cve-2024-26906
Vulnerability from cvelistv5
Published
2024-04-17 10:27
Modified
2024-11-05 09:17
Severity ?
Summary
x86/mm: Disallow vsyscall page read for copy_from_kernel_nofault()
Impacted products
LinuxLinux
LinuxLinux
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T00:21:05.490Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/6e4694e65b6db4c3de125115dd4f55848cc48381"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/e8a67fe34b76a49320b33032228a794f40b0316b"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/f175de546a3eb77614d94d4c02550181c0a8493e"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/57f78c46f08198e1be08ffe99c4c1ccc12855bf5"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/29bd6f86904682adafe9affbc7f79b14defcaff8"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/32019c659ecfe1d92e3bf9fcdfbb11a7c70acd58"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-26906",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T15:47:59.842385Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-11T17:33:22.186Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/mm/maccess.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6e4694e65b6d",
              "status": "affected",
              "version": "1da177e4c3f4",
              "versionType": "git"
            },
            {
              "lessThan": "e8a67fe34b76",
              "status": "affected",
              "version": "1da177e4c3f4",
              "versionType": "git"
            },
            {
              "lessThan": "f175de546a3e",
              "status": "affected",
              "version": "1da177e4c3f4",
              "versionType": "git"
            },
            {
              "lessThan": "57f78c46f081",
              "status": "affected",
              "version": "1da177e4c3f4",
              "versionType": "git"
            },
            {
              "lessThan": "29bd6f869046",
              "status": "affected",
              "version": "1da177e4c3f4",
              "versionType": "git"
            },
            {
              "lessThan": "32019c659ecf",
              "status": "affected",
              "version": "1da177e4c3f4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/mm/maccess.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.214",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.153",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.83",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.23",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.7.*",
              "status": "unaffected",
              "version": "6.7.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.8",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/mm: Disallow vsyscall page read for copy_from_kernel_nofault()\n\nWhen trying to use copy_from_kernel_nofault() to read vsyscall page\nthrough a bpf program, the following oops was reported:\n\n  BUG: unable to handle page fault for address: ffffffffff600000\n  #PF: supervisor read access in kernel mode\n  #PF: error_code(0x0000) - not-present page\n  PGD 3231067 P4D 3231067 PUD 3233067 PMD 3235067 PTE 0\n  Oops: 0000 [#1] PREEMPT SMP PTI\n  CPU: 1 PID: 20390 Comm: test_progs ...... 6.7.0+ #58\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) ......\n  RIP: 0010:copy_from_kernel_nofault+0x6f/0x110\n  ......\n  Call Trace:\n   \u003cTASK\u003e\n   ? copy_from_kernel_nofault+0x6f/0x110\n   bpf_probe_read_kernel+0x1d/0x50\n   bpf_prog_2061065e56845f08_do_probe_read+0x51/0x8d\n   trace_call_bpf+0xc5/0x1c0\n   perf_call_bpf_enter.isra.0+0x69/0xb0\n   perf_syscall_enter+0x13e/0x200\n   syscall_trace_enter+0x188/0x1c0\n   do_syscall_64+0xb5/0xe0\n   entry_SYSCALL_64_after_hwframe+0x6e/0x76\n   \u003c/TASK\u003e\n  ......\n  ---[ end trace 0000000000000000 ]---\n\nThe oops is triggered when:\n\n1) A bpf program uses bpf_probe_read_kernel() to read from the vsyscall\npage and invokes copy_from_kernel_nofault() which in turn calls\n__get_user_asm().\n\n2) Because the vsyscall page address is not readable from kernel space,\na page fault exception is triggered accordingly.\n\n3) handle_page_fault() considers the vsyscall page address as a user\nspace address instead of a kernel space address. This results in the\nfix-up setup by bpf not being applied and a page_fault_oops() is invoked\ndue to SMAP.\n\nConsidering handle_page_fault() has already considered the vsyscall page\naddress as a userspace address, fix the problem by disallowing vsyscall\npage read for copy_from_kernel_nofault()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-05T09:17:57.653Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6e4694e65b6db4c3de125115dd4f55848cc48381"
        },
        {
          "url": "https://git.kernel.org/stable/c/e8a67fe34b76a49320b33032228a794f40b0316b"
        },
        {
          "url": "https://git.kernel.org/stable/c/f175de546a3eb77614d94d4c02550181c0a8493e"
        },
        {
          "url": "https://git.kernel.org/stable/c/57f78c46f08198e1be08ffe99c4c1ccc12855bf5"
        },
        {
          "url": "https://git.kernel.org/stable/c/29bd6f86904682adafe9affbc7f79b14defcaff8"
        },
        {
          "url": "https://git.kernel.org/stable/c/32019c659ecfe1d92e3bf9fcdfbb11a7c70acd58"
