Linux Kernel IOMMU Shared Virtual Addressing Vulnerability on x86 Architecture

Vulnerability

A vulnerability in the Linux kernel's IOMMU Shared Virtual Addressing (SVA) implementation on the x86 architecture can lead to use-after-free and write-after-free conditions. The issue arises because the IOMMU can cache kernel page table entries: when a kernel page table page is freed and reallocated, the IOMMU may still hold stale, incorrect entries. Exploitation of this vulnerability could result in privilege escalation or data corruption. The problem is exacerbated by the lack of a notification mechanism for changes in kernel page tables, which leaves the IOMMU with outdated information that could be misinterpreted as valid, potentially allowing access to unauthorized memory or resources.

Impact

Exploitation can lead to use-after-free and write-after-free conditions, causing arbitrary physical memory DMA access, privilege escalation, or data corruption.

Reproduction

The vulnerability can be reproduced by enabling IOMMU Shared Virtual Addressing on an x86 system. When kernel page table pages are freed and later reallocated, the IOMMU may incorrectly cache the new data as valid page table entries. This can be verified by observing how the IOMMU handles the cached entries; the stale entries may lead to unauthorized access to, or modification of, memory.

Remediation

The vulnerability has been addressed in the Linux kernel by introducing a deferred freeing mechanism for kernel page table pages. This allows the IOMMU to invalidate its caches before the page is reused, preventing the retention of stale entries. Users should upgrade to the latest version of the Linux kernel where this fix has been applied.
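
A user-space model of the stale-cache condition and of the deferred-free fix described above, added here as an illustration; it is not kernel code, and every type and function name in it is hypothetical. It tracks page reuse with a generation counter instead of touching freed memory.

```c
#include <stdio.h>
#include <string.h>

#define NPAGES 4
/* Toy model: all names are hypothetical, none is a kernel symbol. */
struct page { int in_use; unsigned gen; };              /* gen bumps on each (re)allocation */
struct iommu_cache { int valid, slot; unsigned gen; };  /* cached pointer to a page-table page */

static struct page pool[NPAGES];
static struct iommu_cache cache;
static int pending[NPAGES], npending;

static void reset(void) { memset(pool, 0, sizeof pool); cache.valid = 0; npending = 0; }
static int alloc_page(void) {
    for (int i = 0; i < NPAGES; i++)
        if (!pool[i].in_use) { pool[i].in_use = 1; pool[i].gen++; return i; }
    return -1;
}
/* The IOMMU caches an entry that points at page-table page `slot`. */
static void iommu_cache_fill(int slot) { cache = (struct iommu_cache){1, slot, pool[slot].gen}; }
/* 1 if a hardware walk through the cache would read a freed or reused page. */
static int iommu_walk_is_stale(void) {
    return cache.valid && (!pool[cache.slot].in_use || pool[cache.slot].gen != cache.gen);
}
/* Pre-fix behaviour: the page returns to the allocator at once. */
static void free_now(int slot) { pool[slot].in_use = 0; }
/* Fixed behaviour: park the page, invalidate the IOMMU cache, then release it. */
static void free_deferred(int slot) { pending[npending++] = slot; }
static void flush_deferred(void) {
    cache.valid = 0;                        /* invalidate before reuse becomes possible */
    while (npending) pool[pending[--npending]].in_use = 0;
}
int scenario_immediate(void) {
    reset();
    int pt = alloc_page(); iommu_cache_fill(pt);
    free_now(pt);
    alloc_page();                           /* same slot handed out for unrelated data */
    return iommu_walk_is_stale();
}
int scenario_deferred(void) {
    reset();
    int pt = alloc_page(); iommu_cache_fill(pt);
    free_deferred(pt);
    int other = alloc_page();               /* must not land on the parked page */
    int bad = (other == pt) || iommu_walk_is_stale();
    flush_deferred();
    alloc_page();                           /* reuse is safe now: cache was invalidated */
    return bad || iommu_walk_is_stale();
}
int main(void) {
    printf("immediate free: stale walk = %d\n", scenario_immediate());
    printf("deferred free:  stale walk = %d\n", scenario_deferred());
    return 0;
}
```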

Added: Jan 13, 2026, 4:46 PM
Updated: Jan 13, 2026, 4:46 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 7.5
exploitability: 4.3
remediation: 7.9
relevance: 2.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.