CVE-2024-26745: Vulnerability in the Linux kernel
In the Linux kernel, the following vulnerability has been resolved:

powerpc/pseries/iommu: IOMMU table is not initialized for kdump over SR-IOV

When kdump kernel tries to copy dump data over SR-IOV, LPAR panics due to NULL pointer exception:

Kernel attempted to read user page (0) - exploit attempt? (uid: 0)
BUG: Kernel NULL pointer dereference on read at 0x00000000
Faulting instruction address: 0xc000000020847ad4
Oops: Kernel access of bad area, sig: 11 [#1]
LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA pSeries
Modules linked in: mlx5_core(+) vmx_crypto pseries_wdt papr_scm libnvdimm mlxfw tls psample sunrpc fuse overlay squashfs loop
CPU: 12 PID: 315 Comm: systemd-udevd Not tainted 6.4.0-Test102+ #12
Hardware name: IBM,9080-HEX POWER10 (raw) 0x800200 0xf000006 of:IBM,FW1060.00 (NH1060_008) hv:phyp pSeries
NIP: c000000020847ad4 LR: c00000002083b2dc CTR: 00000000006cd18c
REGS: c000000029162ca0 TRAP: 0300 Not tainted (6.4.0-Test102+)
MSR: 800000000280b033 <SF,VEC,VSX,EE,FP,ME,IR,DR,RI,LE> CR: 48288244 XER: 00000008
CFAR: c00000002083b2d8 DAR: 0000000000000000 DSISR: 40000000 IRQMASK: 1
...
NIP _find_next_zero_bit+0x24/0x110
LR bitmap_find_next_zero_area_off+0x5c/0xe0
Call Trace:
dev_printk_emit+0x38/0x48 (unreliable)
iommu_area_alloc+0xc4/0x180
iommu_range_alloc+0x1e8/0x580
iommu_alloc+0x60/0x130
iommu_alloc_coherent+0x158/0x2b0
dma_iommu_alloc_coherent+0x3c/0x50
dma_alloc_attrs+0x170/0x1f0
mlx5_cmd_init+0xc0/0x760 [mlx5_core]
mlx5_function_setup+0xf0/0x510 [mlx5_core]
mlx5_init_one+0x84/0x210 [mlx5_core]
probe_one+0x118/0x2c0 [mlx5_core]
local_pci_probe+0x68/0x110
pci_call_probe+0x68/0x200
pci_device_probe+0xbc/0x1a0
really_probe+0x104/0x540
__driver_probe_device+0xb4/0x230
driver_probe_device+0x54/0x130
__driver_attach+0x158/0x2b0
bus_for_each_dev+0xa8/0x130
driver_attach+0x34/0x50
bus_add_driver+0x16c/0x300
driver_register+0xa4/0x1b0
__pci_register_driver+0x68/0x80
mlx5_init+0xb8/0x100 [mlx5_core]
do_one_initcall+0x60/0x300
do_init_module+0x7c/0x2b0

At the time of LPAR dump, before kexec hands over control to kdump kernel, DDWs (Dynamic DMA Windows) are scanned and added to the FDT. For the SR-IOV case, default DMA window "ibm,dma-window" is removed from the FDT and DDW added, for the device.

Now, kexec hands over control to the kdump kernel. When the kdump kernel initializes, PCI buses are scanned and IOMMU group/tables created, in pci_dma_bus_setup_pSeriesLP(). For the SR-IOV case, there is no "ibm,dma-window". The original commit: b1fc44eaa9ba, fixes the path where memory is pre-mapped (direct mapped) to the DDW. When TCEs are direct mapped, there is no need to initialize IOMMU tables. iommu_table_setparms_lpar() only considers "ibm,dma-window" property when initializing IOMMU table. In the scenario where TCEs are dynamically allocated for SR-IOV, newly created IOMMU table is not initialized. Later, when the device driver tries to enter TCEs for the SR-IOV device, NULL pointer exception is thrown from iommu_area_alloc().

The fix is to initialize the IOMMU table with DDW property stored in the FDT. There are 2 points to remember:

1. For the dedicated adapter, kdump kernel would encounter both default and DDW in FDT. In this case, DDW property is used to initialize the IOMMU table.

2. A DDW could be direct or dynamic mapped. kdump kernel would initialize IOMMU table and mark the existing DDW as "dynamic". This works fine since, at the time of table initialization, iommu_table_clear() makes some space in the DDW, for some predefined number of TCEs which are needed for kdump to succeed.
AI Analysis
Technical Summary
CVE-2024-26745 is a medium-severity availability bug in the Linux kernel's powerpc/pseries IOMMU code that affects crash-dump capture (kdump) on PowerVM LPARs whose dump target is reached through an SR-IOV function. Before kexec hands control to the kdump kernel, the crashing kernel records the Dynamic DMA Windows (DDWs) it has created in the Flattened Device Tree (FDT); for an SR-IOV function the default window property "ibm,dma-window" is removed and the DDW is added in its place. When the kdump kernel boots and sets up PCI in pci_dma_bus_setup_pSeriesLP(), iommu_table_setparms_lpar() initializes an IOMMU table only from "ibm,dma-window". The earlier commit b1fc44eaa9ba covered the case in which the DDW is direct-mapped (memory is pre-mapped, so no table is needed), but for a dynamically mapped DDW the newly created table is left uninitialized and its TCE (Translation Control Entry) bitmap is NULL. The first driver to allocate DMA memory on that function (in the reported trace, mlx5_core being loaded by systemd-udevd, via dma_alloc_attrs() from mlx5_cmd_init()) reaches iommu_area_alloc(), which walks the NULL bitmap in _find_next_zero_bit() and panics the kdump kernel. The fix initializes the table from the DDW property in the FDT: for a dedicated adapter, whose FDT carries both the default window and a DDW, the DDW is used, and the DDW is always marked dynamic, which is safe because iommu_table_clear() frees a predefined number of TCEs for the kdump kernel when the table is initialized. Two points matter for assessment. First, the panic occurs in the kdump (capture) kernel, not in the production kernel: the LPAR has already crashed, so the effect of this bug is that the dump is never written, a loss of post-mortem evidence rather than an independently triggerable crash. Second, the trace came from a POWER10 LPAR with a Mellanox mlx5 adapter, but the defect is in pseries platform code and applies to any SR-IOV function with a dynamically mapped DDW, whatever the driver. The page does not list fixed versions; the commit message identifies b1fc44eaa9ba as the earlier change that handled only the direct-mapped case, so a kernel that carries that commit but not this fix should be treated as affected. Exploitation requires local, privileged access (PR:H), no user interaction, and a local attack vector; the impact is denial of service with no direct confidentiality or integrity impact. No exploitation in the wild was reported as of publication.
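The decision that goes wrong, as an added worked example in C. This is a simplified model written for this page, not code from the Linux kernel: a mock FDT node carries the default window, a DDW, or both; setup_table_old() mirrors the pre-fix rule of consulting only "ibm,dma-window", setup_table_fixed() mirrors the fix (DDW preferred, table marked dynamic), and tce_alloc() stands in for iommu_area_alloc(). The names fdt_node, table_init, table_release, tce_alloc and KDUMP_MIN_TCES, the window sizes, and the number of TCEs kept free for kdump are this example's assumptions; the kernel's real structures and property layouts differ.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed for this model: iommu_table_clear() keeps this many TCEs free for kdump. */
#define KDUMP_MIN_TCES 16

/* One FDT device node reduced to its DMA-window properties (NULL = absent).
 * Each window is {liobn, number_of_tces}. */
struct fdt_node {
    const char     *name;
    const uint64_t *default_window;  /* "ibm,dma-window" */
    const uint64_t *ddw;             /* DDW added to the FDT before kexec */
};

/* Stand-in for the kernel's iommu_table; it_map is the TCE allocation bitmap. */
struct iommu_table {
    uint64_t liobn;
    size_t   it_size;
    uint8_t *it_map;   /* NULL until the table is initialised */
    bool     dynamic;  /* TCEs are entered on demand rather than pre-mapped */
};

/* Initialise a table over a window. Models the kdump path of iommu_table_clear():
 * every TCE the crashed kernel may still own is marked used, and only the top
 * KDUMP_MIN_TCES entries are guaranteed free for the capture kernel. */
static void table_init(struct iommu_table *t, uint64_t liobn, size_t ntces)
{
    size_t bytes = (ntces + 7) / 8;
    t->liobn   = liobn;
    t->it_size = ntces;
    t->dynamic = true;
    t->it_map  = malloc(bytes);
    memset(t->it_map, 0xff, bytes);
    for (size_t i = ntces > KDUMP_MIN_TCES ? ntces - KDUMP_MIN_TCES : 0; i < ntces; i++)
        t->it_map[i / 8] &= (uint8_t)~(1u << (i % 8));
}

static void table_release(struct iommu_table *t)
{
    free(t->it_map);
    t->it_map = NULL;
}

/* Pre-fix logic: only "ibm,dma-window" is consulted. An SR-IOV VF in the kdump
 * FDT has no such property, so the table is never initialised. */
static void setup_table_old(struct iommu_table *t, const struct fdt_node *n)
{
    memset(t, 0, sizeof *t);
    if (n->default_window)
        table_init(t, n->default_window[0], (size_t)n->default_window[1]);
}

/* Fixed logic: the DDW recorded in the FDT wins (also for a dedicated adapter
 * that carries both properties); fall back to the default window otherwise. */
static void setup_table_fixed(struct iommu_table *t, const struct fdt_node *n)
{
    memset(t, 0, sizeof *t);
    if (n->ddw)
        table_init(t, n->ddw[0], (size_t)n->ddw[1]);
    else if (n->default_window)
        table_init(t, n->default_window[0], (size_t)n->default_window[1]);
}

/* Stand-in for iommu_area_alloc(): first-fit search for npages free TCEs,
 * returning the first index or -1. The kernel walks it_map with no NULL check,
 * which is the oops in the trace (_find_next_zero_bit reading address 0);
 * this model returns -1 instead of crashing. */
static long tce_alloc(struct iommu_table *t, size_t npages)
{
    if (!t->it_map || npages == 0)
        return -1;
    size_t run = 0;
    for (size_t i = 0; i < t->it_size; i++) {
        bool used = t->it_map[i / 8] & (1u << (i % 8));
        run = used ? 0 : run + 1;
        if (run == npages) {
            size_t start = i + 1 - npages;
            for (size_t j = start; j <= i; j++)
                t->it_map[j / 8] |= (uint8_t)(1u << (j % 8));
            return (long)start;
        }
    }
    return -1;
}

int main(void)
{
    /* Constructed sample nodes: a VF with only a DDW, a dedicated adapter with both. */
    const uint64_t dflt[] = { 0x10, 256 }, ddw[] = { 0x8000000000000010ULL, 64 };
    const struct fdt_node vf = { "pci@vf0", NULL, ddw };
    const struct fdt_node dedicated = { "pci@0", dflt, ddw };
    struct iommu_table t;

    setup_table_old(&t, &vf);
    printf("old  VF: it_map=%p alloc=%ld\n", (void *)t.it_map, tce_alloc(&t, 4));
    setup_table_fixed(&t, &vf);
    printf("fix  VF: liobn=%#llx alloc=%ld\n", (unsigned long long)t.liobn, tce_alloc(&t, 4));
    table_release(&t);
    setup_table_fixed(&t, &dedicated);
    printf("fix ded: liobn=%#llx (DDW chosen over default window)\n", (unsigned long long)t.liobn);
    table_release(&t);
    return 0;
}
```

Run as-is, the VF case shows a NULL it_map and a failed allocation under the old rule, and a successful allocation at TCE 48 (the first of the entries left free for kdump) under the fixed rule; the dedicated adapter ends up with the DDW's LIOBN even though a default window is present. Asking for more TCEs than were kept free fails, which is the reason the commit message stresses that iommu_table_clear() must reserve enough entries for the capture kernel.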
Potential Impact
For European organizations running Linux on PowerVM LPARs with SR-IOV functions (the reported trace is from POWER10, but the affected code is shared pSeries platform code), the practical effect is that a crash dump sent over an SR-IOV adapter is lost: the capture kernel panics while probing the adapter, before any dump data is written. Post-mortem analysis of the original crash, whether it was a hardware fault, a kernel bug or a security incident, then has no memory image to work from, and, depending on the kdump failure action configured, the LPAR may not reboot on its own, which lengthens the outage. This matters most for high-availability deployments in data centers and cloud environments that rely on kdump for root-cause analysis and for forensic evidence, for example in financial services, telecommunications, critical infrastructure and research institutions that run the POWER platform. There is no confidentiality or integrity impact, and the bug is not reachable from untrusted input: it only adds to the damage of a crash that has already happened, so the local-privilege requirement in the CVSS vector describes who can provoke that preceding crash, not a separate exploitation path.
Mitigation Recommendations
1. Apply the fix from your distribution or from the stable kernel series. The page does not list fixed versions, so confirm from the kernel changelog that the commit titled "powerpc/pseries/iommu: IOMMU table is not initialized for kdump over SR-IOV" is included rather than relying on a version number.
2. For custom or self-built kernels on pSeries, make sure this commit is backported together with b1fc44eaa9ba, which it completes; the earlier commit alone only handles direct-mapped DDWs.
3. Establish exposure before planning downtime: the LPAR is pSeries (the platform line in /proc/cpuinfo), it has SR-IOV virtual functions (PCI devices with a physfn link under /sys/bus/pci/devices/), and kdump is configured to write the dump over a network interface backed by such a function. Only that combination hits the broken path.
4. After patching, exercise kdump end to end in a maintenance window (with sysrq enabled, echo c > /proc/sysrq-trigger) and verify that the dump file actually arrives at the target. A kdump service that reports itself as active is no evidence, because this failure appears only inside the capture kernel.
5. Until the fix is deployed, point kdump at a target that does not go through the SR-IOV function, such as local disk or an interface on a dedicated adapter, so that dumps keep being captured.
6. Watch the LPAR console (HMC or serial console) rather than the production kernel's journal for the capture kernel's oops: the signature is "Kernel NULL pointer dereference on read at 0x00000000" with _find_next_zero_bit and iommu_area_alloc at the top of the trace. The production kernel has already died by then and logs nothing.
7. Coordinate with IBM and the adapter vendor (Mellanox for the mlx5 case in the trace) for firmware and driver updates; they do not replace the kernel fix, but they are part of keeping SR-IOV stable.
8. Keep privileged local access restricted to trusted administrators. This bug does not create a new path to crash the system, so the usual least-privilege controls for root are the relevant ones; nothing beyond that is specific to this CVE.
9. Document and rehearse the incident response procedure for kernel panics, including what to do when no dump is available, to minimize downtime and loss of evidence.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Sweden, Finland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-02-19T14:20:24.168Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d9821c4522896dcbdda61
Added to database: 5/21/2025, 9:08:49 AM
Last enriched: 6/28/2025, 2:26:43 AM
Last updated: 8/17/2025, 4:41:28 AM
Related Threats
- CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server (High)
- CVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)
- CVE-2025-54759: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)