In the Linux kernel, the following vulnerability has been resolved:
iommu: disable SVA when CONFIG_X86 is set
Patch series "Fix stale IOTLB entries for kernel address space", v7.
This proposes a fix for a security vulnerability related to IOMMU Shared
Virtual Addressing (SVA). In an SVA context, an IOMMU can cache kernel
page table entries. When a kernel page table page is freed and
reallocated for another purpose, the IOMMU might still hold stale,
incorrect entries. This can be exploited to cause a use-after-free or
write-after-free condition, potentially leading to privilege escalation or
data corruption.
This solution introduces a deferred freeing mechanism for kernel page
table pages, which provides a safe window to notify the IOMMU to
invalidate its caches before the page is reused.
This patch (of 8):
In the IOMMU Shared Virtual Addressing (SVA) context, the IOMMU hardware
shares and walks the CPU's page tables. The x86 architecture maps the
kernel's virtual address space into the upper portion of every process's
page table. Consequently, in an SVA context, the IOMMU hardware can walk
and cache kernel page table entries.
The Linux kernel currently lacks a notification mechanism for kernel page
table changes, specifically when page table pages are freed and reused.
The IOMMU driver is only notified of changes to user virtual address
mappings. This can cause the IOMMU's internal caches to retain stale
entries for kernel VA.
Use-After-Free (UAF) and Write-After-Free (WAF) conditions arise when
kernel page table pages are freed and later reallocated. The IOMMU could
misinterpret the new data as valid page table entries. The IOMMU might
then walk into attacker-controlled memory, leading to arbitrary physical
memory DMA access or privilege escalation. This is also a
Write-After-Free issue, as the IOMMU will potentially continue to write
Accessed and Dirty bits to the freed memory while attempting to walk the
stale page tables.
Currently, SVA contexts are unprivileged and cannot access kernel
mappings. However, the IOMMU will still walk kernel-only page tables all
the way down to the leaf entries, where it realizes the mapping is for the
kernel and errors out. This means the IOMMU still caches these
intermediate page table entries, making the described vulnerability a real
concern.
Disable SVA on x86 architecture until the IOMMU can receive notification
to flush the paging cache before freeing the CPU kernel page table pages.
CVE-2025-71089 is a critical IOMMU Shared Virtual Addressing (SVA) vulnerability in the Linux kernel affecting x86 systems. The vulnerability allows stale IOMMU cache entries to persist after kernel page table pages are freed and reallocated, potentially enabling use-after-free/write-after-free conditions leading to privilege escalation or data corruption. The patch disables SVA on the x86 architecture as a temporary mitigation until proper cache invalidation mechanisms are implemented.
Immediate Actions:
1. Identify all x86-based Linux systems running kernel versions affected by this vulnerability
2. Prioritize systems handling sensitive data (banking, government, healthcare, energy)
3. Review IOMMU/SVA configuration status on affected systems
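A per-host triage for steps 1 and 3 above, as an added example that is not part of the advisory or the kernel patch series. The function name `sva_triage` and its verdict strings are hypothetical; `CONFIG_IOMMU_SVA` and `/sys/class/iommu` are mainline kernel names that do not appear on this page. The script narrows the review list and does not determine whether a kernel already carries the fix.

```shell
#!/bin/sh
# Added triage example (not from the advisory or the kernel tree).
# Classifies one host for the "identify x86 systems" and
# "review IOMMU/SVA configuration" steps.

# sva_triage ARCH KCONFIG IOMMU_DIR
#   ARCH      machine name as printed by `uname -m`
#   KCONFIG   kernel build config, plain text or gzip-compressed
#   IOMMU_DIR directory listing IOMMU units (/sys/class/iommu on a live host)
sva_triage() {
    arch=$1 kconfig=$2 iommu_dir=$3

    # The change only concerns kernels built with CONFIG_X86.
    case $arch in
        x86_64|i?86) ;;
        *) echo "not-x86"; return 0 ;;
    esac

    # Without the build config the SVA question cannot be answered here.
    [ -r "$kconfig" ] || { echo "unknown-no-kconfig"; return 0; }
    case $kconfig in
        *.gz) reader="gzip -dc" ;;
        *)    reader="cat" ;;
    esac

    # A kernel built without CONFIG_IOMMU_SVA cannot bind a device to a
    # process address space, so the IOMMU never walks CPU page tables.
    if ! $reader "$kconfig" | grep -q '^CONFIG_IOMMU_SVA=y'; then
        echo "sva-not-built"; return 0
    fi

    # SVA support compiled in, but no IOMMU unit registered on this host.
    if [ ! -d "$iommu_dir" ] || [ -z "$(ls -A "$iommu_dir" 2>/dev/null)" ]; then
        echo "sva-built-no-iommu"; return 0
    fi

    # x86, SVA built in, IOMMU present: check the kernel version against
    # the distribution's fixed-in list.
    echo "review-kernel-version"
}

# On a live host (usual locations; distributions may differ):
#   sva_triage "$(uname -m)" "/boot/config-$(uname -r)" /sys/class/iommu
```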
Patching Guidance:
1. Apply kernel patches that disable SVA on the x86 architecture (available in the patch series)
2. Update to patched kernel versions as released by Linux distributions
3. Test patches in non-production environments before deployment
4. Schedule maintenance windows for kernel updates on critical systems
Compensating Controls (if immediate patching is not possible):
1. Disable SVA functionality in BIOS/UEFI settings if available
2. Disable IOMMU features if not required for system operation
3. Implement strict access controls and monitoring on systems with elevated privileges
4. Isolate affected systems from untrusted networks
Detection Rules:
1. Monitor kernel logs for IOMMU-related errors or warnings
2. Track SVA-related system calls and memory mapping operations
3. Alert on unexpected privilege escalation attempts
4. Monitor for unusual DMA access patterns or memory corruption indicators
5. Implement kernel audit rules for page table modifications