Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
A potential out-of-bounds read vulnerability has been identified in the Linux kernel's AMD IOMMU handling. The 'iommu_mmio_write()' function validates user-provided offsets on the assumption of a 4-byte access, but the corresponding 'iommu_mmio_show()' function performs an 8-byte read. Because of this mismatch, a user can provide an offset that passes the check yet leads to a 4-byte out-of-bounds read. The vulnerability affects the Linux kernel stable tree.
Exploitation of this vulnerability could lead to a memory read beyond the intended bounds, potentially allowing for information leakage or other memory-related issues.
The vulnerability can be reproduced by supplying 'iommu_mmio_write()' with an offset equal to 'mmio_phys_end - 4'. This offset passes the validation check but causes an out-of-bounds read when 'iommu_mmio_show()' is called, because the read is 8 bytes wide while the check assumed 4.
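A user-space model of the width mismatch described above, added here as an illustration; it is not the kernel's code. `REGION_END` is a constructed value standing in for `mmio_phys_end`, and the function names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed region size; stands in for the page's mmio_phys_end. */
#define REGION_END 0x4000u

/* Model of the flawed validation: assumes every access is 4 bytes wide. */
static bool offset_ok_assume4(uint64_t off, uint64_t end)
{
    return end >= 4 && off <= end - 4;
}

/* Hardened validation: bound the offset by the width actually read.
 * The subtraction is done on the trusted bound so off + width cannot wrap. */
static bool offset_ok_for_width(uint64_t off, uint64_t end, size_t width)
{
    return width != 0 && end >= width && off <= end - width;
}

/* Bytes a read of `width` at `off` would touch past `end` (0 if in bounds). */
static uint64_t overrun_bytes(uint64_t off, uint64_t end, size_t width)
{
    if (off >= end)
        return width;
    return (end - off >= width) ? 0 : width - (end - off);
}

int main(void)
{
    /* Constructed probe offsets: start, last valid 8-byte slot, last 4-byte slot. */
    const uint64_t probes[] = { 0, REGION_END - 8, REGION_END - 4 };

    for (size_t i = 0; i < sizeof(probes) / sizeof(probes[0]); i++) {
        uint64_t off = probes[i];
        printf("off=0x%llx assume4=%d width8=%d overrun=%llu\n",
               (unsigned long long)off,
               offset_ok_assume4(off, REGION_END),
               offset_ok_for_width(off, REGION_END, sizeof(uint64_t)),
               (unsigned long long)overrun_bytes(off, REGION_END, sizeof(uint64_t)));
    }
    return 0;
}
```

Deriving the bound from the width of the access that is actually performed keeps the check and the read from drifting apart.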
Users can upgrade to the patched version of the Linux kernel, which is available in the Linux kernel stable tree.