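Vulnerability title
iommu: Don't reserve 0-length IOVA region
Vulnerability description
In the Linux kernel, the following vulnerability has been resolved:
iommu: Don't reserve 0-length IOVA region
When the bootloader/firmware does not set up the framebuffers, their address and size are both 0 in the "iommu-addresses" property. If an IOVA region is reserved with 0 length, it ends up corrupting the IOVA rbtree with an entry whose pfn_hi is less than pfn_lo.
If we intend to use the display driver in the kernel without a framebuffer, this causes the display IOMMU mappings to fail, because the entire valid IOVA space is reserved when the address and length are passed as 0.
An ideal solution would be for the firmware to remove the "iommu-addresses" property and its corresponding "memory-region" if no display is present. But the kernel should be able to handle this case by checking the size of the IOVA region and skipping the IOVA reservation when the size is 0. In addition, a warning should be added to indicate that the firmware is requesting a 0-length IOVA region reservation.
CVSS information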
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Vulnerability category
Out-of-bounds write
Vulnerability title
iommu: Don't reserve 0-length IOVA region
Vulnerability description
In the Linux kernel, the following vulnerability has been resolved:
iommu: Don't reserve 0-length IOVA region
When the bootloader/firmware doesn't set up the framebuffers, their
address and size are 0 in "iommu-addresses" property. If IOVA region is
reserved with 0 length, then it ends up corrupting the IOVA rbtree with
an entry which has pfn_hi < pfn_lo.
If we intend to use display driver in kernel without framebuffer then
it's causing the display IOMMU mappings to fail as entire valid IOVA
space is reserved when address and length are passed as 0.
An ideal solution would be firmware removing the "iommu-addresses"
property and corresponding "memory-region" if display is not present.
But the kernel should be able to handle this by checking for size of
IOVA region and skipping the IOVA reservation if size is 0. Also, add
a warning if firmware is requesting 0-length IOVA region reservation.
CVSS information
N/A
Vulnerability category
N/A
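The arithmetic behind the description above, as an added example (a standalone model, not the kernel's code). It assumes a region is converted to an inclusive page-frame range whose last byte is `start + length - 1`, with 64-bit addresses and a 4 KiB granule; all function names and the sample regions are constructed for illustration.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define IOVA_SHIFT 12 /* assumption: 4 KiB IOVA granule */

struct pfn_range { uint64_t pfn_lo, pfn_hi; };

/* Assumed model: a region [start, start + length) becomes an inclusive
 * page-frame range, so its last byte is start + length - 1. With
 * length == 0 that subtraction lands one byte *before* start, or wraps
 * to the top of the address space when start is also 0. */
static struct pfn_range region_to_pfns(uint64_t start, uint64_t length)
{
    struct pfn_range r = { start >> IOVA_SHIFT,
                           (start + length - 1) >> IOVA_SHIFT };
    return r;
}

static bool range_is_ordered(struct pfn_range r) { return r.pfn_lo <= r.pfn_hi; }

static bool range_covers_all(struct pfn_range r)
{
    return r.pfn_lo == 0 && r.pfn_hi == (UINT64_MAX >> IOVA_SHIFT);
}

/* Guard described in the advisory: warn and skip when the size is 0.
 * Returns true only if the region should be handed to the allocator. */
static bool should_reserve(uint64_t start, uint64_t length)
{
    if (length == 0) {
        fprintf(stderr, "warning: firmware requested 0-length IOVA "
                "reservation at 0x%" PRIx64 ", skipping\n", start);
        return false;
    }
    return true;
}

int main(void)
{
    /* Constructed sample regions: {start, length} */
    const uint64_t regions[][2] = {
        { 0, 0 }, { 0x80000000ULL, 0 }, { 0x80000000ULL, 0x800000ULL } };
    for (size_t i = 0; i < 3; i++) {
        struct pfn_range r = region_to_pfns(regions[i][0], regions[i][1]);
        printf("lo=0x%" PRIx64 " hi=0x%" PRIx64 " ordered=%d covers_all=%d reserve=%d\n",
               r.pfn_lo, r.pfn_hi, range_is_ordered(r), range_covers_all(r),
               should_reserve(regions[i][0], regions[i][1]));
    }
    return 0;
}
```

In this model a zero start with zero length yields a range spanning the whole space, while a nonzero page-aligned start with zero length yields pfn_hi < pfn_lo; the length check rejects both before any range is computed.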
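Vulnerability title
Linux kernel security vulnerability
Vulnerability description
The Linux kernel is the kernel used by Linux, the open-source operating system of the Linux Foundation (USA). The Linux kernel has a security vulnerability that arises because the IOVA rbtree can be corrupted when the bootloader/firmware does not set up the framebuffers.
CVSS information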
N/A
Vulnerability category
Other