Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
- >= 6.16.0, < 6.16.0-rc1
A vulnerability in the Linux kernel's IOMMU (Input-Output Memory Management Unit) handling can lead to a general protection fault. In legacy mode, when the Translation Type (TT) field of a context entry is not set to one of the specific values that use it, the hardware ignores the SSPTPTR (the pointer to the second-stage page table). The field may therefore be left uninitialized or zero, and code that dereferences it anyway can crash by accessing a non-canonical address. The fix modifies the debugfs page-table dump logic so that it does not walk the page table when the TT field is not in one of the required states.
Exploitation of this vulnerability can cause a general protection fault, leading to a crash of the affected process.
The issue reproduces on an affected Linux kernel with the IOMMU in legacy mode. When the Translation Type is a value other than 00b or 01b, the SSPTPTR is ignored, so it can hold an uninitialized or zero value. Dumping the page table in that state triggers a general protection fault, likely from accessing a non-canonical address, causing the system to oops and log an error.
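The check that the fix adds to the dump path, as an added C example that is not the kernel's own code: it models a legacy-mode VT-d context entry (bit 0 Present, bits 3:2 TT, bits 63:12 SSPTPTR, as laid out in the VT-d specification) and skips the page-table walk for any entry whose TT is not 00b or 01b. The sample table entries are constructed, including the pass-through entry with SSPTPTR left zero that corresponds to the crashing case described above.

```c
/* Added example, not kernel code: models the check the fix adds to the
 * Intel VT-d debugfs page-table dump in legacy (non-scalable) mode. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Legacy-mode context entry (128 bits). Low qword layout per the VT-d spec:
 * bit 0 P (present), bit 1 FPD, bits 3:2 TT, bits 63:12 SSPTPTR. */
struct ctx_entry {
    uint64_t lo;
    uint64_t hi;
};

enum { CTX_TT_MULTI_LEVEL = 0, CTX_TT_DEV_IOTLB = 1, CTX_TT_PASS_THROUGH = 2 };

static inline bool ctx_present(const struct ctx_entry *c) { return c->lo & 1ULL; }
static inline unsigned ctx_tt(const struct ctx_entry *c) { return (unsigned)((c->lo >> 2) & 3ULL); }
static inline uint64_t ctx_ssptptr(const struct ctx_entry *c) { return c->lo & ~0xfffULL; }

/* SSPTPTR is only meaningful when TT is 00b or 01b. For pass-through (10b)
 * or the reserved 11b the hardware ignores it, so it may be zero or stale
 * and a dump must not dereference it. */
bool ctx_page_table_valid(const struct ctx_entry *c)
{
    if (!ctx_present(c))
        return false;
    return ctx_tt(c) == CTX_TT_MULTI_LEVEL || ctx_tt(c) == CTX_TT_DEV_IOTLB;
}

/* Walks a context table and returns how many entries were safe to dump.
 * The real dump would follow SSPTPTR into the second-stage table here. */
size_t dump_context_table(const struct ctx_entry *tbl, size_t n)
{
    size_t walked = 0;
    for (size_t i = 0; i < n; i++) {
        if (!ctx_page_table_valid(&tbl[i])) {
            printf("entry %zu: TT=%u, skipping page table dump\n", i, ctx_tt(&tbl[i]));
            continue;
        }
        printf("entry %zu: TT=%u, SSPTPTR=0x%llx\n", i, ctx_tt(&tbl[i]),
               (unsigned long long)ctx_ssptptr(&tbl[i]));
        walked++;
    }
    return walked;
}

/* Constructed sample table: one second-level entry, one pass-through entry
 * with SSPTPTR left zero (the crashing case), one reserved TT, one absent. */
const struct ctx_entry sample_table[4] = {
    { .lo = 0x12345000ULL | (CTX_TT_MULTI_LEVEL << 2) | 1ULL, .hi = 0 },
    { .lo = (CTX_TT_PASS_THROUGH << 2) | 1ULL, .hi = 0 },
    { .lo = 0xdead000ULL | (3ULL << 2) | 1ULL, .hi = 0 },
    { .lo = 0x12345000ULL, .hi = 0 },
};
```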
Users can upgrade to the latest stable version of the Linux kernel, where this vulnerability has been fixed. The specific commit addressing this issue is available in the Linux kernel stable tree.