cve/published/2024/CVE-2024-56678.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-56678: powerpc/mm/fault: Fix kfence page fault reporting

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 powerpc/mm/fault: Fix kfence page fault reporting

 copy_from_kernel_nofault() can be called when doing read of /proc/kcore.
 /proc/kcore can have some unmapped kfence objects which when read via
 copy_from_kernel_nofault() can cause page faults. Since *_nofault()
 functions define their own fixup table for handling fault, use that
 instead of asking kfence to handle such faults.

 Hence we search the exception tables for the nip which generated the
 fault. If there is an entry then we let the fixup table handler handle the
 page fault by returning an error from within ___do_page_fault().

 This can be easily triggered if someone tries to do dd from /proc/kcore.
 eg. dd if=/proc/kcore of=/dev/null bs=1M

 Some example false negatives:

   ===============================
   BUG: KFENCE: invalid read in copy_from_kernel_nofault+0x9c/0x1a0
   Invalid read at 0xc0000000fdff0000:
    copy_from_kernel_nofault+0x9c/0x1a0
    0xc00000000665f950
    read_kcore_iter+0x57c/0xa04
    proc_reg_read_iter+0xe4/0x16c
    vfs_read+0x320/0x3ec
    ksys_read+0x90/0x154
    system_call_exception+0x120/0x310
    system_call_vectored_common+0x15c/0x2ec

   BUG: KFENCE: use-after-free read in copy_from_kernel_nofault+0x9c/0x1a0
   Use-after-free read at 0xc0000000fe050000 (in kfence-#2):
    copy_from_kernel_nofault+0x9c/0x1a0
    0xc00000000665f950
    read_kcore_iter+0x57c/0xa04
    proc_reg_read_iter+0xe4/0x16c
    vfs_read+0x320/0x3ec
    ksys_read+0x90/0x154
    system_call_exception+0x120/0x310
    system_call_vectored_common+0x15c/0x2ec

 The Linux kernel CVE team has assigned CVE-2024-56678 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 5.13 with commit 90cbac0e995dd92f7bcf82f74aa50250bf194a4a and fixed in 5.15.174 with commit e0a470b5733c1fe068d5c58b0bb91ad539604bc6
 	Issue introduced in 5.13 with commit 90cbac0e995dd92f7bcf82f74aa50250bf194a4a and fixed in 6.1.120 with commit 4d2655754e94741b159aa807b72ea85518a65fd5
 	Issue introduced in 5.13 with commit 90cbac0e995dd92f7bcf82f74aa50250bf194a4a and fixed in 6.6.64 with commit 9ea8d8bf9b625e8ad3be6b0432aecdc549914121
 	Issue introduced in 5.13 with commit 90cbac0e995dd92f7bcf82f74aa50250bf194a4a and fixed in 6.11.11 with commit 7eaeb7a49b6d16640f9f3c9074c05175d74c710b
 	Issue introduced in 5.13 with commit 90cbac0e995dd92f7bcf82f74aa50250bf194a4a and fixed in 6.12.2 with commit 15f78d2c3d1452645bd8b9da909b0ca266f83c43
 	Issue introduced in 5.13 with commit 90cbac0e995dd92f7bcf82f74aa50250bf194a4a and fixed in 6.13 with commit 06dbbb4d5f7126b6307ab807cbf04ecfc459b933

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-56678
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	arch/powerpc/mm/fault.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/e0a470b5733c1fe068d5c58b0bb91ad539604bc6
 	https://git.kernel.org/stable/c/4d2655754e94741b159aa807b72ea85518a65fd5
 	https://git.kernel.org/stable/c/9ea8d8bf9b625e8ad3be6b0432aecdc549914121
 	https://git.kernel.org/stable/c/7eaeb7a49b6d16640f9f3c9074c05175d74c710b
 	https://git.kernel.org/stable/c/15f78d2c3d1452645bd8b9da909b0ca266f83c43
 	https://git.kernel.org/stable/c/06dbbb4d5f7126b6307ab807cbf04ecfc459b933
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-56678: powerpc/mm/fault: Fix kfence page fault reporting

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	powerpc/mm/fault: Fix kfence page fault reporting

	copy_from_kernel_nofault() can be called when doing read of /proc/kcore.
	/proc/kcore can have some unmapped kfence objects which when read via
	copy_from_kernel_nofault() can cause page faults. Since *_nofault()
	functions define their own fixup table for handling fault, use that
	instead of asking kfence to handle such faults.

