CVE-2024-26674 Information
Description
In the Linux kernel the following vulnerability has been resolved:
x86/lib: Revert to _ASM_EXTABLE_UA() for getput_user() fixups
During memory error injection test on kernels >= v6.4 the kernel panics like below. However this issue couldn’t be reproduced on kernels <= v6.3.
mce: [Hardware Error]: CPU 296: Machine Check Exception: f Bank 1: bd80000000100134
mce: [Hardware Error]: RIP 10:
The MCA code can recover from an in-kernel MC if the fixup type is EX_TYPE_UACCESS explicitly indicating that the kernel is attempting to access userspace memory. However if the fixup type is EX_TYPE_DEFAULT the only thing that is raised for an in-kernel MC is a panic.
ex_handler_uaccess() would warn if users gave a non-canonical addresses (with bit 63 clear) to get put_user() which was unexpected.
Therefore commit
b19b74bc99b1 (�/mm: Rework address range check in get_user() and put_user())
replaced _ASM_EXTABLE_UA() with _ASM_EXTABLE() for get put_user() fixups. However the new fixup type EX_TYPE_DEFAULT results in a panic.
Commit
6014bc27561f (�-64: make access_ok() independent of LAM)
added the check gp_fault_address_ok() right before the WARN_ONCE() in ex_handler_uaccess() to not warn about non-canonical user addresses due to LAM.
With that in place revert back to _ASM_EXTABLE_UA() for getput_user() exception fixups in order to be able to handle in-kernel MCEs correctly again.
[ bp: Massage commit message. ]
Reference
https://git.kernel.org/stable/c/2aed1b6c33afd8599d01c6532bbecb829480a674 https://git.kernel.org/stable/c/2da241c5ed78d0978228a1150735539fe1a60eca https://git.kernel.org/stable/c/8eed4e00a370b37b4e5985ed983dccedd555ea9d
Share on: