In the Linux kernel, a vulnerability in s390/vfio-ap has been resolved and assigned the identifier CVE-2024-26620. The issue involves incomplete filtering of the AP matrix, which could lead to unauthorized access to devices by a guest.
The function in question is vfio_ap_mdev_filter_matrix, which is called every time a new adapter or domain is assigned to the mdev. This function updates the guest's AP configuration by filtering the matrix of adapters and domains assigned to the mdev.
Previously, when an adapter or domain was assigned, only the APQNs associated with the APID of the new adapter or APQI of the new domain were inspected. If an APQN did not reference a queue device bound to the vfio_ap device driver, its APID would be filtered from the mdev's matrix when updating the guest's AP configuration.
Because this inspection covers only the APID of the new adapter or the APQI of the new domain, AP queues that are not bound to the vfio_ap device driver can, under certain conditions, be passed through to a guest. The following example illustrates this:
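Guest's AP configuration (all also assigned to the mdev's matrix):
14.0004
14.0005
14.0006
16.0004
16.0005
16.0006

Sequence of operations:
unassign domain 4
unbind queue 16.0005
assign domain 4

When domain 4 is re-assigned, only the APQNs with APQI 4 are inspected:
14.0004
16.0004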
Both of these APQNs reference queue devices that are bound to the vfio_ap device driver; therefore, nothing will be filtered from the mdev's matrix when updating the guest's AP configuration. However, queue 16.0005 will get passed through despite not being bound to the driver. This violates the Linux device model requirement, which mandates that a guest should only have access to devices bound to the device driver facilitating their pass-through.
In order to address this issue, the entire AP matrix will now be inspected for every adapter and domain assigned to the mdev when filtering the mdev's matrix. This update ensures that unauthorized devices do not get passed through to a guest, adhering to the Linux device model requirements and addressing CVE-2024-26620.
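The scenario above, replayed in a simplified C model (an added example, not the kernel's code; the struct, array and function names are hypothetical, and bool arrays stand in for the kernel's bitmaps). It runs the filter once over only the newly assigned domain and once over the entire matrix, then counts the unbound queues left in the guest's configuration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Simplified model, not kernel code: bool arrays stand in for the APID/APQI
 * bitmaps, and every name below is hypothetical. */
#define MAX_ID 32
struct matrix { bool apm[MAX_ID], aqm[MAX_ID]; };  /* adapters, domains */
static bool bound[MAX_ID][MAX_ID];  /* is queue apid.apqi bound to vfio_ap? */

/* Rebuild the guest matrix from the mdev matrix, dropping an APID as soon as an
 * inspected APQN on it has no bound queue. only_apqi >= 0 models the old
 * behaviour (inspect just the newly assigned domain); -1 inspects everything. */
static void filter_matrix(const struct matrix *mdev, struct matrix *guest, int only_apqi)
{
    *guest = *mdev;
    for (int apid = 0; apid < MAX_ID; apid++) {
        for (int apqi = 0; mdev->apm[apid] && apqi < MAX_ID; apqi++) {
            if (!mdev->aqm[apqi] || (only_apqi >= 0 && apqi != only_apqi))
                continue;
            if (!bound[apid][apqi]) {
                guest->apm[apid] = false;
                break;
            }
        }
    }
}

/* Replay the page's scenario; return how many APQNs in the guest's
 * configuration reference a queue that is not bound to the driver. */
static int replay(bool inspect_entire_matrix)
{
    struct matrix mdev = {0}, guest;
    int leaked = 0;
    memset(bound, 0, sizeof(bound));
    mdev.apm[0x14] = mdev.apm[0x16] = true;
    for (int apqi = 4; apqi <= 6; apqi++)
        mdev.aqm[apqi] = bound[0x14][apqi] = bound[0x16][apqi] = true;
    mdev.aqm[4] = false;      /* unassign domain 4 */
    bound[0x16][5] = false;   /* unbind queue 16.0005 */
    mdev.aqm[4] = true;       /* assign domain 4, then filter */
    filter_matrix(&mdev, &guest, inspect_entire_matrix ? -1 : 4);
    for (int apid = 0; apid < MAX_ID; apid++)
        for (int apqi = 0; apqi < MAX_ID; apqi++)
            leaked += guest.apm[apid] && guest.aqm[apqi] && !bound[apid][apqi];
    return leaked;
}

int main(void) { printf("old: %d, fixed: %d\n", replay(false), replay(true)); return 0; }
```

With the whole matrix inspected, adapter 16 is filtered out of the guest's configuration because one of its queues is unbound, which is the APID-level filtering the text describes.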
For more information and to view the original references for this issue, you can follow the links below:
- Linux kernel source code
- vfio_ap source code
The resolution of this vulnerability highlights the importance of thorough code analysis and the continuous improvement of the Linux kernel. Users are encouraged to keep their systems up-to-date with the latest patches and security updates to ensure the highest level of protection.
Timeline
Published on: 03/11/2024 18:15:19 UTC
Last modified on: 05/29/2024 05:19:39 UTC