	Hence we search the exception tables for the nip which generated the
	fault. If there is an entry then we let the fixup table handler handle the
	page fault by returning an error from within ___do_page_fault().

	This can be easily triggered if someone tries to do dd from /proc/kcore.
	eg. dd if=/proc/kcore of=/dev/null bs=1M

	Some example false negatives:

	===============================
	BUG: KFENCE: invalid read in copy_from_kernel_nofault+0x9c/0x1a0
	Invalid read at 0xc0000000fdff0000:
	copy_from_kernel_nofault+0x9c/0x1a0
	0xc00000000665f950
	read_kcore_iter+0x57c/0xa04
	proc_reg_read_iter+0xe4/0x16c
	vfs_read+0x320/0x3ec
	ksys_read+0x90/0x154
	system_call_exception+0x120/0x310
	system_call_vectored_common+0x15c/0x2ec

	BUG: KFENCE: use-after-free read in copy_from_kernel_nofault+0x9c/0x1a0
	Use-after-free read at 0xc0000000fe050000 (in kfence-#2):
	copy_from_kernel_nofault+0x9c/0x1a0
	0xc00000000665f950
	read_kcore_iter+0x57c/0xa04
	proc_reg_read_iter+0xe4/0x16c
	vfs_read+0x320/0x3ec
	ksys_read+0x90/0x154
	system_call_exception+0x120/0x310
	system_call_vectored_common+0x15c/0x2ec

	The Linux kernel CVE team has assigned CVE-2024-56678 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 5.13 with commit 90cbac0e995dd92f7bcf82f74aa50250bf194a4a and fixed in 5.15.174 with commit e0a470b5733c1fe068d5c58b0bb91ad539604bc6
	Issue introduced in 5.13 with commit 90cbac0e995dd92f7bcf82f74aa50250bf194a4a and fixed in 6.1.120 with commit 4d2655754e94741b159aa807b72ea85518a65fd5
	Issue introduced in 5.13 with commit 90cbac0e995dd92f7bcf82f74aa50250bf194a4a and fixed in 6.6.64 with commit 9ea8d8bf9b625e8ad3be6b0432aecdc549914121
	Issue introduced in 5.13 with commit 90cbac0e995dd92f7bcf82f74aa50250bf194a4a and fixed in 6.11.11 with commit 7eaeb7a49b6d16640f9f3c9074c05175d74c710b
	Issue introduced in 5.13 with commit 90cbac0e995dd92f7bcf82f74aa50250bf194a4a and fixed in 6.12.2 with commit 15f78d2c3d1452645bd8b9da909b0ca266f83c43
	Issue introduced in 5.13 with commit 90cbac0e995dd92f7bcf82f74aa50250bf194a4a and fixed in 6.13 with commit 06dbbb4d5f7126b6307ab807cbf04ecfc459b933

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-56678
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	arch/powerpc/mm/fault.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/e0a470b5733c1fe068d5c58b0bb91ad539604bc6
	https://git.kernel.org/stable/c/4d2655754e94741b159aa807b72ea85518a65fd5
	https://git.kernel.org/stable/c/9ea8d8bf9b625e8ad3be6b0432aecdc549914121
	https://git.kernel.org/stable/c/7eaeb7a49b6d16640f9f3c9074c05175d74c710b
	https://git.kernel.org/stable/c/15f78d2c3d1452645bd8b9da909b0ca266f83c43
	https://git.kernel.org/stable/c/06dbbb4d5f7126b6307ab807cbf04ecfc459b933