In the Linux kernel, the following vulnerability has been resolved:

x86/lib: Revert to _ASM_EXTABLE_UA() for {get,put}_user() fixups

During memory error injection test on kernels >= v6.4, the kernel panics like below. However, this issue couldn’t be reproduced on kernels <= v6.3.

    mce: [Hardware Error]: CPU 296: Machine Check Exception: f Bank 1: bd80000000100134
    mce: [Hardware Error]: RIP 10:<ffffffff821b9776> {__get_user_nocheck_4+0x6/0x20}
    mce: [Hardware Error]: TSC 411a93533ed ADDR 346a8730040 MISC 86
    mce: [Hardware Error]: PROCESSOR 0:a06d0 TIME 1706000767 SOCKET 1 APIC 211 microcode 80001490
    mce: [Hardware Error]: Run the above through ‘mcelog --ascii’
    mce: [Hardware Error]: Machine check: Data load in unrecoverable area of kernel
    Kernel panic - not syncing: Fatal local machine check

The MCA code can recover from an in-kernel #MC if the fixup type is EX_TYPE_UACCESS, explicitly indicating that the kernel is attempting to access userspace memory. However, if the fixup type is EX_TYPE_DEFAULT the only thing that is raised for an in-kernel #MC is a panic.

ex_handler_uaccess() would warn if users gave a non-canonical address (with bit 63 clear) to {get, put}_user(), which was unexpected.

Therefore, commit b19b74bc99b1 (“x86/mm: Rework address range check in get_user() and put_user()”) replaced _ASM_EXTABLE_UA() with _ASM_EXTABLE() for {get, put}_user() fixups. However, the new fixup type EX_TYPE_DEFAULT results in a panic.

Commit 6014bc27561f (“x86-64: make access_ok() independent of LAM”) added the check gp_fault_address_ok() right before the WARN_ONCE() in ex_handler_uaccess() to not warn about non-canonical user addresses due to LAM.

With that in place, revert back to _ASM_EXTABLE_UA() for {get,put}_user() exception fixups in order to be able to handle in-kernel MCEs correctly again.

[ bp: Massage commit message. ]
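
One way to triage a crash log for the panic signature described in the commit message above, added here as an example and not taken from the kernel or the advisory: it decodes the MCi_STATUS flags and reports logs where a hardware-recoverable error inside a {get,put}_user() helper still ended in a panic. The function names, the matching rule and the use of the Intel SDM bit layout are assumptions of this example; the sample log is an excerpt of the one quoted above.

```python
import re

# Constructed sample: excerpt of the panic log quoted in the advisory.
SAMPLE_LOG = """\
mce: [Hardware Error]: CPU 296: Machine Check Exception: f Bank 1: bd80000000100134
mce: [Hardware Error]: RIP 10:<ffffffff821b9776> {__get_user_nocheck_4+0x6/0x20}
mce: [Hardware Error]: TSC 411a93533ed ADDR 346a8730040 MISC 86
mce: [Hardware Error]: Machine check: Data load in unrecoverable area of kernel
Kernel panic - not syncing: Fatal local machine check
"""

# MCi_STATUS flag bits (Intel SDM layout, assumed; S/AR need software error recovery).
STATUS_BITS = {"VAL": 63, "OVER": 62, "UC": 61, "EN": 60, "MISCV": 59,
               "ADDRV": 58, "PCC": 57, "S": 56, "AR": 55}

MCE_RE = re.compile(r"Machine Check Exception: \S+ Bank (\d+): ([0-9a-f]+)")
RIP_RE = re.compile(r"RIP \S+ \{(\w+)\+0x[0-9a-f]+/0x[0-9a-f]+\}")
UACCESS_RE = re.compile(r"^__(get|put)_user_")  # hypothetical matching rule


def decode_status(status):
    """Return the names of the flag bits set in an MCi_STATUS value."""
    return {name for name, bit in STATUS_BITS.items() if status >> bit & 1}


def triage(log_text):
    """Summarise one machine-check report and test it against the signature."""
    result = {"bank": None, "flags": set(), "symbol": None, "panicked": False}
    for line in log_text.splitlines():
        if m := MCE_RE.search(line):
            result["bank"] = int(m.group(1))
            result["flags"] = decode_status(int(m.group(2), 16))
        elif m := RIP_RE.search(line):
            result["symbol"] = m.group(1)
        elif "Kernel panic" in line and "machine check" in line:
            result["panicked"] = True
    flags = result["flags"]
    # Uncorrected, action required, but processor context not corrupted (PCC=0):
    # the class of error the kernel may recover from with a uaccess fixup.
    result["recoverable_by_hw"] = {"UC", "S", "AR"} <= flags and "PCC" not in flags
    result["matches_signature"] = bool(
        result["panicked"] and result["recoverable_by_hw"]
        and result["symbol"] and UACCESS_RE.match(result["symbol"]))
    return result


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
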

OS | OS Version | Architecture | Package | Affected Version | Filename |
---|---|---|---|---|---|
ubuntu | 23.10 | noarch | linux | < 6.5.0-44.44 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-aws-6.5 | < 6.5.0-1023.23~22.04.1 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-azure-6.5 | < 6.5.0-1024.25~22.04.1 | UNKNOWN |
ubuntu | 23.10 | noarch | linux-gcp | < 6.5.0-1024.26 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-gcp-6.5 | < 6.5.0-1024.26~22.04.1 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-hwe-6.5 | < 6.5.0-44.44~22.04.1 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-lowlatency-hwe-6.5 | < 6.5.0-44.44.1~22.04.1 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-nvidia-6.5 | < 6.5.0-1023.24 | UNKNOWN |
ubuntu | 22.04 | noarch | linux-oem-6.5 | < any | UNKNOWN |
ubuntu | 22.04 | noarch | linux-oracle-6.5 | < 6.5.0-1026.26~22.04.1 | UNKNOWN |

git.kernel.org/linus/8eed4e00a370b37b4e5985ed983dccedd555ea9d (6.8-rc4)
git.kernel.org/stable/c/2aed1b6c33afd8599d01c6532bbecb829480a674
git.kernel.org/stable/c/2da241c5ed78d0978228a1150735539fe1a60eca
git.kernel.org/stable/c/8eed4e00a370b37b4e5985ed983dccedd555ea9d
launchpad.net/bugs/cve/CVE-2024-26674
nvd.nist.gov/vuln/detail/CVE-2024-26674
security-tracker.debian.org/tracker/CVE-2024-26674
ubuntu.com/security/notices/USN-6895-1
ubuntu.com/security/notices/USN-6895-2
ubuntu.com/security/notices/USN-6895-3
ubuntu.com/security/notices/USN-6900-1
www.cve.org/CVERecord?id=CVE-2024-26674