KernelScan.io

HIGH

loongarch KVM EIOINTC OOB

CVE-2026-31569

CVSS 7.3 / 10.0 NVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:H

KernelScan AI: 7.3 HIGH

01

In the Linux kernel, the following vulnerability has been resolved:

LoongArch: KVM: Handle the case that EIOINTC's coremap is empty

EIOINTC's coremap in eiointc_update_sw_coremap() can be empty. Currently we get a cpuid of -1 in this case, but we actually need 0 because it's similar to the case that cpuid >= 4. This fixes an out-of-bounds access to kvm_arch::phyid_map::phys_map[].

02

Engine v0.2.0

Risk summary

A local attacker with KVM access on LoongArch systems could trigger an out-of-bounds memory read by manipulating EIOINTC interrupt controller state to have an empty coremap. This could lead to information disclosure by reading kernel memory contents or potentially cause system crashes, affecting the stability and confidentiality of virtualized environments.

Affected: arch/loongarch/kvm/intc/eiointc.c

Vulnerability analysis

Root Cause: In the eiointc_update_sw_coremap() function, when EIOINTC's coremap is empty, the ffs() function returns 0, which after subtracting 1 becomes -1. This negative cpuid value is then used as an array index to access kvm_arch::phyid_map::phys_map[], causing an out-of-bounds read access.

Attack Surface: This vulnerability affects LoongArch KVM virtualization environments. It requires local access with sufficient privileges to interact with KVM virtual machines and trigger the EIOINTC interrupt controller code path. The bug is specific to LoongArch architecture systems running KVM hypervisor functionality.

Fix Mechanism: The patch adds a bounds check to handle the case where cpuid is negative (< 0). The condition is changed from 'cpuid >= 4' to '((cpuid < 0) || (cpuid >= 4))' so that both negative values and values >= 4 are normalized to 0, preventing the out-of-bounds access.
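The index derivation before and after the fix, as an added example that is not the kernel's own code: ffs() on an empty coremap returns 0, so the unfixed arithmetic yields -1, which the fixed condition normalizes to 0 alongside any value >= 4. The four-entry phys_map table and the lookup helper are constructed stand-ins, not the real kvm_arch::phyid_map layout.

```c
#include <stdint.h>
#include <strings.h>   /* ffs() */

/* Constructed stand-in for kvm_arch::phyid_map::phys_map[]; the real
 * structure is larger and lives in the LoongArch KVM code. */
#define EIOINTC_CORES 4
static const int phys_map[EIOINTC_CORES] = {10, 11, 12, 13};

/* Index derivation as the page describes the unfixed code: ffs() of an
 * empty coremap is 0, so cpuid becomes -1, and only cpuid >= 4 was
 * normalized to 0. The negative index is what caused the OOB access. */
int cpuid_before_fix(uint32_t coremap)
{
    int cpuid = ffs((int)coremap) - 1;
    if (cpuid >= EIOINTC_CORES)
        cpuid = 0;
    return cpuid;
}

/* Index derivation after the fix: the condition now also catches a
 * negative cpuid and normalizes it to 0, like the cpuid >= 4 case. */
int cpuid_after_fix(uint32_t coremap)
{
    int cpuid = ffs((int)coremap) - 1;
    if ((cpuid < 0) || (cpuid >= EIOINTC_CORES))
        cpuid = 0;
    return cpuid;
}

/* Bounds-checked lookup used by the demonstration: returns the mapped
 * physical id, or -1 instead of reading outside the table. */
int phys_id_or_neg(int cpuid)
{
    if (cpuid < 0 || cpuid >= EIOINTC_CORES)
        return -1;      /* this is where the unfixed code read out of bounds */
    return phys_map[cpuid];
}
```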

03

Branch      Fixed in    Patch commit
6.18        6.18.21     126053d0a685
6.19        6.19.11     2a0cbcd28ecf
mainline    7.0         b97bd69eb0f6