cve/published/2024/CVE-2024-26906.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-26906: x86/mm: Disallow vsyscall page read for copy_from_kernel_nofault()

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 x86/mm: Disallow vsyscall page read for copy_from_kernel_nofault()

 When trying to use copy_from_kernel_nofault() to read vsyscall page
 through a bpf program, the following oops was reported:

   BUG: unable to handle page fault for address: ffffffffff600000
   #PF: supervisor read access in kernel mode
   #PF: error_code(0x0000) - not-present page
   PGD 3231067 P4D 3231067 PUD 3233067 PMD 3235067 PTE 0
   Oops: 0000 [#1] PREEMPT SMP PTI
   CPU: 1 PID: 20390 Comm: test_progs ...... 6.7.0+ #58
   Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) ......
   RIP: 0010:copy_from_kernel_nofault+0x6f/0x110
   ......
   Call Trace:
    <TASK>
    ? copy_from_kernel_nofault+0x6f/0x110
    bpf_probe_read_kernel+0x1d/0x50
    bpf_prog_2061065e56845f08_do_probe_read+0x51/0x8d
    trace_call_bpf+0xc5/0x1c0
    perf_call_bpf_enter.isra.0+0x69/0xb0
    perf_syscall_enter+0x13e/0x200
    syscall_trace_enter+0x188/0x1c0
    do_syscall_64+0xb5/0xe0
    entry_SYSCALL_64_after_hwframe+0x6e/0x76
    </TASK>
   ......
   ---[ end trace 0000000000000000 ]---

 The oops is triggered when:

 1) A bpf program uses bpf_probe_read_kernel() to read from the vsyscall
 page and invokes copy_from_kernel_nofault() which in turn calls
 __get_user_asm().

 2) Because the vsyscall page address is not readable from kernel space,
 a page fault exception is triggered accordingly.

 3) handle_page_fault() considers the vsyscall page address as a user
 space address instead of a kernel space address. This results in the
 fix-up setup by bpf not being applied and a page_fault_oops() is invoked
 due to SMAP.

 Considering handle_page_fault() has already considered the vsyscall page
 address as a userspace address, fix the problem by disallowing vsyscall
 page read for copy_from_kernel_nofault().

 The Linux kernel CVE team has assigned CVE-2024-26906 to this issue.


 Affected and fixed versions
 ===========================

 	Fixed in 5.10.214 with commit 6e4694e65b6db4c3de125115dd4f55848cc48381
 	Fixed in 5.15.153 with commit e8a67fe34b76a49320b33032228a794f40b0316b
 	Fixed in 6.1.83 with commit f175de546a3eb77614d94d4c02550181c0a8493e
 	Fixed in 6.6.23 with commit 57f78c46f08198e1be08ffe99c4c1ccc12855bf5
 	Fixed in 6.7.11 with commit 29bd6f86904682adafe9affbc7f79b14defcaff8
 	Fixed in 6.8 with commit 32019c659ecfe1d92e3bf9fcdfbb11a7c70acd58

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-26906
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	arch/x86/mm/maccess.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/6e4694e65b6db4c3de125115dd4f55848cc48381
 	https://git.kernel.org/stable/c/e8a67fe34b76a49320b33032228a794f40b0316b
 	https://git.kernel.org/stable/c/f175de546a3eb77614d94d4c02550181c0a8493e
 	https://git.kernel.org/stable/c/57f78c46f08198e1be08ffe99c4c1ccc12855bf5
 	https://git.kernel.org/stable/c/29bd6f86904682adafe9affbc7f79b14defcaff8
 	https://git.kernel.org/stable/c/32019c659ecfe1d92e3bf9fcdfbb11a7c70acd58
	From bippy-5f407fcff5a0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-26906: x86/mm: Disallow vsyscall page read for copy_from_kernel_nofault()

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	x86/mm: Disallow vsyscall page read for copy_from_kernel_nofault()

	When trying to use copy_from_kernel_nofault() to read vsyscall page
	through a bpf program, the following oops was reported:

	BUG: unable to handle page fault for address: ffffffffff600000
	#PF: supervisor read access in kernel mode
	#PF: error_code(0x0000) - not-present page
	PGD 3231067 P4D 3231067 PUD 3233067 PMD 3235067 PTE 0
	Oops: 0000 [#1] PREEMPT SMP PTI
	CPU: 1 PID: 20390 Comm: test_progs ...... 6.7.0+ #58
	Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) ......
	RIP: 0010:copy_from_kernel_nofault+0x6f/0x110
	......
	Call Trace:
	<TASK>
	? copy_from_kernel_nofault+0x6f/0x110
	bpf_probe_read_kernel+0x1d/0x50
	bpf_prog_2061065e56845f08_do_probe_read+0x51/0x8d
	trace_call_bpf+0xc5/0x1c0
	perf_call_bpf_enter.isra.0+0x69/0xb0
	perf_syscall_enter+0x13e/0x200
	syscall_trace_enter+0x188/0x1c0
	do_syscall_64+0xb5/0xe0
	entry_SYSCALL_64_after_hwframe+0x6e/0x76
	</TASK>
	......
	---[ end trace 0000000000000000 ]---

	The oops is triggered when:

	1) A bpf program uses bpf_probe_read_kernel() to read from the vsyscall
	page and invokes copy_from_kernel_nofault() which in turn calls
	__get_user_asm().

	2) Because the vsyscall page address is not readable from kernel space,
	a page fault exception is triggered accordingly.

	3) handle_page_fault() considers the vsyscall page address as a user
	space address instead of a kernel space address. This results in the
	fix-up setup by bpf not being applied and a page_fault_oops() is invoked
	due to SMAP.

	Considering handle_page_fault() has already considered the vsyscall page
	address as a userspace address, fix the problem by disallowing vsyscall
	page read for copy_from_kernel_nofault().

	The Linux kernel CVE team has assigned CVE-2024-26906 to this issue.


	Affected and fixed versions
	===========================

	Fixed in 5.10.214 with commit 6e4694e65b6db4c3de125115dd4f55848cc48381
	Fixed in 5.15.153 with commit e8a67fe34b76a49320b33032228a794f40b0316b
	Fixed in 6.1.83 with commit f175de546a3eb77614d94d4c02550181c0a8493e
	Fixed in 6.6.23 with commit 57f78c46f08198e1be08ffe99c4c1ccc12855bf5
	Fixed in 6.7.11 with commit 29bd6f86904682adafe9affbc7f79b14defcaff8
	Fixed in 6.8 with commit 32019c659ecfe1d92e3bf9fcdfbb11a7c70acd58

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-26906
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	arch/x86/mm/maccess.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/6e4694e65b6db4c3de125115dd4f55848cc48381
	https://git.kernel.org/stable/c/e8a67fe34b76a49320b33032228a794f40b0316b
	https://git.kernel.org/stable/c/f175de546a3eb77614d94d4c02550181c0a8493e
	https://git.kernel.org/stable/c/57f78c46f08198e1be08ffe99c4c1ccc12855bf5
	https://git.kernel.org/stable/c/29bd6f86904682adafe9affbc7f79b14defcaff8
	https://git.kernel.org/stable/c/32019c659ecfe1d92e3bf9fcdfbb11a7c70acd58