Entreprise française de cybersécurité depuis 2004
☎ 03 60 47 09 81 - info@securiteinfo.com
☎ 03 60 47 09 81 - info@securiteinfo.com
In the Linux kernel, the following vulnerability has been resolved:vhost_vdpa: assign irq bypass producer token correctlyWe used to call irq_bypass_unregister_producer() invhost_vdpa_setup_vq_irq() which is problematic as we don't know if thetoken pointer is still valid or not.Actually, we use the eventfd_ctx as the token so the life cycle of thetoken should be bound to the VHOST_SET_VRING_CALL instead ofvhost_vdpa_setup_vq_irq() which could be called by set_status().Fixing this by setting up irq bypass producer's token when handlingVHOST_SET_VRING_CALL and un-registering the producer before callingvhost_vring_ioctl() to prevent a possible use after free as eventfdcould have been released in vhost_vring_ioctl(). And such registeringand unregistering will only be done if DRIVER_OK is set.
No PoCs from references.
- https://github.com/fkie-cad/nvd-json-data-feeds
- https://github.com/w4zu/Debian_security