HIGH
iommufd Selftest Overflow
CVE-2025-71122
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
KernelScan AI 6.1 MEDIUM
01 Description
In the Linux kernel, the following vulnerability has been resolved:

iommufd/selftest: Check for overflow in IOMMU_TEST_OP_ADD_RESERVED

syzkaller found it could overflow math in the test infrastructure and cause a WARN_ON by corrupting the reserved interval tree. This only affects test kernels with CONFIG_IOMMUFD_TEST.

Validate the user input length in the test ioctl.
02 KernelScan AI Analysis
Risk summary
Test kernels with CONFIG_IOMMUFD_TEST enabled are vulnerable to a local denial-of-service and limited integrity corruption through an integer overflow in the IOMMU_TEST_OP_ADD_RESERVED ioctl. Attackers with low privileges can trigger a WARN_ON and corrupt the reserved interval tree, causing kernel instability. This only affects development/testing environments, not production kernels.
Vulnerability analysis
The vulnerability occurs in the iommufd selftest infrastructure where user-provided start address and length parameters are added without overflow checking before being passed to iopt_reserve_iova(). When start + length - 1 overflows, it corrupts the reserved interval tree and triggers kernel warnings. The fix adds explicit overflow validation using check_add_overflow(), rejects zero-length inputs, and ensures the calculated last address is valid before proceeding with the reservation operation. This is a local attack surface requiring access to the test ioctl interface.
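The arithmetic described above, modelled in userspace C as an added example (not the kernel's code and not taken from the patch). The struct and function names are hypothetical, the inputs are constructed, and the GCC/Clang builtin __builtin_add_overflow stands in for the kernel's check_add_overflow().

```c
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of an inclusive range [start, last] as stored in an
 * interval tree; not the kernel's data structure. */
struct iova_range { unsigned long start, last; };

/* Unchecked form described in the analysis: the sum wraps silently. */
static struct iova_range range_unchecked(unsigned long start, size_t length)
{
    struct iova_range r = { start, start + length - 1 };
    return r;
}

/* Checked form: reject zero length, then detect wraparound.
 * __builtin_add_overflow stands in for the kernel's check_add_overflow(). */
static int range_checked(unsigned long start, size_t length,
                         struct iova_range *out)
{
    unsigned long last;

    if (!length)
        return -EINVAL;
    if (__builtin_add_overflow(start, length - 1, &last))
        return -EINVAL;
    out->start = start;
    out->last = last;
    return 0;
}

/* Invariant an interval tree depends on: start <= last for every node. */
static int range_is_sane(const struct iova_range *r)
{
    return r->start <= r->last;
}

int main(void)
{
    /* Constructed inputs: a range that wraps, and one ending at ULONG_MAX. */
    unsigned long start = ULONG_MAX - 0xfff;
    struct iova_range bad = range_unchecked(start, 0x2000), ok;

    printf("unchecked: [%#lx, %#lx] sane=%d\n", bad.start, bad.last,
           range_is_sane(&bad));
    printf("checked, wrapping length: %d\n", range_checked(start, 0x2000, &ok));
    printf("checked, ends at ULONG_MAX: %d\n", range_checked(start, 0x1000, &ok));
    printf("checked, zero length: %d\n", range_checked(0x1000, 0, &ok));
    return 0;
}
```

Adding length - 1 to start, rather than testing start + length, lets a legitimate range that ends exactly at ULONG_MAX pass while a wrapping one is rejected.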
03 Fix Versions
| Branch | Fixed in | Patch commit |
|---|---|---|
| 6.12 | 6.12.64 | e6c122cffcbb |
| 6.18 | 6.18.3 | b166b8e0a381 |
| 6.6 | 6.6.120 | 4cc829d61f10 |
| mainline | 6.19 | e6a973af1113 |