DEBIAN-CVE-2024-47748

DEBIAN-CVE-2024-47748 PUBLISHED CVSS 7.800000190734863 HIGH

In the Linux kernel, the following vulnerability has been resolved: vhost_vdpa: assign irq bypass producer token correctly We used to call irq_bypass_unregister_producer() in vhost_vdpa_setup_vq_irq() which is problematic as we don't know if the token pointer is still valid or not. Actually, we use the eventfd_ctx as the token so the life cycle of the token should be bound to the VHOST_SET_VRING_CALL instead of vhost_vdpa_setup_vq_irq() which could be called by set_status(). Fixing this by setting up irq bypass producer's token when handling VHOST_SET_VRING_CALL and un-registering the producer before calling vhost_vring_ioctl() to prevent a possible use after free as eventfd could have been released in vhost_vring_ioctl(). And such registering and unregistering will only be done if DRIVER_OK is set.

Risk Scores

CVSS v3.1

7.800000190734863

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Products

Vendor	Product	Versions
Debian:11	linux	5.10.162-1, 5.10.162-1, 5.10.178-1
Debian:12	linux	6.1.69-1~bpo11+1, 0, 6.1.106-1
Debian:14	linux	0, 0
Debian:13	linux	0, 0
Debian:11	linux-6.1	6.1.112-1~deb11u1, 0, 0

Timeline

Oct 21, 2024 CVE Published
Apr 28, 2026 CVE Updated

References

https://security-tracker.debian.org/tracker/CVE-2024-47748 advisory

Open in Interactive Console →