CVE-2024-26674

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-26674
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-26674.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-26674
Related
Published
2024-04-02T07:15:44Z
Modified
2024-09-11T05:03:27.179114Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

x86/lib: Revert to ASMEXTABLEUA() for {get,put}user() fixups

During memory error injection test on kernels >= v6.4, the kernel panics like below. However, this issue couldn't be reproduced on kernels <= v6.3.

mce: [Hardware Error]: CPU 296: Machine Check Exception: f Bank 1: bd80000000100134 mce: [Hardware Error]: RIP 10:<ffffffff821b9776> {_getusernocheck4+0x6/0x20} mce: [Hardware Error]: TSC 411a93533ed ADDR 346a8730040 MISC 86 mce: [Hardware Error]: PROCESSOR 0:a06d0 TIME 1706000767 SOCKET 1 APIC 211 microcode 80001490 mce: [Hardware Error]: Run the above through 'mcelog --ascii' mce: [Hardware Error]: Machine check: Data load in unrecoverable area of kernel Kernel panic - not syncing: Fatal local machine check

The MCA code can recover from an in-kernel #MC if the fixup type is EXTYPEUACCESS, explicitly indicating that the kernel is attempting to access userspace memory. However, if the fixup type is EXTYPEDEFAULT the only thing that is raised for an in-kernel #MC is a panic.

exhandleruaccess() would warn if users gave a non-canonical addresses (with bit 63 clear) to {get, put}_user(), which was unexpected.

Therefore, commit

b19b74bc99b1 ("x86/mm: Rework address range check in getuser() and putuser()")

replaced ASMEXTABLEUA() with _ASMEXTABLE() for {get, put}user() fixups. However, the new fixup type EXTYPE_DEFAULT results in a panic.

Commit

6014bc27561f ("x86-64: make access_ok() independent of LAM")

added the check gpfaultaddressok() right before the WARNONCE() in exhandleruaccess() to not warn about non-canonical user addresses due to LAM.

With that in place, revert back to ASMEXTABLEUA() for {get,put}user() exception fixups in order to be able to handle in-kernel MCEs correctly again.

[ bp: Massage commit message. ]

References

Affected packages

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.7.7-1

Affected versions

6.*

6.1.27-1
6.1.37-1
6.1.38-1
6.1.38-2~bpo11+1
6.1.38-2
6.1.38-3
6.1.38-4~bpo11+1
6.1.38-4
6.1.52-1
6.1.55-1~bpo11+1
6.1.55-1
6.1.64-1
6.1.66-1
6.1.67-1
6.1.69-1~bpo11+1
6.1.69-1
6.1.76-1~bpo11+1
6.1.76-1
6.1.82-1
6.1.85-1
6.1.90-1~bpo11+1
6.1.90-1
6.1.94-1~bpo11+1
6.1.94-1
6.1.98-1
6.1.99-1
6.1.106-1
6.1.106-2
6.1.106-3
6.3.1-1~exp1
6.3.2-1~exp1
6.3.4-1~exp1
6.3.5-1~exp1
6.3.7-1~bpo12+1
6.3.7-1
6.3.11-1
6.4~rc6-1~exp1
6.4~rc7-1~exp1
6.4.1-1~exp1
6.4.4-1~bpo12+1
6.4.4-1
6.4.4-2
6.4.4-3~bpo12+1
6.4.4-3
6.4.11-1
6.4.13-1
6.5~rc4-1~exp1
6.5~rc6-1~exp1
6.5~rc7-1~exp1
6.5.1-1~exp1
6.5.3-1~bpo12+1
6.5.3-1
6.5.6-1
6.5.8-1
6.5.10-1~bpo12+1
6.5.10-1
6.5.13-1
6.6.3-1~exp1
6.6.4-1~exp1
6.6.7-1~exp1
6.6.8-1
6.6.9-1
6.6.11-1
6.6.13-1~bpo12+1
6.6.13-1
6.6.15-1
6.6.15-2
6.7-1~exp1
6.7.1-1~exp1
6.7.4-1~exp1

Ecosystem specific

{
    "urgency": "not yet assigned"
}