CVE-2025-21724
Published: 27 February 2025
Description
In the Linux kernel, the following vulnerability has been resolved: iommufd/iova_bitmap: Fix shift-out-of-bounds in iova_bitmap_offset_to_index() Resolve a UBSAN shift-out-of-bounds issue in iova_bitmap_offset_to_index() where shifting the constant "1" (of type int) by bitmap->mapped.pgshift (an unsigned long value) could result in undefined behavior. The constant "1" defaults to a 32-bit "int", and when "pgshift" exceeds 31 (e.g., pgshift = 63) the shift operation overflows, as the result cannot be represented in a 32-bit type. To resolve this, the constant is updated to "1UL", promoting it to an unsigned long type to match the operand's type.
Security Summary
CVE-2025-21724 is a shift-out-of-bounds vulnerability in the Linux kernel's iommufd/iova_bitmap subsystem, specifically within the iova_bitmap_offset_to_index() function. The issue arises when shifting the constant "1" (typed as a 32-bit int) by the bitmap->mapped.pgshift value (an unsigned long), which can exceed 31 and trigger undefined behavior due to overflow in the 32-bit type. This is classified under CWE-787 (Out-of-bounds Write) with a CVSS v3.1 base score of 7.8.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low attack complexity (AC:L) and no user interaction (UI:N), in an unchanged security scope (S:U). Successful exploitation enables high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), potentially allowing arbitrary code execution or system disruption within the kernel context.
Mitigation involves applying the upstream kernel patches referenced in the stable repository commits, such as 38ac76fc06bc6826a3e4b12a98efbe98432380a9 and others, which resolve the issue by changing the constant to "1UL" to promote it to unsigned long and match the shift operand's type. Security practitioners should update affected Linux kernels to incorporate these fixes.
Details
- CWE(s)