CVE-2024-35814: swiotlb: Fix double-allocation of slots due to broken alignment handling

Published May 17, 2024
·
Updated

In the Linux kernel, the following vulnerability has been resolved:

swiotlb: Fix double-allocation of slots due to broken alignment handling

Commit bbb73a103fbb ("swiotlb: fix a braino in the alignment check fix"), which was a fix for commit 0eee5ae10256 ("swiotlb: fix slot alignment checks"), causes a functional regression with vsock in a virtual machine using bouncing via a restricted DMA SWIOTLB pool.

When virtio allocates the virtqueues for the vsock device using dmaalloccoherent(), the SWIOTLB search can return page-unaligned allocations if 'area->index' was left unaligned by a previous allocation from the buffer:

# Final address in brackets is the SWIOTLB address returned to the caller | virtio-pci 0000:00:07.0: origaddr 0x0 allocsize 0x2000, iotlbalignmask 0x800 stride 0x2: got slot 1645-1649/7168 (0x98326800) | virtio-pci 0000:00:07.0: origaddr 0x0 allocsize 0x2000, iotlbalignmask 0x800 stride 0x2: got slot 1649-1653/7168 (0x98328800) | virtio-pci 0000:00:07.0: origaddr 0x0 allocsize 0x2000, iotlbalignmask 0x800 stride 0x2: got slot 1653-1657/7168 (0x9832a800)

This ends badly (typically buffer corruption and/or a hang) because swiotlballoc() is expecting a page-aligned allocation and so blindly returns a pointer to the 'struct page' corresponding to the allocation, therefore double-allocating the first half (2KiB slot) of the 4KiB page.

Fix the problem by treating the allocation alignment separately to any additional alignment requirements from the device, using the maximum of the two as the stride to search the buffer slots and taking care to ensure a minimum of page-alignment for buffers larger than a page.

This also resolves swiotlb allocation failures occuring due to the inclusion of ~PAGEMASK in 'iotlbalignmask' for large allocations and resulting in alignment requirements exceeding swiotlbmaxmappingsize().

Other sources

In the Linux kernel, the following vulnerability has been resolved:

swiotlb: Fix double-allocation of slots due to broken alignment handling

The Linux kernel CVE team has assigned CVE-2024-35814 to this issue.

Upstream advisory: https://lore.kernel.org/linux-cve-announce/2024051742-CVE-2024-35814-98c7@gregkh/T

Red Hat

Linux Kernel is vulnerable to a denial of service, caused by a double-allocation of slots due to broken alignment handling. By sending a specially crafted request, a local authenticated attacker could exploit this vulnerability to cause a denial of service condition.

IBM

Affected Software

12 affected componentsFixes available
IBM Security Verify Governance<=ISVG 10.0.2
IBM Security Verify Governance, Identity Manager Software Stack<=ISVG 10.0.2
IBM Security Verify Governance, Identity Manager Virtual Appliance<=ISVG 10.0.2
IBM Security Verify Governance Identity Manager Container<=ISVG 10.0.2
debian/linux
5.10.223-15.10.234-16.1.129-16.1.135-16.12.25-16.12.27-1
redhat/kernel<6.6.24
6.6.24
redhat/kernel<6.7.12
6.7.12
redhat/kernel<6.8.3
6.8.3
redhat/kernel<6.9
6.9
Linux Linux kernel>=6.3<6.6.24
Linux Linux kernel>=6.7<6.7.12
Linux Linux kernel>=6.8<6.8.3

Remediation

Patch Available

https://git.kernel.org/stable/c/04867a7a33324c9c562ee7949dbcaab7aaad1fb4

Patch Available

https://git.kernel.org/stable/c/3e7acd6e25ba77dde48c3b721c54c89cd6a10534

Patch Available

https://git.kernel.org/stable/c/777391743771040e12cc40d3d0d178f70c616491

Patch Available

https://git.kernel.org/stable/c/c88668aa6c1da240ea3eb4d128b7906e740d3cb8

Event History

May 17, 2024
CVE Published
via MITRE·01:23 PM
Data Sourced
via MITRE·01:23 PM
Description
Data Sourced
via NVD·02:15 PM
DescriptionSeverityWeakness
Data Sourced
via NVD·02:15 PM
RemedyAffected Software
Data Sourced
via Red Hat·11:34 PM
DescriptionSeverityAffected Software
Jun 8, 2024
Data Sourced
via Launchpad·01:18 AM
Description
Dec 1, 2024
Data Sourced
via Ubuntu·05:30 AM
RemedyDescriptionSeverityAffected Software

Parent advisories

This vulnerability appears in the following advisories.

Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2024-35814?

CVE-2024-35814 has been classified as a moderate severity vulnerability in the Linux kernel.

2

How do I fix CVE-2024-35814?

To mitigate CVE-2024-35814, upgrade your kernel package to versions 6.6.24, 6.7.12, 6.8.3, or 6.9 for Red Hat, or to the specified versions for Debian.

3

What type of vulnerability is CVE-2024-35814?

CVE-2024-35814 is a double-allocation vulnerability caused by broken alignment handling in the Linux kernel's swiotlb.

4

Which Linux kernel versions are affected by CVE-2024-35814?

Versions prior to 6.6.24, 6.7.12, 6.8.3, and 6.9 for Red Hat as well as specific versions of the Debian Linux package are affected by CVE-2024-35814.

5

Who reported CVE-2024-35814?

CVE-2024-35814 was reported and documented following a fix for a previous alignment check issue in the swiotlb module of the Linux kernel.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203