cve/published/2024/CVE-2024-26674.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-26674: x86/lib: Revert to _ASM_EXTABLE_UA() for {get,put}_user() fixups

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 x86/lib: Revert to _ASM_EXTABLE_UA() for {get,put}_user() fixups

 During memory error injection test on kernels >= v6.4, the kernel panics
 like below. However, this issue couldn't be reproduced on kernels <= v6.3.

   mce: [Hardware Error]: CPU 296: Machine Check Exception: f Bank 1: bd80000000100134
   mce: [Hardware Error]: RIP 10:<ffffffff821b9776> {__get_user_nocheck_4+0x6/0x20}
   mce: [Hardware Error]: TSC 411a93533ed ADDR 346a8730040 MISC 86
   mce: [Hardware Error]: PROCESSOR 0:a06d0 TIME 1706000767 SOCKET 1 APIC 211 microcode 80001490
   mce: [Hardware Error]: Run the above through 'mcelog --ascii'
   mce: [Hardware Error]: Machine check: Data load in unrecoverable area of kernel
   Kernel panic - not syncing: Fatal local machine check

 The MCA code can recover from an in-kernel #MC if the fixup type is
 EX_TYPE_UACCESS, explicitly indicating that the kernel is attempting to
 access userspace memory. However, if the fixup type is EX_TYPE_DEFAULT
 the only thing that is raised for an in-kernel #MC is a panic.

 ex_handler_uaccess() would warn if users gave a non-canonical addresses
 (with bit 63 clear) to {get, put}_user(), which was unexpected.

 Therefore, commit

   b19b74bc99b1 ("x86/mm: Rework address range check in get_user() and put_user()")

 replaced _ASM_EXTABLE_UA() with _ASM_EXTABLE() for {get, put}_user()
 fixups. However, the new fixup type EX_TYPE_DEFAULT results in a panic.

 Commit

   6014bc27561f ("x86-64: make access_ok() independent of LAM")

 added the check gp_fault_address_ok() right before the WARN_ONCE() in
 ex_handler_uaccess() to not warn about non-canonical user addresses due
 to LAM.

 With that in place, revert back to _ASM_EXTABLE_UA() for {get,put}_user()
 exception fixups in order to be able to handle in-kernel MCEs correctly
 again.

   [ bp: Massage commit message. ]

 The Linux kernel CVE team has assigned CVE-2024-26674 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.4 with commit b19b74bc99b1501a550f4448d04d59b946dc617a and fixed in 6.6.17 with commit 2aed1b6c33afd8599d01c6532bbecb829480a674
 	Issue introduced in 6.4 with commit b19b74bc99b1501a550f4448d04d59b946dc617a and fixed in 6.7.5 with commit 2da241c5ed78d0978228a1150735539fe1a60eca
 	Issue introduced in 6.4 with commit b19b74bc99b1501a550f4448d04d59b946dc617a and fixed in 6.8 with commit 8eed4e00a370b37b4e5985ed983dccedd555ea9d

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-26674
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	arch/x86/lib/getuser.S
 	arch/x86/lib/putuser.S


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/2aed1b6c33afd8599d01c6532bbecb829480a674
 	https://git.kernel.org/stable/c/2da241c5ed78d0978228a1150735539fe1a60eca
 	https://git.kernel.org/stable/c/8eed4e00a370b37b4e5985ed983dccedd555ea9d
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-26674: x86/lib: Revert to _ASM_EXTABLE_UA() for {get,put}_user() fixups

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	x86/lib: Revert to _ASM_EXTABLE_UA() for {get,put}_user() fixups

	During memory error injection test on kernels >= v6.4, the kernel panics
	like below. However, this issue couldn't be reproduced on kernels <= v6.3.

	mce: [Hardware Error]: CPU 296: Machine Check Exception: f Bank 1: bd80000000100134
	mce: [Hardware Error]: RIP 10:<ffffffff821b9776> {__get_user_nocheck_4+0x6/0x20}
	mce: [Hardware Error]: TSC 411a93533ed ADDR 346a8730040 MISC 86
	mce: [Hardware Error]: PROCESSOR 0:a06d0 TIME 1706000767 SOCKET 1 APIC 211 microcode 80001490
	mce: [Hardware Error]: Run the above through 'mcelog --ascii'
	mce: [Hardware Error]: Machine check: Data load in unrecoverable area of kernel
	Kernel panic - not syncing: Fatal local machine check

	The MCA code can recover from an in-kernel #MC if the fixup type is
	EX_TYPE_UACCESS, explicitly indicating that the kernel is attempting to
	access userspace memory. However, if the fixup type is EX_TYPE_DEFAULT
	the only thing that is raised for an in-kernel #MC is a panic.

	ex_handler_uaccess() would warn if users gave a non-canonical addresses
	(with bit 63 clear) to {get, put}_user(), which was unexpected.

	Therefore, commit

	b19b74bc99b1 ("x86/mm: Rework address range check in get_user() and put_user()")

	replaced _ASM_EXTABLE_UA() with _ASM_EXTABLE() for {get, put}_user()
	fixups. However, the new fixup type EX_TYPE_DEFAULT results in a panic.

	Commit

	6014bc27561f ("x86-64: make access_ok() independent of LAM")

	added the check gp_fault_address_ok() right before the WARN_ONCE() in
	ex_handler_uaccess() to not warn about non-canonical user addresses due
	to LAM.

	With that in place, revert back to _ASM_EXTABLE_UA() for {get,put}_user()
	exception fixups in order to be able to handle in-kernel MCEs correctly
	again.

	[ bp: Massage commit message. ]

	The Linux kernel CVE team has assigned CVE-2024-26674 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.4 with commit b19b74bc99b1501a550f4448d04d59b946dc617a and fixed in 6.6.17 with commit 2aed1b6c33afd8599d01c6532bbecb829480a674
	Issue introduced in 6.4 with commit b19b74bc99b1501a550f4448d04d59b946dc617a and fixed in 6.7.5 with commit 2da241c5ed78d0978228a1150735539fe1a60eca
	Issue introduced in 6.4 with commit b19b74bc99b1501a550f4448d04d59b946dc617a and fixed in 6.8 with commit 8eed4e00a370b37b4e5985ed983dccedd555ea9d

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-26674
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	arch/x86/lib/getuser.S
	arch/x86/lib/putuser.S


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/2aed1b6c33afd8599d01c6532bbecb829480a674
	https://git.kernel.org/stable/c/2da241c5ed78d0978228a1150735539fe1a60eca
	https://git.kernel.org/stable/c/8eed4e00a370b37b4e5985ed983dccedd555ea9d