Linux Kernel IOMMU SVA Use-After-Free Vulnerability Leading to Crash

Vulnerability

A use-after-free vulnerability has been identified in the Linux kernel's IOMMU SVA (Shared Virtual Addressing) implementation. This issue arises in the 'iommu_sva_unbind_device' function, where the 'domain->mm->iommu_mm' pointer can be accessed after it has been freed by the 'iommu_domain_free' function. This improper access can dereference a freed memory structure, causing a crash. The vulnerability affects the Linux kernel stable tree.

Impact

Exploitation of this vulnerability leads to a crash of the Linux kernel, causing a denial of service condition.

Reproduction

The vulnerability can be reproduced by unbinding a device from the IOMMU SVA domain when the IOMMU domain has already been freed. This requires manipulating the reference counts and the list management of the IOMMU SVA domains through a series of device unbinding operations that bypass the proper synchronization and reference management, so that the 'iommu_sva_unbind_device' function accesses a freed 'mm' structure.
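An added illustration, not code from the kernel or from the fix commit: a user-space C model of the ordering problem described above, where the free runs before the last access through 'domain->mm'. All struct and function names are hypothetical, and the assumption that the domain's final mm reference is what releases 'iommu_mm' belongs to the model.

```c
#include <stdio.h>

/* Simplified user-space model; all names are hypothetical, not kernel code. */
struct iommu_mm { int live; int sva_domains; };   /* live == 0 means "freed" */
struct mm       { int refs; struct iommu_mm *iommu_mm; };
struct domain   { int users; struct mm *mm; };
static int stale_reads;   /* accesses made after the object was released */

/* Checked accessor, standing in for what KASAN reports on a real kernel. */
static int *sva_count(struct iommu_mm *im) {
    if (!im->live) stale_reads++;
    return &im->sva_domains;
}

/* Assumption: the domain holds an mm reference, and the last drop releases
 * iommu_mm. The object is only marked dead, so the model has no real UAF. */
static void domain_free(struct domain *d) {
    if (--d->mm->refs == 0) d->mm->iommu_mm->live = 0;
}

/* Ordering from the advisory: free the domain, then go through domain->mm. */
static void unbind_free_first(struct domain *d) {
    if (--d->users == 0) domain_free(d);
    (*sva_count(d->mm->iommu_mm))--;
}

/* Safe ordering: finish the iommu_mm bookkeeping before the free. */
static void unbind_free_last(struct domain *d) {
    (*sva_count(d->mm->iommu_mm))--;
    if (--d->users == 0) domain_free(d);
}

/* Constructed scenario: the domain owns the last reference to the mm. */
static int run_scenario(void (*unbind)(struct domain *)) {
    struct iommu_mm im = { 1, 1 };
    struct mm mm = { 1, &im };
    struct domain d = { 1, &mm };
    stale_reads = 0;
    unbind(&d);
    return stale_reads;
}

int main(void) {
    printf("free first: %d stale access(es)\n", run_scenario(unbind_free_first));
    printf("free last:  %d stale access(es)\n", run_scenario(unbind_free_last));
    return 0;
}
```

On a real kernel the stale access is not counted but dereferences released memory, which is the crash the advisory describes; a KASAN-enabled build reports it at the offending line.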

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been patched. The specific commit that addresses this issue is '06e14c36e20b48171df13d51b89fe67c594ed07a', which is available in the Linux kernel stable tree.

Added: Apr 3, 2026, 5:18 PM
Updated: Apr 3, 2026, 5:18 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 2.5
exploitability: 4.3
remediation: 7.7
relevance: 5.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.