Executive Summary

This vulnerability exists in the Linux kernel's iommu/vt-d implementation. When tearing down a context entry, the current method zeros out the entire 128-bit entry using multiple 64-bit writes. This process creates a timing window where the hardware might read a "torn" entry—meaning some parts are zeroed while the 'Present' bit is still set. This can cause unpredictable behavior or spurious faults.

The issue arises because the compiler may reorder writes to the two 64-bit halves of the context entry, and hardware fetches are not guaranteed to be atomic relative to multiple CPU writes. The fix aligns with the VT-d specification by first clearing only the 'Present' bit to signal ownership transfer from hardware to software, ensuring memory visibility with dma_wmb(), performing cache invalidations, and only then zeroing out the entire entry.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unpredictable behavior or spurious faults in systems using the affected Linux kernel iommu/vt-d implementation. Because the hardware might read partially updated context entries, it could cause system instability or errors related to IOMMU operations.

Useful 0 Not Useful 0

Mitigation Strategies

This vulnerability has been resolved in the Linux kernel by changing the way the VT-d context entry is torn down.

• Clear only the 'Present' bit of the context entry first to signal ownership transition from hardware to software.
• Use dma_wmb() to ensure the cleared bit is visible to the IOMMU.
• Perform the required cache and context-cache invalidation to ensure hardware no longer has cached references to the entry.
• Fully zero out the entry only after the invalidation is complete.

Additionally, ensure that dma_wmb() is added to context_set_present() to guarantee the entry is fully initialized before the 'Present' bit becomes visible.

Useful 0 Not Useful 0