CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-38062: genirq/msi: Store the IOMMU IOVA directly in msi_desc instead of iommu_cookie

Description

In the Linux kernel, the following vulnerability has been resolved:

genirq/msi: Store the IOMMU IOVA directly in msi_desc instead of iommu_cookie

The IOMMU translation for MSI message addresses has been a 2-step process,
separated in time:

1) iommu_dma_prepare_msi(): A cookie pointer containing the IOVA address
is stored in the MSI descriptor when an MSI interrupt is allocated.

2) iommu_dma_compose_msi_msg(): this cookie pointer is used to compute a
translated message address.

This has an inherent lifetime problem for the pointer stored in the cookie
that must remain valid between the two steps. However, there is no locking
at the irq layer that helps protect the lifetime. Today, this works under
the assumption that the iommu domain is not changed while MSI interrupts
being programmed. This is true for normal DMA API users within the kernel,
as the iommu domain is attached before the driver is probed and cannot be
changed while a driver is attached.

Classic VFIO type1 also prevented changing the iommu domain while VFIO was
running as it does not support changing the "container" after starting up.

However, iommufd has improved this so that the iommu domain can be changed
during VFIO operation. This potentially allows userspace to directly race
VFIO_DEVICE_ATTACH_IOMMUFD_PT (which calls iommu_attach_group()) and
VFIO_DEVICE_SET_IRQS (which calls into iommu_dma_compose_msi_msg()).

This potentially causes both the cookie pointer and the unlocked call to
iommu...

Classification

CVE ID: CVE-2025-38062

Affected Products

Vendor: Linux

Product: Linux

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.02% (probability of being exploited)

EPSS Percentile: 2.95% (scored less or equal to compared to others)

EPSS Date: 2025-06-20 (when was this score calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2025-38062
https://git.kernel.org/stable/c/e4d3763223c7b72ded53425207075e7453b4e3d5
https://git.kernel.org/stable/c/ba41e4e627db51d914444aee0b93eb67f31fa330
https://git.kernel.org/stable/c/53f42776e435f63e5f8e61955e4c205dbfeaf524
https://git.kernel.org/stable/c/856152eb91e67858a09e30a7149a1f29b04b7384
https://git.kernel.org/stable/c/1f7df3a691740a7736bbc99dc4ed536120eb4746

Timeline