        }
      ],
      "title": "x86/mm: Disallow vsyscall page read for copy_from_kernel_nofault()",
      "x_generator": {
        "engine": "bippy-9e1c9544281a"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-26906",
    "datePublished": "2024-04-17T10:27:53.573Z",
    "dateReserved": "2024-02-19T14:20:24.187Z",
    "dateUpdated": "2024-11-05T09:17:57.653Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-26906\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-04-17T11:15:11.207\",\"lastModified\":\"2024-11-05T10:16:01.910\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nx86/mm: Disallow vsyscall page read for copy_from_kernel_nofault()\\n\\nWhen trying to use copy_from_kernel_nofault() to read vsyscall page\\nthrough a bpf program, the following oops was reported:\\n\\n  BUG: unable to handle page fault for address: ffffffffff600000\\n  #PF: supervisor read access in kernel mode\\n  #PF: error_code(0x0000) - not-present page\\n  PGD 3231067 P4D 3231067 PUD 3233067 PMD 3235067 PTE 0\\n  Oops: 0000 [#1] PREEMPT SMP PTI\\n  CPU: 1 PID: 20390 Comm: test_progs ...... 6.7.0+ #58\\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) ......\\n  RIP: 0010:copy_from_kernel_nofault+0x6f/0x110\\n  ......\\n  Call Trace:\\n   \u003cTASK\u003e\\n   ? copy_from_kernel_nofault+0x6f/0x110\\n   bpf_probe_read_kernel+0x1d/0x50\\n   bpf_prog_2061065e56845f08_do_probe_read+0x51/0x8d\\n   trace_call_bpf+0xc5/0x1c0\\n   perf_call_bpf_enter.isra.0+0x69/0xb0\\n   perf_syscall_enter+0x13e/0x200\\n   syscall_trace_enter+0x188/0x1c0\\n   do_syscall_64+0xb5/0xe0\\n   entry_SYSCALL_64_after_hwframe+0x6e/0x76\\n   \u003c/TASK\u003e\\n  ......\\n  ---[ end trace 0000000000000000 ]---\\n\\nThe oops is triggered when:\\n\\n1) A bpf program uses bpf_probe_read_kernel() to read from the vsyscall\\npage and invokes copy_from_kernel_nofault() which in turn calls\\n__get_user_asm().\\n\\n2) Because the vsyscall page address is not readable from kernel space,\\na page fault exception is triggered accordingly.\\n\\n3) handle_page_fault() considers the vsyscall page address as a user\\nspace address instead of a kernel space address. This results in the\\nfix-up setup by bpf not being applied and a page_fault_oops() is invoked\\ndue to SMAP.\\n\\nConsidering handle_page_fault() has already considered the vsyscall page\\naddress as a userspace address, fix the problem by disallowing vsyscall\\npage read for copy_from_kernel_nofault().\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: x86/mm: no permitir la lectura de la p\u00e1gina vsyscall para copy_from_kernel_nofault() Al intentar usar copy_from_kernel_nofault() para leer la p\u00e1gina vsyscall a trav\u00e9s de un programa bpf, se inform\u00f3 lo siguiente: ERROR: no se puede manejar el error de p\u00e1gina para la direcci\u00f3n: ffffffffff600000 #PF: acceso de lectura del supervisor en modo kernel #PF: error_code(0x0000) - p\u00e1gina no presente PGD 3231067 P4D 3231067 PUD 3233067 PMD 3235067 PTE 0 Ups: 0000 [#1] PREEMPT SMP PTI CPU: 1 PID: 20390 Comm: test_progs ...... 6.7.0+ #58 Nombre de hardware: PC est\u00e1ndar QEMU (i440FX + PIIX, 1996) ...... RIP: 0010:copy_from_kernel_nofault+0x6f/0x110... ... Seguimiento de llamadas: ? copy_from_kernel_nofault+0x6f/0x110 bpf_probe_read_kernel+0x1d/0x50 bpf_prog_2061065e56845f08_do_probe_read+0x51/0x8d trace_call_bpf+0xc5/0x1c0 perf_call_bpf_enter.isra.0+0x69/0xb 0 perf_syscall_enter+0x13e/0x200 syscall_trace_enter+0x188/0x1c0 do_syscall_64+0xb5/0xe0 Entry_SYSCALL_64_after_hwframe+0x6e/0x76 \u0026lt; /TASK\u0026gt; ...... ---[ end trace 0000000000000000 ]--- Ups se activa cuando: 1) Un programa bpf usa bpf_probe_read_kernel() para leer desde la p\u00e1gina vsyscall e invoca copy_from_kernel_nofault() que a su vez llama __get_user_asm(). 2) Debido a que la direcci\u00f3n de la p\u00e1gina vsyscall no se puede leer desde el espacio del kernel, se activa una excepci\u00f3n de error de p\u00e1gina en consecuencia. 3) handle_page_fault() considera la direcci\u00f3n de la p\u00e1gina vsyscall como una direcci\u00f3n de espacio de usuario en lugar de una direcci\u00f3n de espacio de kernel. Esto da como resultado que no se aplique la configuraci\u00f3n de reparaci\u00f3n mediante bpf y se invoque page_fault_oops() debido a SMAP. Teniendo en cuenta que handle_page_fault() ya ha considerado la direcci\u00f3n de la p\u00e1gina vsyscall como una direcci\u00f3n de espacio de usuario, solucione el problema no permitiendo la lectura de la p\u00e1gina vsyscall para copy_from_kernel_nofault().\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/29bd6f86904682adafe9affbc7f79b14defcaff8\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/32019c659ecfe1d92e3bf9fcdfbb11a7c70acd58\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/57f78c46f08198e1be08ffe99c4c1ccc12855bf5\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/6e4694e65b6db4c3de125115dd4f55848cc48381\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/e8a67fe34b76a49320b33032228a794f40b0316b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/f175de546a3eb77614d94d4c02550181c0a8493e\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading...

Loading...

Loading...
  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.