CVE-2024-57999 in Linuxinfo

Summary

by MITRE • 02/27/2025

In the Linux kernel, the following vulnerability has been resolved:

powerpc/pseries/iommu: IOMMU incorrectly marks MMIO range in DDW

Power Hypervisor can possibily allocate MMIO window intersecting with Dynamic DMA Window (DDW) range, which is over 32-bit addressing.

These MMIO pages needs to be marked as reserved so that IOMMU doesn't map DMA buffers in this range.

The current code is not marking these pages correctly which is resulting in LPAR to OOPS while booting. The stack is at below

BUG: Unable to handle kernel data access on read at 0xc00800005cd40000 Faulting instruction address: 0xc00000000005cdac Oops: Kernel access of bad area, sig: 11 [#1]
LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries Modules linked in: af_packet rfkill ibmveth(X) lpfc(+) nvmet_fc nvmet nvme_keyring crct10dif_vpmsum nvme_fc nvme_fabrics nvme_core be2net(+) nvme_auth rtc_generic nfsd auth_rpcgss nfs_acl lockd grace sunrpc fuse configfs ip_tables x_tables xfs libcrc32c dm_service_time ibmvfc(X) scsi_transport_fc vmx_crypto gf128mul crc32c_vpmsum dm_mirror dm_region_hash dm_log dm_multipath dm_mod sd_mod scsi_dh_emc scsi_dh_rdac scsi_dh_alua t10_pi crc64_rocksoft_generic crc64_rocksoft sg crc64 scsi_mod Supported: Yes, External CPU: 8 PID: 241 Comm: kworker/8:1 Kdump: loaded Not tainted 6.4.0-150600.23.14-default #1 SLE15-SP6 b44ee71c81261b9e4bab5e0cde1f2ed891d5359b Hardware name: IBM,9080-M9S POWER9 (raw) 0x4e2103 0xf000005 of:IBM,FW950.B0 (VH950_149) hv:phyp pSeries Workqueue: events work_for_cpu_fn NIP: c00000000005cdac LR: c00000000005e830 CTR: 0000000000000000 REGS: c00001400c9ff770 TRAP: 0300 Not tainted (6.4.0-150600.23.14-default) MSR: 800000000280b033 CR: 24228448 XER: 00000001 CFAR: c00000000005cdd4 DAR: c00800005cd40000 DSISR: 40000000 IRQMASK: 0 GPR00: c00000000005e830 c00001400c9ffa10 c000000001987d00 c00001400c4fe800 GPR04: 0000080000000000 0000000000000001 0000000004000000 0000000000800000 GPR08: 0000000004000000 0000000000000001 c00800005cd40000 ffffffffffffffff GPR12: 0000000084228882 c00000000a4c4f00 0000000000000010 0000080000000000 GPR16: c00001400c4fe800 0000000004000000 0800000000000000 c00000006088b800 GPR20: c00001401a7be980 c00001400eff3800 c000000002a2da68 000000000000002b GPR24: c0000000026793a8 c000000002679368 000000000000002a c0000000026793c8 GPR28: 000008007effffff 0000080000000000 0000000000800000 c00001400c4fe800 NIP [c00000000005cdac] iommu_table_reserve_pages+0xac/0x100
LR [c00000000005e830] iommu_init_table+0x80/0x1e0
Call Trace: [c00001400c9ffa10] [c00000000005e810] iommu_init_table+0x60/0x1e0 (unreliable)
[c00001400c9ffa90] [c00000000010356c] iommu_bypass_supported_pSeriesLP+0x9cc/0xe40
[c00001400c9ffc30] [c00000000005c300] dma_iommu_dma_supported+0xf0/0x230
[c00001400c9ffcb0] [c00000000024b0c4] dma_supported+0x44/0x90
[c00001400c9ffcd0] [c00000000024b14c] dma_set_mask+0x3c/0x80
[c00001400c9ffd00] [c0080000555b715c] be_probe+0xc4/0xb90 [be2net]
[c00001400c9ffdc0] [c000000000986f3c] local_pci_probe+0x6c/0x110
[c00001400c9ffe40] [c000000000188f28] work_for_cpu_fn+0x38/0x60
[c00001400c9ffe70] [c00000000018e454] process_one_work+0x314/0x620
[c00001400c9fff10] [c00000000018f280] worker_thread+0x2b0/0x620
[c00001400c9fff90] [c00000000019bb18] kthread+0x148/0x150
[c00001400c9fffe0] [c00000000000ded8] start_kernel_thread+0x14/0x18

There are 2 issues in the code

1. The index is "int" while the address is "unsigned long". This results in negative value when setting the bitmap.

2. The DMA offset is page shifted but the MMIO range is used as-is (64-bit address). MMIO address needs to be page shifted as well.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 05/24/2026

The vulnerability described in CVE-2024-57999 affects the Linux kernel's implementation of IOMMU handling on PowerPC platforms, specifically within the pseries architecture. This issue manifests during the boot process of LPAR (Logical Partition) systems where the Power Hypervisor attempts to allocate MMIO (Memory-Mapped I/O) windows that may intersect with Dynamic DMA Windows (DDW) ranges exceeding 32-bit addressing capabilities. The core problem lies in the improper marking of MMIO pages as reserved, which should prevent the IOMMU from mapping DMA buffers in these critical memory regions. When this reservation fails, the kernel experiences a data access violation resulting in a kernel oops and system crash, as evidenced by the stack trace showing the fault occurring at address 0xc00800005cd40000.

The technical flaw stems from two distinct code issues within the IOMMU implementation. The first issue involves a type mismatch where an integer index variable is used to calculate bitmap positions for memory ranges, while the actual memory addresses are represented as unsigned long values. This mismatch causes negative index calculations when dealing with high memory addresses, leading to corrupted bitmap states and incorrect memory reservation handling. The second issue occurs during address arithmetic where the DMA offset is properly page-shifted, but the MMIO range addresses are not subjected to the same page shift operation. This discrepancy results in incorrect memory range calculations and improper identification of MMIO regions that should be reserved from DMA mapping operations, creating a scenario where DMA operations might attempt to access MMIO space, causing system instability.

The operational impact of this vulnerability is severe as it directly affects system boot stability and overall reliability of PowerPC-based LPAR environments. When the kernel encounters this condition during early boot stages, particularly when initializing DMA capabilities for network devices like the be2net driver, the system will crash with a kernel oops error, preventing successful system boot. This vulnerability affects systems running Linux kernel versions that include the problematic IOMMU implementation, specifically impacting enterprise PowerPC servers and virtualization environments where DDW and MMIO window management are critical for proper system operation. The issue is particularly dangerous in production environments where system uptime and reliability are paramount, as it can cause complete system failures during critical boot phases.

Mitigation strategies for this vulnerability require immediate kernel updates addressing the specific IOMMU handling code in the powerpc/pseries subsystem. System administrators should prioritize applying the latest kernel patches that correct the integer type handling and ensure proper page shifting for both DMA offsets and MMIO addresses. Additionally, implementing proper memory reservation checks and validating MMIO window allocations against DDW ranges can provide additional protection. Organizations should also consider monitoring for kernel oops events related to IOMMU operations and DMA initialization, as these may indicate the vulnerability's presence. The fix should align with industry best practices for memory management and IOMMU implementation, following guidelines established by standards such as CWE-129 for improper handling of memory ranges and ATT&CK technique T1059 for kernel-level privilege escalation vectors that could arise from such memory corruption issues.

Responsible

Linux

Reservation

02/27/2025

Disclosure

02/27/2025

Moderation

accepted

CPE

ready

EPSS

0.00206

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!