A vulnerability has been discovered in the Linux kernel relating to the IOMMU (Input/Output Memory Management Unit). It has been assigned the identifier CVE-2023-52455 and concerns the reservation of 0-length IOVA (Input/Output Virtual Address) regions. The bug can corrupt the IOVA rbtree, with display driver mappings failing as a consequence. The fix is for the kernel to check the size of each IOVA region and skip the reservation if the size is 0. This post provides a detailed explanation of the vulnerability, a code snippet demonstrating the fix, links to the original references, and details on the exploit.

Vulnerability Details

The problem arises when the bootloader/firmware does not set up the framebuffers, so their address and size appear as 0 in the "iommu-addresses" property. If such a region is reserved with a length of 0, the IOVA rbtree ends up with an entry whose pfn_hi < pfn_lo, corrupting the tree. Display IOMMU mappings can then fail, because when both the address and the length are passed as 0 the entire valid IOVA space ends up reserved.

Here is a brief code snippet demonstrating the fix:

+		if (!size) {
+			pr_warn("iova reservation with size , skipping\n");
+			continue;
+		}
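Review bot: the pr_warn in this hunk does not say which device or firmware node supplied the 0-length region, so whoever sees it in dmesg cannot tell which "iommu-addresses" entry needs fixing; if the struct device is available in this function, a dev_warn() that also prints the region's start address would make the log actionable. Skipping the entry with continue is the right call, since reserving it would insert a node with pfn_hi < pfn_lo.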

By checking the IOVA region's size and skipping the reservation when the size is 0, the kernel prevents the corruption described above. Additionally, a warning is emitted when the firmware requests a 0-length IOVA region reservation.
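As an added illustration (not code from the kernel or from the patch above), this C model shows how a reserved region's start and length become the pfn_lo/pfn_hi pair inserted into the IOVA tree, why a length of 0 yields either an inverted range (pfn_hi < pfn_lo) or, for address 0, one covering the whole IOVA space, and the size check the fix introduces. The 4 KiB granule and the struct and function names are assumptions.

```c
/* Added model of the pre-fix region-to-PFN conversion and of the size
 * check the fix adds. Not kernel code: granule and names are assumed. */
#include <limits.h>
#include <stdbool.h>

#define IOVA_SHIFT 12   /* assumed 4 KiB IOVA granule */

struct resv_region {
    unsigned long start;    /* bus address from "iommu-addresses" */
    unsigned long length;   /* size in bytes; 0 is the buggy case */
};

struct pfn_range {
    unsigned long pfn_lo;
    unsigned long pfn_hi;
};

static unsigned long iova_pfn(unsigned long iova)
{
    return iova >> IOVA_SHIFT;
}

/* Pre-fix behaviour: pfn_hi is derived from start + length - 1, so a
 * length of 0 either lands below pfn_lo or, for start 0, wraps to the
 * top of the address space and covers every valid IOVA. */
struct pfn_range resv_to_pfn_range(const struct resv_region *r)
{
    struct pfn_range p;
    p.pfn_lo = iova_pfn(r->start);
    p.pfn_hi = iova_pfn(r->start + r->length - 1);
    return p;
}

/* Invariant every node in the IOVA rbtree must satisfy. */
bool pfn_range_is_sane(const struct pfn_range *p)
{
    return p->pfn_lo <= p->pfn_hi;
}

/* Post-fix behaviour: refuse 0-length regions before they reach the
 * tree. Returns false when the region must be skipped (the caller logs
 * a warning, as the patch does) or would still be inverted. */
bool try_reserve_region(const struct resv_region *r, struct pfn_range *out)
{
    if (!r->length)
        return false;
    *out = resv_to_pfn_range(r);
    return pfn_range_is_sane(out);
}
```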

Original References

- Linux Git Commit: iommu: Don't reserve 0-length IOVA region
- Linux Kernel Mailing List: PATCH /6

Exploit Details

No exploit for this vulnerability has been publicly disclosed so far. Its impact is limited to display driver mappings failing when the firmware does not handle the "iommu-addresses" property and the corresponding "memory-region" correctly for a system with no display present. Although direct exploitation of this bug may not be severe, it could potentially be used as part of a chain of exploits.

Preventing this issue in the future would require the firmware to remove the "iommu-addresses" property and the corresponding "memory-region" when no display is present. With those properties gone, 0-length IOVA region reservation requests would no longer occur, improving the overall security of the Linux kernel. The kernel should nevertheless remain prepared to handle this situation by checking the size of the IOVA region and skipping the reservation when necessary.

In conclusion, CVE-2023-52455 is a Linux kernel vulnerability that has been resolved through a change to IOVA region reservation. By checking the size of the IOVA region and skipping the reservation when the size is 0, the kernel prevents the corruption from occurring. Going forward, removing the "iommu-addresses" property and the corresponding "memory-region" from the firmware when no display is present can further strengthen the Linux kernel's security.

Timeline

Published on: 02/23/2024 15:15:08 UTC
Last modified on: 04/30/2024 19:34:34 UTC