CVE-2024-47748

HIGH

Linux Kernel 5.9-6.11.1 - Use-After-Free in vhost_vdpa IRQ Bypass Producer Token Handling

Title source: llm
STIX 2.1

Description

In the Linux kernel, the following vulnerability has been resolved: vhost_vdpa: assign irq bypass producer token correctly We used to call irq_bypass_unregister_producer() in vhost_vdpa_setup_vq_irq() which is problematic as we don't know if the token pointer is still valid or not. Actually, we use the eventfd_ctx as the token so the life cycle of the token should be bound to the VHOST_SET_VRING_CALL instead of vhost_vdpa_setup_vq_irq() which could be called by set_status(). Fixing this by setting up irq bypass producer's token when handling VHOST_SET_VRING_CALL and un-registering the producer before calling vhost_vring_ioctl() to prevent a possible use after free as eventfd could have been released in vhost_vring_ioctl(). And such registering and unregistering will only be done if DRIVER_OK is set.

References (9)

Core 9

Scores

CVSS v3 7.8
EPSS 0.0021
EPSS Percentile 11.5%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-416
Status published
Products (23)
linux/Kernel 5.11.0 - 5.15.168linux
linux/Kernel 5.16.0 - 6.1.113linux
linux/Kernel 5.9.0 - 5.10.227linux
linux/Kernel 6.11.0 - 6.11.2linux
linux/Kernel 6.2.0 - 6.6.54linux
linux/Kernel 6.7.0 - 6.10.13linux
Linux/Linux < 5.9
Linux/Linux 2cf1ba9a4d15cb78b96ea97f727b93382c3f9a60 - 02e9e9366fefe461719da5d173385b6685f70319
Linux/Linux 2cf1ba9a4d15cb78b96ea97f727b93382c3f9a60 - 0c170b1e918b9afac25e2bbd01eaa2bfc0ece8c0
Linux/Linux 2cf1ba9a4d15cb78b96ea97f727b93382c3f9a60 - 7cf2fb51175cafe01df8c43fa15a06194a59c6e2
... and 13 more
Published Oct 21, 2024
Tracked Since Feb 18, 2026