CVE-2024-41070: Vulnerability in Linux (Linux kernel)
Description

In the Linux kernel, the following vulnerability has been resolved:

KVM: PPC: Book3S HV: Prevent UAF in kvm_spapr_tce_attach_iommu_group()

Al reported a possible use-after-free (UAF) in kvm_spapr_tce_attach_iommu_group().

It looks up `stt` from tablefd, but then continues to use it after doing fdput() on the returned fd. After the fdput() the tablefd is free to be closed by another thread. The close calls kvm_spapr_tce_release() and then release_spapr_tce_table() (via call_rcu()) which frees `stt`.

Although there are calls to rcu_read_lock() in kvm_spapr_tce_attach_iommu_group() they are not sufficient to prevent the UAF, because `stt` is used outside the locked regions.

With an artificial delay after the fdput() and a userspace program which triggers the race, KASAN detects the UAF:

  BUG: KASAN: slab-use-after-free in kvm_spapr_tce_attach_iommu_group+0x298/0x720 [kvm]
  Read of size 4 at addr c000200027552c30 by task kvm-vfio/2505
  CPU: 54 PID: 2505 Comm: kvm-vfio Not tainted 6.10.0-rc3-next-20240612-dirty #1
  Hardware name: 8335-GTH POWER9 0x4e1202 opal:skiboot-v6.5.3-35-g1851b2a06 PowerNV
  Call Trace:
    dump_stack_lvl+0xb4/0x108 (unreliable)
    print_report+0x2b4/0x6ec
    kasan_report+0x118/0x2b0
    __asan_load4+0xb8/0xd0
    kvm_spapr_tce_attach_iommu_group+0x298/0x720 [kvm]
    kvm_vfio_set_attr+0x524/0xac0 [kvm]
    kvm_device_ioctl+0x144/0x240 [kvm]
    sys_ioctl+0x62c/0x1810
    system_call_exception+0x190/0x440
    system_call_vectored_common+0x15c/0x2ec
  ...
  Freed by task 0:
  ...
    kfree+0xec/0x3e0
    release_spapr_tce_table+0xd4/0x11c [kvm]
    rcu_core+0x568/0x16a0
    handle_softirqs+0x23c/0x920
    do_softirq_own_stack+0x6c/0x90
    do_softirq_own_stack+0x58/0x90
    __irq_exit_rcu+0x218/0x2d0
    irq_exit+0x30/0x80
    arch_local_irq_restore+0x128/0x230
    arch_local_irq_enable+0x1c/0x30
    cpuidle_enter_state+0x134/0x5cc
    cpuidle_enter+0x6c/0xb0
    call_cpuidle+0x7c/0x100
    do_idle+0x394/0x410
    cpu_startup_entry+0x60/0x70
    start_secondary+0x3fc/0x410
    start_secondary_prolog+0x10/0x14

Fix it by delaying the fdput() until `stt` is no longer in use, which is effectively the entire function. To keep the patch minimal add a call to fdput() at each of the existing return paths.

Future work can convert the function to goto or __cleanup style cleanup.

With the fix in place the test case no longer triggers the UAF.
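The bug class above is a reference-lifetime ordering error: the reference obtained by fdget() is the only thing keeping `stt` alive, and fdput() gives it up before the last use. The following user-space C model is an added example written for this page; it is not the kernel's code, and the `struct tce_table`, `fdget`/`fdput`, `read_window_size` and `race_hook` names are constructed stand-ins. table_put() poisons the object instead of freeing it, so the poisoned load that KASAN would report as a slab-use-after-free can be counted without real undefined behaviour. The `race_hook` models the second thread's close(tablefd) landing at the worst possible moment, the same effect the commit obtained with an artificial delay. attach_buggy() mirrors the vulnerable ordering; attach_fixed() mirrors the shape of the fix, with fdput() on every return path after the last use of `stt`.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for the TCE table object that `stt` points to.
 * table_put() poisons the object rather than freeing it, so a later load can
 * be counted the way KASAN reports it, without real undefined behaviour. */
struct tce_table {
	int refs;              /* one from the open tablefd, plus any fdget() */
	bool freed;            /* poison flag set when the last reference drops */
	unsigned window_size;  /* an attribute the attach path reads from stt */
};

/* Model of `struct fd`: the reference fdget() returns and fdput() must drop. */
struct fd_ref { struct tce_table *table; };

static int uaf_hits;                            /* poisoned loads seen (KASAN stand-in) */
static void (*race_hook)(struct tce_table *);   /* what "another thread" does mid-function */

static struct tce_table *table_alloc(unsigned window_size)
{
	struct tce_table *t = calloc(1, sizeof(*t));
	if (!t)
		abort();
	t->refs = 1;                 /* held by the open file description of tablefd */
	t->window_size = window_size;
	return t;
}

static void table_put(struct tce_table *t)
{
	if (--t->refs == 0)
		t->freed = true;     /* kernel: release_spapr_tce_table() via call_rcu() */
}

static struct fd_ref fdget(struct tce_table *t) { t->refs++; return (struct fd_ref){ t }; }
static void fdput(struct fd_ref f) { table_put(f.table); }

/* The racing close(tablefd) in another thread: drops the file's own reference. */
static void close_tablefd(struct tce_table *t) { table_put(t); }

/* Instrumented load: counts reads of a released object, as __asan_load4 would. */
static unsigned read_window_size(struct tce_table *t)
{
	if (t->freed)
		uaf_hits++;
	return t->window_size;
}

/* Vulnerable ordering: fdput() runs before the last use of stt. */
static int attach_buggy(struct tce_table *tablefd, unsigned want)
{
	struct fd_ref f = fdget(tablefd);
	struct tce_table *stt = f.table;

	fdput(f);                       /* our reference is gone... */
	if (race_hook)
		race_hook(stt);         /* ...so close() elsewhere can release stt here */
	return read_window_size(stt) == want ? 0 : -EINVAL;   /* use-after-free */
}

/* Fixed ordering: fdput() on every return path, only after the last use of stt. */
static int attach_fixed(struct tce_table *tablefd, unsigned want)
{
	struct fd_ref f = fdget(tablefd);
	struct tce_table *stt = f.table;

	if (race_hook)
		race_hook(stt);         /* close() may run, but our reference keeps stt alive */
	if (read_window_size(stt) != want) {
		fdput(f);               /* error path: drop the reference only now */
		return -EINVAL;
	}
	fdput(f);                       /* success path: likewise */
	return 0;
}

int main(void)
{
	race_hook = close_tablefd;

	struct tce_table *a = table_alloc(4096);
	uaf_hits = 0;
	attach_buggy(a, 4096);
	printf("buggy ordering: %d poisoned load(s)\n", uaf_hits);

	struct tce_table *b = table_alloc(4096);
	uaf_hits = 0;
	int ret = attach_fixed(b, 4096);
	printf("fixed ordering: ret=%d poisoned loads=%d released=%s\n",
	       ret, uaf_hits, b->freed ? "yes" : "no");

	free(a);
	free(b);
	return 0;
}
```

The point the model makes is the one the fix relies on: with the reference held across the whole function, the concurrent close() can only drop the file's own reference, and the object is released by our final fdput(), after the last use. The error path matters as much as the success path; a missed fdput() on any return would turn the fix into a reference leak, which is why the patch adds one at each existing return.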
AI Analysis
Technical Summary
CVE-2024-41070 is a use-after-free (UAF) vulnerability identified in the Linux kernel's KVM (Kernel-based Virtual Machine) subsystem, specifically affecting the PowerPC (PPC) Book3S hypervisor implementation. The vulnerability arises in the function kvm_spapr_tce_attach_iommu_group(), which manages the attachment of IOMMU groups to KVM's sPAPR TCE (Translation Control Entry) tables. The issue occurs because the function looks up a pointer 'stt' from a file descriptor (tablefd), then calls fdput() to release the file descriptor reference. However, it continues to use 'stt' after fdput(), which is unsafe because the file descriptor can be closed by another thread concurrently. Closing the file descriptor triggers a chain of calls that eventually frees the memory pointed to by 'stt'. Although the function uses RCU (Read-Copy-Update) read locks, these are insufficient since 'stt' is accessed outside the locked regions, leading to a race condition. This race can be exploited to cause a use-after-free, which was demonstrated with KASAN (Kernel Address Sanitizer) detecting slab-use-after-free errors during testing. The vulnerability affects Linux kernel versions around 6.10.0-rc3-next and likely others in the 6.x series on PPC architectures. The fix involves deferring the fdput() call until 'stt' is no longer used, ensuring the pointer remains valid throughout the function's execution. This patch prevents the race condition and the resulting use-after-free. No known exploits are reported in the wild at this time. The vulnerability is specific to the PPC Book3S HV KVM implementation and impacts systems running Linux kernels with this code path enabled, particularly on POWER9 hardware or similar platforms using the affected kernel versions.
Potential Impact
For European organizations, the impact of CVE-2024-41070 depends largely on their use of Linux-based virtualization on PPC Book3S HV platforms. This vulnerability could allow a local attacker with the ability to interact with KVM VFIO (Virtual Function I/O) devices to trigger a use-after-free condition, potentially leading to kernel crashes (denial of service) or, in a worst-case scenario, privilege escalation or arbitrary code execution within the kernel context. Organizations running critical infrastructure, cloud services, or virtualization platforms on POWER9 hardware with affected Linux kernels could face service disruptions or compromise of virtualized environments. The vulnerability is less relevant for organizations primarily using x86_64 or ARM architectures, which dominate the European server market. However, specialized sectors such as research institutions, telecom providers, or enterprises using POWER-based servers for high-performance computing or legacy applications may be at risk. The lack of known exploits reduces immediate risk, but the presence of a race condition in kernel memory management is a serious concern for system stability and security. Exploitation requires local access and triggering a race condition, which may limit the attack surface but does not eliminate it. Therefore, European organizations relying on affected systems should prioritize patching to maintain system integrity and availability.
Mitigation Recommendations
To mitigate CVE-2024-41070, European organizations should:

1) Identify and inventory all Linux systems running on PPC Book3S HV architectures, particularly those using KVM virtualization with VFIO devices.
2) Apply the official Linux kernel patches that delay the fdput() call in kvm_spapr_tce_attach_iommu_group() until the pointer 'stt' is no longer in use. If vendor-specific kernels are used, coordinate with vendors for timely patch releases.
3) Where patching is not immediately possible, consider disabling KVM virtualization on affected PPC systems or restricting access to VFIO devices to trusted users only, reducing the risk of local exploitation.
4) Implement strict access controls and monitoring on systems with KVM VFIO capabilities to detect unusual activity that might indicate exploitation attempts.
5) Use kernel hardening features such as Kernel Address Sanitizer (KASAN) in testing environments to detect similar memory errors proactively.
6) Maintain up-to-date backups and incident response plans to quickly recover from potential crashes or compromises.
7) Engage with hardware and software vendors to ensure ongoing support and security updates for PPC-based Linux systems.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Sweden, Finland
Technical Details

- Data Version: 5.1
- Assigner Short Name: Linux
- Date Reserved: 2024-07-12T12:17:45.630Z
- Cisa Enriched: true
- Cvss Version: null
- State: PUBLISHED
Threat ID: 682cd0fa1484d88663aec00a
Added to database: 5/20/2025, 6:59:06 PM
Last enriched: 7/4/2025, 4:58:07 AM
Last updated: 8/15/2025, 3:08:48 AM