CVE-2025-38062 Information

Description

In the Linux kernel the following vulnerability has been resolved:

genirq/msi: Store the IOMMU IOVA directly in msi_desc instead of iommu_cookie

The IOMMU translation for MSI message addresses has been a 2-step process separated in time:

  1. iommu_dma_prepare_msi(): A cookie pointer containing the IOVA address is stored in the MSI descriptor when an MSI interrupt is allocated.

  2. iommu_dma_compose_msi_msg(): This cookie pointer is used to compute a translated message address.

This has an inherent lifetime problem for the pointer stored in the cookie, which must remain valid between the two steps. However, there is no locking at the irq layer that helps protect the lifetime. Today this works under the assumption that the iommu domain is not changed while MSI interrupts are being programmed. This is true for normal DMA API users within the kernel, as the iommu domain is attached before the driver is probed and cannot be changed while a driver is attached.

Classic VFIO type1 also prevented changing the iommu domain while VFIO was running as it does not support changing the

References

https://git.kernel.org/stable/c/1f7df3a691740a7736bbc99dc4ed536120eb4746
https://git.kernel.org/stable/c/53f42776e435f63e5f8e61955e4c205dbfeaf524
https://git.kernel.org/stable/c/856152eb91e67858a09e30a7149a1f29b04b7384
https://git.kernel.org/stable/c/ba41e4e627db51d914444aee0b93eb67f31fa330
https://git.kernel.org/stable/c/e4d3763223c7b72ded53425207075e7453b4e3d5

CNNVD-202506-2197 (Published: 2025-06-18)