Bug 2419923 (CVE-2025-40293)

Summary: CVE-2025-40293 kernel: iommufd: Don't overflow during division for dirty tracking
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedKeywords: Security
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A divide-by-zero vulnerability was found in the iommufd dirty tracking code in the Linux kernel. When pgshift is 63, an integer overflow causes the divisor to become zero, triggering a kernel crash. This occurs during dirty bitmap index calculations for IOMMU operations.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-12-08 07:09:01 UTC 
In the Linux kernel, the following vulnerability has been resolved:

iommufd: Don't overflow during division for dirty tracking

If pgshift is 63 then BITS_PER_TYPE(*bitmap->bitmap) * pgsize will overflow
to 0 and this triggers divide by 0.

In this case the index should just be 0, so reorganize things to divide
by shift and avoid hitting any overflows.
Comment 1 Jon Moroney 2025-12-08 19:23:31 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025120818-CVE-2025-40293-cfe7@gregkh/T