Bug 1211597 (CVE-2023-33250) - VUL-0: CVE-2023-33250: kernel-source-azure,kernel-source-rt,kernel-source: use-after-free in iopt_unmap_iova_range in drivers/iommu/iommufd/io_pagetable.c
Summary: VUL-0: CVE-2023-33250: kernel-source-azure,kernel-source-rt,kernel-source: us...
Status: RESOLVED FIXED
Alias: CVE-2023-33250
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/367082/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-33250:5.5:(AV:...
Keywords:
Depends on:
Blocks:
 
Reported: 2023-05-22 12:51 UTC by Thomas Leroy
Modified: 2024-05-07 11:39 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Comment 1 Michal Koutný 2023-05-22 17:18:31 UTC
Reassigning to a concrete person to ensure progress [1] (feel free to pass to next one), see also the process at [2].
 
Looks like a syzbot report with no identified fix so far. Might be interesting to watch for Joerg.
 
[1] https://confluence.suse.com/display/KSS/Kernel+Security+Sentinel
[2] https://wiki.suse.net/index.php/SUSE-Labs/Kernel/Security
Comment 3 Thomas Leroy 2023-05-23 14:07:43 UTC
51fe6141f0f6 (iommufd: Data structure to provide IOVA to PFN mapping) probably introduced the bug.

This commit is very recent and would only make the stable branch affected.
Comment 4 Michal Hocko 2023-07-07 13:32:53 UTC
Joerg, are you aware of any fix for this report? Also is it really worth tracking as security relevant?
Comment 5 Joerg Roedel 2023-08-14 09:18:23 UTC
Upstream fixes are:

dbe245cdf518 iommufd: Call iopt_area_contig_done() under the lock
804ca14d04df iommufd: Do not access the area pointer after unlocking

Both are already in the stable branch via Linux 6.4.4 and in master branch via upstream.

SLE branches are not affected as commit 51fe6141f0f6 is not included in any of them.
Comment 6 Joerg Roedel 2023-08-14 09:18:36 UTC
Assigning back.
Comment 7 Robert Frohl 2024-05-07 11:39:45 UTC
nothing to do