Linux Kernel GICv3 ITS Driver Memory Address Truncation Vulnerability on 32-bit ARM LPAE

Vulnerability

A vulnerability in the Linux kernel's GICv3 ITS driver can lead to memory address truncation on 32-bit ARM machines with LPAE enabled. In this configuration, low memory allocations can be backed by physical addresses above the 32-bit limit. The ITS driver stores physical addresses in 'unsigned long' variables, which are 32 bits wide on these machines and cannot hold an address above 4GB, so the upper bits of such an address are lost and the QEMU virtual model crashes. The driver needs to be updated to use the correct data type for physical addresses, as the GICv5 driver already does by using 64-bit variables. This vulnerability affects the Linux kernel stable tree.
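The truncation described above, as an added example that is not the kernel's code: fixed-width types model the assumed widths of 'unsigned long' (32 bits) and of a physical address (64 bits) on 32-bit ARM with LPAE. The type names, the register layout and the sample addresses are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Assumed widths on 32-bit ARM with CONFIG_ARM_LPAE, modelled with
 * fixed-width types so the result is the same on any build host. */
typedef uint32_t arm32_ulong;   /* stands in for 'unsigned long' */
typedef uint64_t lpae_phys;     /* stands in for a 64-bit physical address */

/* Hypothetical register layout for illustration only: bit 63 = valid,
 * bits 47:12 = physical address of a 4 KiB-aligned table. */
#define REG_VALID     (1ULL << 63)
#define REG_ADDR_MASK 0x0000FFFFFFFFF000ULL

/* Buggy pattern: the address passes through a 32-bit variable. */
uint64_t reg_from_ulong(lpae_phys table_pa)
{
    arm32_ulong pa = (arm32_ulong)table_pa;   /* bits 63:32 are lost here */
    return REG_VALID | ((uint64_t)pa & REG_ADDR_MASK);
}

/* Corrected pattern: the address stays in a 64-bit type end to end. */
uint64_t reg_from_phys(lpae_phys table_pa)
{
    return REG_VALID | (table_pa & REG_ADDR_MASK);
}

/* Address the device would use after decoding the register value. */
lpae_phys reg_to_pa(uint64_t reg) { return reg & REG_ADDR_MASK; }

/* Counts how many of the n addresses the buggy path points elsewhere. */
size_t count_redirected(const lpae_phys *pa, size_t n)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++)
        if (reg_to_pa(reg_from_ulong(pa[i])) != pa[i])
            bad++;
    return bad;
}

/* Constructed sample addresses: two below 4 GiB, two above. */
static const lpae_phys sample_pa[] = {
    0x0000000080000000ULL, 0x00000000FFFFF000ULL,
    0x0000000100000000ULL, 0x0000000880010000ULL,
};

int main(void)
{
    printf("redirected: %zu of 4\n", count_redirected(sample_pa, 4));
    return 0;
}
```

Addresses below 4 GiB produce the same register value on both paths, which is why the defect only shows up once an allocation is backed by memory above the 32-bit limit.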

Impact

The vulnerability can cause the QEMU virtual model to crash when using the GICv3 ITS driver, disrupting the operation of a virtio-based guest.

Reproduction

The vulnerability can be reproduced on a 32-bit machine with CONFIG_ARM_LPAE enabled. When the system is configured to allocate low memory above the 32-bit address limit, the GICv3 ITS driver will crash. This can be tested by running a QEMU virtual machine with a 32-bit guest that uses the GICv3 ITS driver.

Remediation

The vulnerability has been addressed in the Linux kernel. Users should upgrade to the latest version of the stable Linux kernel where this issue has been fixed.

Added: Feb 4, 2026, 5:48 PM
Updated: Feb 4, 2026, 5:48 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 5.3
remediation: 7.7
relevance: 2.7
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.