CVE-2024-26674

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-26674
In the Linux kernel, the following vulnerability has been resolved: x86/lib: Revert to _ASM_EXTABLE_UA() for {get,put}_user() fixups During memory error injection test on kernels >= v6.4, the kernel panics like below. However, this issue couldn't be reproduced on kernels <= v6.3. mce: [Hardware Error]: CPU 296: Machine Check Exception: f Bank 1: bd80000000100134 mce: [Hardware Error]: RIP 10:<ffffffff821b9776> {__get_user_nocheck_4+0x6/0x20} mce: [Hardware Error]: TSC 411a93533ed ADDR 346a8730040 MISC 86 mce: [Hardware Error]: PROCESSOR 0:a06d0 TIME 1706000767 SOCKET 1 APIC 211 microcode 80001490 mce: [Hardware Error]: Run the above through 'mcelog --ascii' mce: [Hardware Error]: Machine check: Data load in unrecoverable area of kernel Kernel panic - not syncing: Fatal local machine check The MCA code can recover from an in-kernel #MC if the fixup type is EX_TYPE_UACCESS, explicitly indicating that the kernel is attempting to access userspace memory. However, if the fixup type is EX_TYPE_DEFAULT the only thing that is raised for an in-kernel #MC is a panic. ex_handler_uaccess() would warn if users gave a non-canonical addresses (with bit 63 clear) to {get, put}_user(), which was unexpected. Therefore, commit b19b74bc99b1 ("x86/mm: Rework address range check in get_user() and put_user()") replaced _ASM_EXTABLE_UA() with _ASM_EXTABLE() for {get, put}_user() fixups. However, the new fixup type EX_TYPE_DEFAULT results in a panic. Commit 6014bc27561f ("x86-64: make access_ok() independent of LAM") added the check gp_fault_address_ok() right before the WARN_ONCE() in ex_handler_uaccess() to not warn about non-canonical user addresses due to LAM. With that in place, revert back to _ASM_EXTABLE_UA() for {get,put}_user() exception fixups in order to be able to handle in-kernel MCEs correctly again. [ bp: Massage commit message. ]

7.1 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.8 / Impact : 5.2

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://git.kernel.org/stable/c/2aed1b6c33afd8599d01c6532bbecb829480a674 Patch
https://git.kernel.org/stable/c/2da241c5ed78d0978228a1150735539fe1a60eca Patch
https://git.kernel.org/stable/c/8eed4e00a370b37b4e5985ed983dccedd555ea9d Patch
https://git.kernel.org/stable/c/2aed1b6c33afd8599d01c6532bbecb829480a674 Patch
https://git.kernel.org/stable/c/2da241c5ed78d0978228a1150735539fe1a60eca Patch
https://git.kernel.org/stable/c/8eed4e00a370b37b4e5985ed983dccedd555ea9d Patch
Configurations

Configuration 1 (hide)

OR cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.8:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.8:rc2:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.8:rc3:*:*:*:*:*:*
History

17 Mar 2025, 15:42

Type Values Removed Values Added
First Time Linux linux Kernel
Linux
CWE CWE-787
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 7.1
CPE cpe:2.3:o:linux:linux_kernel:6.8:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.8:rc3:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.8:rc2:*:*:*:*:*:*
References () https://git.kernel.org/stable/c/2aed1b6c33afd8599d01c6532bbecb829480a674 - () https://git.kernel.org/stable/c/2aed1b6c33afd8599d01c6532bbecb829480a674 - Patch
References () https://git.kernel.org/stable/c/2da241c5ed78d0978228a1150735539fe1a60eca - () https://git.kernel.org/stable/c/2da241c5ed78d0978228a1150735539fe1a60eca - Patch
References () https://git.kernel.org/stable/c/8eed4e00a370b37b4e5985ed983dccedd555ea9d - () https://git.kernel.org/stable/c/8eed4e00a370b37b4e5985ed983dccedd555ea9d - Patch

21 Nov 2024, 09:02

Type Values Removed Values Added
References () https://git.kernel.org/stable/c/2aed1b6c33afd8599d01c6532bbecb829480a674 - () https://git.kernel.org/stable/c/2aed1b6c33afd8599d01c6532bbecb829480a674 -
References () https://git.kernel.org/stable/c/2da241c5ed78d0978228a1150735539fe1a60eca - () https://git.kernel.org/stable/c/2da241c5ed78d0978228a1150735539fe1a60eca -
References () https://git.kernel.org/stable/c/8eed4e00a370b37b4e5985ed983dccedd555ea9d - () https://git.kernel.org/stable/c/8eed4e00a370b37b4e5985ed983dccedd555ea9d -

02 Apr 2024, 12:50

Type Values Removed Values Added
Summary
  • (es) En el kernel de Linux, se resolvió la siguiente vulnerabilidad: x86/lib: vuelva a _ASM_EXTABLE_UA() para reparaciones de {get,put}_user() Durante la prueba de inyección de errores de memoria en kernels &gt;= v6.4, el kernel entra en pánico como se muestra a continuación. Sin embargo, este problema no se pudo reproducir en kernels &lt;= v6.3. mce: [Error de hardware]: CPU 296: Excepción de verificación de la máquina: f Banco 1: bd80000000100134 mce: [Error de hardware]: RIP 10: {__get_user_nocheck_4+0x6/0x20} mce: [Error de hardware]: TSC 411a93533ed ADDR 346a87300 40 MISC 86 mce: [Error de hardware]: PROCESADOR 0:a06d0 HORA 1706000767 SOCKET 1 APIC 211 microcódigo 80001490 mce: [Error de hardware]: Ejecute lo anterior a través de 'mcelog --ascii' mce: [Error de hardware]: Verificación de la máquina: Carga de datos en un área irrecuperable del kernel Pánico del kernel - no se sincroniza: verificación fatal de la máquina local El código MCA se puede recuperar de un #MC en el kernel si el tipo de reparación es EX_TYPE_UACCESS, lo que indica explícitamente que el kernel está intentando acceder a la memoria del espacio de usuario. Sin embargo, si el tipo de reparación es EX_TYPE_DEFAULT, lo único que se genera para un #MC en el kernel es pánico. ex_handler_uaccess() advertiría si los usuarios proporcionaban direcciones no canónicas (con el bit 63 claro) a {get, put}_user(), lo cual era inesperado. Por lo tanto, el commit b19b74bc99b1 ("x86/mm: Reelaborar la verificación del rango de direcciones en get_user() y put_user()") reemplazó _ASM_EXTABLE_UA() con _ASM_EXTABLE() para las correcciones de {get, put}_user(). Sin embargo, el nuevo tipo de reparación EX_TYPE_DEFAULT provoca pánico. El commit 6014bc27561f ("x86-64: hacer que access_ok() sea independiente de LAM") agregó la verificación gp_fault_address_ok() justo antes de WARN_ONCE() en ex_handler_uaccess() para no advertir sobre direcciones de usuarios no canónicas debido a LAM. Una vez implementado esto, vuelva a _ASM_EXTABLE_UA() para corregir excepciones de {get,put}_user() para poder manejar correctamente los MCE en el kernel nuevamente. [pb: mensaje de commit. ]

02 Apr 2024, 07:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-04-02 07:15

Updated : 2025-03-17 15:42

NVD link : CVE-2024-26674

Mitre link : CVE-2024-26674

CVE.ORG link : CVE-2024-26674

JSON object : View

Products Affected

linux

  • linux_kernel
CWE
CWE-787

Out-of-bounds Write