CVE-2024-36884 in Linux
Summary
by MITRE • 05/30/2024
In the Linux kernel, the following vulnerability has been resolved:
iommu/arm-smmu: Use the correct type in nvidia_smmu_context_fault()
This was missed because of the function pointer indirection.
nvidia_smmu_context_fault() is also installed as a irq function, and the 'void *' was changed to a struct arm_smmu_domain. Since the iommu_domain is embedded at a non-zero offset this causes nvidia_smmu_context_fault() to miscompute the offset. Fixup the types.
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000120 Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault Data abort info: ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 user pgtable: 4k pages, 48-bit VAs, pgdp=0000000107c9f000 [0000000000000120] pgd=0000000000000000, p4d=0000000000000000
Internal error: Oops: 0000000096000004 [#1] SMP
Modules linked in: CPU: 1 PID: 47 Comm: kworker/u25:0 Not tainted 6.9.0-0.rc7.58.eln136.aarch64 #1 Hardware name: Unknown NVIDIA Jetson Orin NX/NVIDIA Jetson Orin NX, BIOS 3.1-32827747 03/19/2023 Workqueue: events_unbound deferred_probe_work_func pstate: 604000c9 (nZCv daIF +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : nvidia_smmu_context_fault+0x1c/0x158 lr : __free_irq+0x1d4/0x2e8 sp : ffff80008044b6f0 x29: ffff80008044b6f0 x28: ffff000080a60b18 x27: ffffd32b5172e970 x26: 0000000000000000 x25: ffff0000802f5aac x24: ffff0000802f5a30 x23: ffff0000802f5b60 x22: 0000000000000057 x21: 0000000000000000 x20: ffff0000802f5a00 x19: ffff000087d4cd80 x18: ffffffffffffffff x17: 6234362066666666 x16: 6630303078302d30 x15: ffff00008156d888 x14: 0000000000000000 x13: ffff0000801db910 x12: ffff00008156d6d0 x11: 0000000000000003 x10: ffff0000801db918 x9 : ffffd32b50f94d9c x8 : 1fffe0001032fda1 x7 : ffff00008197ed00 x6 : 000000000000000f x5 : 000000000000010e x4 : 000000000000010e x3 : 0000000000000000 x2 : ffffd32b51720cd8 x1 : ffff000087e6f700 x0 : 0000000000000057 Call trace: nvidia_smmu_context_fault+0x1c/0x158 __free_irq+0x1d4/0x2e8 free_irq+0x3c/0x80 devm_free_irq+0x64/0xa8 arm_smmu_domain_free+0xc4/0x158 iommu_domain_free+0x44/0xa0 iommu_deinit_device+0xd0/0xf8 __iommu_group_remove_device+0xcc/0xe0 iommu_bus_notifier+0x64/0xa8 notifier_call_chain+0x78/0x148 blocking_notifier_call_chain+0x4c/0x90 bus_notify+0x44/0x70 device_del+0x264/0x3e8 pci_remove_bus_device+0x84/0x120 pci_remove_root_bus+0x5c/0xc0 dw_pcie_host_deinit+0x38/0xe0 tegra_pcie_config_rp+0xc0/0x1f0 tegra_pcie_dw_probe+0x34c/0x700 platform_probe+0x70/0xe8 really_probe+0xc8/0x3a0 __driver_probe_device+0x84/0x160 driver_probe_device+0x44/0x130 __device_attach_driver+0xc4/0x170 bus_for_each_drv+0x90/0x100 __device_attach+0xa8/0x1c8 device_initial_probe+0x1c/0x30 bus_probe_device+0xb0/0xc0 deferred_probe_work_func+0xbc/0x120 process_one_work+0x194/0x490 worker_thread+0x284/0x3b0 kthread+0xf4/0x108 ret_from_fork+0x10/0x20 Code: a9b97bfd 910003fd a9025bf5 f85a0035 (b94122a1)
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 08/28/2025
The vulnerability described in CVE-2024-36884 resides within the Linux kernel's IOMMU subsystem, specifically within the ARM SMMU (System Memory Management Unit) driver implementation. This flaw manifests in the nvidia_smmu_context_fault() function which is designed to handle context faults in NVIDIA SMMU implementations. The core issue stems from a type mismatch that occurs due to function pointer indirection, where the function signature expects a void pointer but receives a struct arm_smmu_domain pointer. This discrepancy arises because the iommu_domain structure is embedded at a non-zero offset within the arm_smmu_domain structure, causing incorrect memory access calculations when the fault handler attempts to dereference the context.
The technical root cause of this vulnerability can be categorized under CWE-467, which addresses "Use of sizeof() on a Pointer Type" and CWE-825, which deals with "Expired Pointer Dereference." The flaw occurs during interrupt handling when the kernel attempts to process an SMMU context fault, leading to a NULL pointer dereference at virtual address 0x0000000000000120. The error trace indicates that the kernel's memory management system encounters a data abort during the execution of nvidia_smmu_context_fault(), specifically when the function tries to access memory through a miscomputed pointer. The ESR (Exception Syndrome Register) value of 0x96000004 confirms this is a data abort with a level 0 translation fault, indicating that the virtual address translation failed due to the incorrect pointer arithmetic.
This vulnerability presents a significant operational impact, particularly in embedded systems and edge computing platforms such as NVIDIA Jetson Orin NX devices where the kernel is running with aarch64 architecture. The NULL pointer dereference results in a kernel oops and can lead to system crashes or potential privilege escalation if exploited in a controlled environment. The flaw is particularly concerning because it occurs during device removal operations, specifically when the iommu_domain_free function attempts to clean up resources, and the kernel's device notifier chain processes the removal event. The call trace shows that the fault originates from the device_del function during PCI device removal, indicating that this vulnerability could be triggered during normal system operation when devices are hot-plugged or removed, potentially leading to denial of service conditions or system instability.
Mitigation strategies for CVE-2024-36884 should focus on ensuring proper type alignment and function signature consistency within the ARM SMMU driver implementation. The fix involves correcting the type handling in the nvidia_smmu_context_fault() function to properly account for the embedded structure offset when processing interrupt handlers. This aligns with ATT&CK technique T1068, which covers "Exploitation for Privilege Escalation" and T1499, covering "Endpoint Denial of Service" by ensuring proper memory access patterns. System administrators should prioritize updating to kernel versions that include the patched ARM SMMU driver code, particularly those addressing the type mismatch in function pointer handling. Additionally, monitoring for kernel oops messages and system crashes during device removal operations can help identify systems vulnerable to this issue. Organizations running critical infrastructure on affected platforms should implement proactive patch management policies and consider temporary workarounds such as disabling specific device drivers or implementing more robust error handling in device removal sequences to prevent exploitation of this vulnerability in production environments.