References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

Change History

In the Linux kernel, the following vulnerability has been resolved:

iommu/amd: Fix potential out-of-bounds read in iommu_mmio_show

In iommu_mmio_write(), it validates the user-provided offset with the
check: `iommu->dbg_mmio_offset > iommu->mmio_phys_end - 4`.
This assumes a 4-byte access. However, the corresponding
show handler, iommu_mmio_show(), uses readq() to perform an 8-byte
(64-bit) read.

If a user provides an offset equal to `mmio_phys_end - 4`, the check
passes, and will lead to a 4-byte out-of-bounds read.

Fix this by adjusting the boundary check to use sizeof(u64), which
corresponds to the size of the readq() operation.

https://git.kernel.org/stable/c/0ec4aaf5f3f559716a6559f3d6d9616e9470bed6

https://git.kernel.org/stable/c/a0c7005333f9a968abb058b1d77bbcd7fb7fd1e7

https://git.kernel.org/stable/c/b959df804c33913dbfdb90750f2d693502b3d126