Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*, +4 more
A vulnerability has been identified in the Linux kernel's IOMMU (Input-Output Memory Management Unit) subsystem, specifically in the IOMMU file descriptor (iommufd) handling. The issue arises from incorrect management of the 'end' parameter during batch processing, which can lead to a NULL pointer dereference. The vulnerability was introduced in version 6.5.0-rc1 and affects the stable branch of the Linux kernel. When the 'end' parameter is not properly set, batch processing mishandles page frame numbers (PFNs). As a result, a self-test that exercises this functionality can intermittently fail, triggering a kernel panic from the NULL pointer dereference. The issue is documented in the Linux kernel's stable tree and relates to the handling of PFNs for IOMMU domains.
Exploitation of this vulnerability results in a kernel NULL pointer dereference and a crash. The dereference occurs in the iommufd code, specifically in the batch unpinning path, where the 'end' parameter is incorrectly managed. This mismanagement disrupts the handling of page frame numbers in the batch, leading to the observed crash.
The vulnerability can be reproduced by running Linux kernel version 6.5.0-rc1 with the iommufd self-test. The test case 'iommufd_ioas.mock_domain.access_domain_destory' exercises IOMMU domain access handling. Because of the vulnerability, this test occasionally fails with a kernel panic: the kernel dereferences a NULL pointer that was never properly initialised because the 'end' parameter in batch processing was not correctly set. The crash is visible in the kernel logs as a NULL pointer dereference report accompanied by a page fault error indicating a supervisor read access violation in kernel mode.
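The advisory identifies the crash only by its kernel-log signature (a NULL pointer dereference report followed by a supervisor read fault in kernel mode), so a practitioner triaging a fleet of test hosts needs to pick that signature out of dmesg. The following Python script is an added example, not code from the advisory or from the kernel project: it parses dmesg-style lines into structured oops records and filters for the combination the advisory describes. The sample log is constructed for this example; the faulting symbol name and the `[iommufd]` module tag in it are assumptions for illustration, not values taken from the advisory.

```python
import re

# Constructed sample kernel log for this example (not a capture from the
# advisory). The "RIP" symbol name and the [iommufd] module tag are
# assumptions chosen for illustration. The second oops is unrelated and
# is included to show that it is filtered out.
SAMPLE_DMESG = """\
[  512.318877] BUG: kernel NULL pointer dereference, address: 0000000000000008
[  512.319002] #PF: supervisor read access in kernel mode
[  512.319101] #PF: error_code(0x0000) - not-present page
[  512.319198] Oops: 0000 [#1] PREEMPT SMP NOPTI
[  512.319310] RIP: 0010:batch_unpin+0x5c/0x1f0 [iommufd]
[  512.320000] ---[ end trace 0000000000000000 ]---
[  640.100000] BUG: unable to handle page fault for address: ffffc90000abcdef
[  640.100100] #PF: supervisor write access in kernel mode
[  640.100200] RIP: 0010:some_other_driver_fn+0x10/0x80
[  640.100300] ---[ end trace 0000000000000000 ]---
"""

TIMESTAMP_RE = re.compile(r"^\[\s*\d+\.\d+\]\s*")
NULL_DEREF_RE = re.compile(
    r"BUG: kernel NULL pointer dereference, address: (?P<addr>[0-9a-fA-F]+)")
PF_RE = re.compile(
    r"#PF: (?P<priv>supervisor|user) (?P<kind>read|write|instruction fetch) "
    r"access in (?P<mode>kernel|user) mode")
RIP_RE = re.compile(
    r"RIP: [0-9a-f]{4}:(?P<symbol>[A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+"
    r"(?: \[(?P<module>\w+)\])?")


def find_null_deref_oops(log_text):
    """Parse dmesg-style text and return one dict per NULL pointer
    dereference oops: faulting address, privilege/access kind, CPU mode,
    faulting symbol and (if the code lives in a module) the module name."""
    findings = []
    current = None
    for raw in log_text.splitlines():
        line = TIMESTAMP_RE.sub("", raw)
        m = NULL_DEREF_RE.search(line)
        if m:
            current = {"address": int(m.group("addr"), 16), "access": None,
                       "mode": None, "symbol": None, "module": None}
            findings.append(current)
            continue
        if current is None:
            continue  # lines outside a NULL-deref oops block are ignored
        m = PF_RE.search(line)
        if m:
            current["access"] = f"{m.group('priv')} {m.group('kind')}"
            current["mode"] = m.group("mode")
        m = RIP_RE.search(line)
        if m:
            current["symbol"] = m.group("symbol")
            current["module"] = m.group("module")
        if "end trace" in line:
            current = None  # oops block closed
    return findings


def matches_advisory_signature(finding):
    """True when the oops is a supervisor read fault in kernel mode, the
    combination the advisory describes, and the faulting code is tagged as
    the iommufd module. When iommufd is built into the kernel the module
    tag is absent, so the symbol must then be inspected by hand."""
    return (finding["mode"] == "kernel"
            and finding["access"] == "supervisor read"
            and finding["module"] == "iommufd")


def triage(log_text):
    """Return the findings in log_text that match the advisory's signature."""
    return [f for f in find_null_deref_oops(log_text)
            if matches_advisory_signature(f)]


if __name__ == "__main__":
    for f in triage(SAMPLE_DMESG):
        print(f"NULL deref at 0x{f['address']:x} in {f['symbol']} [{f['module']}]")
```

On a real host, feed `triage()` the output of `dmesg` or the contents of the journal; a non-empty result on a kernel at or after 6.5.0-rc1 that has not taken the stable fix is the condition the advisory describes, and the `address` field distinguishes a true NULL base (small offsets) from an unrelated bad pointer.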
Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been addressed. The specific commit that resolves this issue is available in the Linux kernel stable tree.