Linux Kernel IOMMU PASID Table Cache Flush Vulnerability

Vulnerability

A vulnerability exists in the Linux kernel's IOMMU (Input-Output Memory Management Unit) handling of Process Address Space ID (PASID) tables. When a new, zero-initialized PASID table is allocated, its address is written to the PASID directory entry before the CPU cache is flushed. Because the zeroes may still be sitting in the CPU cache at that point, non-coherent IOMMU hardware could use the PASID table while the memory it reads still contains random, uninitialized data. The issue has been addressed by ensuring that the cache is flushed after the PASID table is allocated but before it is used.
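The ordering problem described above, as an added user-space illustration that is not kernel code and not part of the original advisory. It assumes a toy model in which `ram` is what a non-coherent device reads and `cache` holds CPU writes until flushed; every name in it (`struct model`, `device_walk`, the `STALE` pattern) is constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define ENTRIES 8                      /* constructed table size */
#define STALE   0xdeadbeefcafef00dULL  /* constructed leftover page contents */

/* Toy model, not kernel code: the device reads ram; cache holds CPU writes. */
struct model {
    uint64_t ram[ENTRIES];
    uint64_t cache[ENTRIES];
    bool published;                    /* directory entry points at the table */
};

/* Zeroing allocation: zeroes land in the CPU cache, RAM keeps the old data. */
static void alloc_zeroed_table(struct model *m) {
    for (int i = 0; i < ENTRIES; i++) m->ram[i] = STALE;
    memset(m->cache, 0, sizeof(m->cache));
    m->published = false;
}

/* Cache flush: write the dirty lines back so the device can see them. */
static void flush_table(struct model *m) { memcpy(m->ram, m->cache, sizeof(m->ram)); }

/* Device table walk: count entries that read back as non-zero garbage. */
static int device_walk(const struct model *m) {
    int bad = 0;
    for (int i = 0; m->published && i < ENTRIES; i++) bad += (m->ram[i] != 0);
    return bad;
}

/* Vulnerable order: publish the table address, then flush. */
static int setup_publish_then_flush(struct model *m) {
    alloc_zeroed_table(m);
    m->published = true;
    int seen = device_walk(m);         /* device walks inside the window */
    flush_table(m);
    return seen;
}

/* Fixed order: flush first, publish only once RAM holds the zeroes. */
static int setup_flush_then_publish(struct model *m) {
    alloc_zeroed_table(m);
    flush_table(m);
    m->published = true;
    return device_walk(m);
}

int main(void) {
    struct model m;
    printf("publish-then-flush: %d stale entries\n", setup_publish_then_flush(&m));
    printf("flush-then-publish: %d stale entries\n", setup_flush_then_publish(&m));
}
```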

Impact

The vulnerability could lead to the use of stale data in the PASID table, potentially causing incorrect behavior in IOMMU operations that rely on PASID management.

Reproduction

The vulnerability can be reproduced by allocating a PASID table and immediately writing its address to the PASID directory entry without first flushing the CPU cache. This can be done by modifying the IOMMU driver's handling of PASID tables to introduce a delay between the allocation and the cache flush, allowing non-coherent IOMMU hardware to access the uninitialized data.

Remediation

Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version are available on the Linux kernel's official website.

Added: May 28, 2026, 2:22 AM
Updated: May 28, 2026, 2:22 AM

Vulnerability Rating

Custom Algorithm
spread: 9.0
impact: 0.6
exploitability: 3.9
remediation: 7.7
relevance: 9.1
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.