patch minimal, add a call to fdput() at each of the existing return paths. Future work can convert the function to goto or cleanup style cleanup.