Bug 2348649 (CVE-2025-21724) - CVE-2025-21724 kernel: iommufd/iova_bitmap: Fix shift-out-of-bounds in iova_bitmap_offset_to_index()
Summary: CVE-2025-21724 kernel: iommufd/iova_bitmap: Fix shift-out-of-bounds in iova_b...
Keywords:
Status: NEW
Alias: CVE-2025-21724
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-02-27 03:06 UTC by OSIDB Bzimport
Modified: 2025-02-27 19:56 UTC (History)
4 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description OSIDB Bzimport 2025-02-27 03:06:24 UTC 
In the Linux kernel, the following vulnerability has been resolved:

iommufd/iova_bitmap: Fix shift-out-of-bounds in iova_bitmap_offset_to_index()

Resolve a UBSAN shift-out-of-bounds issue in iova_bitmap_offset_to_index()
where shifting the constant "1" (of type int) by bitmap->mapped.pgshift
(an unsigned long value) could result in undefined behavior.

The constant "1" defaults to a 32-bit "int", and when "pgshift" exceeds
31 (e.g., pgshift = 63) the shift operation overflows, as the result
cannot be represented in a 32-bit type.

To resolve this, the constant is updated to "1UL", promoting it to an
unsigned long type to match the operand's type.
Comment 1 Mauro Matteo Cascella 2025-02-27 19:44:27 UTC 
Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025022647-CVE-2025-21724-f4b1@gregkh/T
Note You need to log in before you can comment on or make changes to this bug.