CVE-2024-26709 in Linuxinfo

Summary

by MITRE • 04/03/2024

In the Linux kernel, the following vulnerability has been resolved:

powerpc/iommu: Fix the missing iommu_group_put() during platform domain attach

The function spapr_tce_platform_iommu_attach_dev() is missing to call iommu_group_put() when the domain is already set. This refcount leak shows up with BUG_ON() during DLPAR remove operation as:

KernelBug: Kernel bug in state 'None': kernel BUG at arch/powerpc/platforms/pseries/iommu.c:100! Oops: Exception in kernel mode, sig: 5 [#1]
LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=8192 NUMA pSeries Hardware name: IBM,9080-HEX POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1060.00 (NH1060_016) hv:phyp pSeries NIP: c0000000000ff4d4 LR: c0000000000ff4cc CTR: 0000000000000000 REGS: c0000013aed5f840 TRAP: 0700 Tainted: G I (6.8.0-rc3-autotest-g99bd3cb0d12e) MSR: 8000000000029033 CR: 44002402 XER: 20040000 CFAR: c000000000a0d170 IRQMASK: 0 ... NIP iommu_reconfig_notifier+0x94/0x200 LR iommu_reconfig_notifier+0x8c/0x200 Call Trace: iommu_reconfig_notifier+0x8c/0x200 (unreliable) notifier_call_chain+0xb8/0x19c blocking_notifier_call_chain+0x64/0x98 of_reconfig_notify+0x44/0xdc of_detach_node+0x78/0xb0 ofdt_write.part.0+0x86c/0xbb8 proc_reg_write+0xf4/0x150 vfs_write+0xf8/0x488 ksys_write+0x84/0x140 system_call_exception+0x138/0x330 system_call_vectored_common+0x15c/0x2ec

The patch adds the missing iommu_group_put() call.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 08/03/2025

The vulnerability CVE-2024-26709 represents a critical reference counting issue within the Linux kernel's powerpc iommu subsystem, specifically affecting systems utilizing the spapr_tce_platform_iommu_attach_dev function. This flaw manifests as a memory leak through improper handling of iommu group reference counts during platform domain attachment operations, creating a condition where kernel resources remain unreleased even when they should be. The issue occurs in the pseries platform implementation of the powerpc architecture, where the kernel's iommu subsystem fails to properly decrement reference counters for iommu groups, leading to resource exhaustion and potential system instability.

The technical root cause stems from the missing iommu_group_put() function call within the spapr_tce_platform_iommu_attach_dev() implementation when a domain is already established. This function is responsible for releasing references to iommu groups, and its absence creates a reference count leak that accumulates over time. When the system performs dynamic partitioning operations such as DLPAR (Dynamic Logical Partitioning Remove) operations, the accumulated reference count errors trigger kernel BUG_ON() assertions, resulting in kernel oops and system crashes. The error occurs at arch/powerpc/platforms/pseries/iommu.c line 100, indicating a failure in the iommu_reconfig_notifier function that handles iommu configuration changes during device attachment and detachment.

The operational impact of this vulnerability extends beyond simple resource leaks to potentially destabilize entire systems running on powerpc platforms, particularly those utilizing virtualization and dynamic partitioning capabilities. When systems undergo DLPAR remove operations, which are common in high-availability environments and cloud computing infrastructures, the accumulated reference count errors cause kernel panics and system crashes. This vulnerability affects enterprise systems that rely on IBM Power10 and other powerpc-based hardware platforms, where dynamic device management and iommu operations are frequently performed during system maintenance and scaling operations. The vulnerability can be exploited by attackers who can trigger DLPAR operations, potentially leading to denial of service conditions that compromise system availability and stability.

This issue aligns with CWE-404, which addresses improper resource release or deadlock conditions, and represents a classic case of resource management failure in kernel space. The vulnerability also maps to ATT&CK technique T1490, as it can lead to system instability and denial of service conditions that affect system availability. The patch implementation addresses this by adding the missing iommu_group_put() call, ensuring proper reference count management during domain attachment operations. This fix follows established kernel development practices for resource management and adheres to the principle of proper reference counting in concurrent kernel subsystems. Organizations should prioritize applying this patch to systems running kernel versions affected by CVE-2024-26709, particularly those utilizing powerpc platforms with dynamic partitioning capabilities. The vulnerability demonstrates the critical importance of proper reference counting in kernel subsystems and highlights the need for thorough testing of iommu operations during system lifecycle management processes.

Reservation

02/19/2024

Disclosure

04/03/2024

Moderation

accepted

CPE

ready

EPSS

0.00195

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!