CVE-2024-26674

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-26674
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-26674.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-26674
Published
2024-04-02T07:01:39Z
Modified
2025-10-09T02:40:43.478189Z
Summary
x86/lib: Revert to _ASM_EXTABLE_UA() for {get,put}_user() fixups
Details

In the Linux kernel, the following vulnerability has been resolved:

x86/lib: Revert to _ASM_EXTABLE_UA() for {get,put}_user() fixups

During memory error injection test on kernels >= v6.4, the kernel panics like below. However, this issue couldn't be reproduced on kernels <= v6.3.

  mce: [Hardware Error]: CPU 296: Machine Check Exception: f Bank 1: bd80000000100134
  mce: [Hardware Error]: RIP 10:<ffffffff821b9776> {__get_user_nocheck_4+0x6/0x20}
  mce: [Hardware Error]: TSC 411a93533ed ADDR 346a8730040 MISC 86
  mce: [Hardware Error]: PROCESSOR 0:a06d0 TIME 1706000767 SOCKET 1 APIC 211 microcode 80001490
  mce: [Hardware Error]: Run the above through 'mcelog --ascii'
  mce: [Hardware Error]: Machine check: Data load in unrecoverable area of kernel
  Kernel panic - not syncing: Fatal local machine check

The MCA code can recover from an in-kernel #MC if the fixup type is EX_TYPE_UACCESS, explicitly indicating that the kernel is attempting to access userspace memory. However, if the fixup type is EX_TYPE_DEFAULT the only thing that is raised for an in-kernel #MC is a panic.

ex_handler_uaccess() would warn if users gave a non-canonical address (with bit 63 clear) to {get, put}_user(), which was unexpected.

Therefore, commit

b19b74bc99b1 ("x86/mm: Rework address range check in get_user() and put_user()")

replaced _ASM_EXTABLE_UA() with _ASM_EXTABLE() for {get, put}_user() fixups. However, the new fixup type EX_TYPE_DEFAULT results in a panic.

Commit

6014bc27561f ("x86-64: make access_ok() independent of LAM")

added the check gp_fault_address_ok() right before the WARN_ONCE() in ex_handler_uaccess() to not warn about non-canonical user addresses due to LAM.

With that in place, revert back to _ASM_EXTABLE_UA() for {get,put}_user() exception fixups in order to be able to handle in-kernel MCEs correctly again.

[ bp: Massage commit message. ]

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
b19b74bc99b1501a550f4448d04d59b946dc617a
Fixed
2aed1b6c33afd8599d01c6532bbecb829480a674
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
b19b74bc99b1501a550f4448d04d59b946dc617a
Fixed
2da241c5ed78d0978228a1150735539fe1a60eca
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
b19b74bc99b1501a550f4448d04d59b946dc617a
Fixed
8eed4e00a370b37b4e5985ed983dccedd555ea9d

Affected versions

v6.*

v6.3
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.6.1
v6.6.10
v6.6.11
v6.6.12
v6.6.13
v6.6.14
v6.6.15
v6.6.16
v6.6.2
v6.6.3
v6.6.4
v6.6.5
v6.6.6
v6.6.7
v6.6.8
v6.6.9
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.7.1
v6.7.2
v6.7.3
v6.7.4
v6.8-rc1
v6.8-rc2

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.4.0
Fixed
6.6.17
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.7.5