CVE-2024-26906 - Vulnerability Details

In the Linux kernel, the following vulnerability has been resolved: x86/mm: Disallow vsyscall page read for copy_from_kernel_nofault() When trying to use copy_from_kernel_nofault() to read vsyscall page through a bpf program, the following oops was reported: BUG: unable to handle page fault for address: ffffffffff600000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 3231067 P4D 3231067 PUD 3233067 PMD 3235067 PTE 0 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 1 PID: 20390 Comm: test_progs ...... 6.7.0+ #58 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) ...... RIP: 0010:copy_from_kernel_nofault+0x6f/0x110 ...... Call Trace: <TASK> ? copy_from_kernel_nofault+0x6f/0x110 bpf_probe_read_kernel+0x1d/0x50 bpf_prog_2061065e56845f08_do_probe_read+0x51/0x8d trace_call_bpf+0xc5/0x1c0 perf_call_bpf_enter.isra.0+0x69/0xb0 perf_syscall_enter+0x13e/0x200 syscall_trace_enter+0x188/0x1c0 do_syscall_64+0xb5/0xe0 entry_SYSCALL_64_after_hwframe+0x6e/0x76 </TASK> ...... ---[ end trace 0000000000000000 ]--- The oops is triggered when: 1) A bpf program uses bpf_probe_read_kernel() to read from the vsyscall page and invokes copy_from_kernel_nofault() which in turn calls __get_user_asm(). 2) Because the vsyscall page address is not readable from kernel space, a page fault exception is triggered accordingly. 3) handle_page_fault() considers the vsyscall page address as a user space address instead of a kernel space address. This results in the fix-up setup by bpf not being applied and a page_fault_oops() is invoked due to SMAP. Considering handle_page_fault() has already considered the vsyscall page address as a userspace address, fix the problem by disallowing vsyscall page read for copy_from_kernel_nofault().

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Redhat	Enterprise Linux Rhel Eus

No data.

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 8
kernel-rt-0:4.18.0-553.8.1.rt7.349.el8_10	cpe:/a:redhat:enterprise_linux:8::nfv	RHSA-2024:4352	2024-07-08T00:00:00Z
kernel-0:4.18.0-553.8.1.el8_10	cpe:/o:redhat:enterprise_linux:8	RHSA-2024:4211	2024-07-02T00:00:00Z
Red Hat Enterprise Linux 9
kernel-0:5.14.0-503.11.1.el9_5	cpe:/a:redhat:enterprise_linux:9	RHSA-2024:9315	2024-11-12T00:00:00Z
kernel-0:5.14.0-503.11.1.el9_5	cpe:/o:redhat:enterprise_linux:9	RHSA-2024:9315	2024-11-12T00:00:00Z
Red Hat Enterprise Linux 9.2 Extended Update Support
kernel-0:5.14.0-284.92.1.el9_2	cpe:/a:redhat:rhel_eus:9.2	RHSA-2024:9497	2024-11-13T00:00:00Z
kernel-rt-0:5.14.0-284.92.1.rt14.377.el9_2	cpe:/a:redhat:rhel_eus:9.2::nfv	RHSA-2024:9498	2024-11-13T00:00:00Z
Red Hat Enterprise Linux 9.4 Extended Update Support
kernel-0:5.14.0-427.44.1.el9_4	cpe:/a:redhat:rhel_eus:9.4	RHSA-2024:9546	2024-11-13T00:00:00Z

References

Link	Providers
https://git.kernel.org/stable/c/29bd6f86904682adafe9affbc7f79b14defcaff8
https://git.kernel.org/stable/c/32019c659ecfe1d92e3bf9fcdfbb11a7c70acd58
https://git.kernel.org/stable/c/57f78c46f08198e1be08ffe99c4c1ccc12855bf5
https://git.kernel.org/stable/c/6e4694e65b6db4c3de125115dd4f55848cc48381
https://git.kernel.org/stable/c/e8a67fe34b76a49320b33032228a794f40b0316b
https://git.kernel.org/stable/c/f175de546a3eb77614d94d4c02550181c0a8493e
https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html
https://lore.kernel.org/linux-cve-announce/2024041746-CVE-2024-26906-bb35@gregkh/T
https://nvd.nist.gov/vuln/detail/CVE-2024-26906
https://www.cve.org/CVERecord?id=CVE-2024-26906

History

Fri, 22 Nov 2024 12:00:00 +0000

Type	Values Removed	Values Added
References		https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html

Sat, 16 Nov 2024 03:00:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:rhel_eus:9.4

Wed, 13 Nov 2024 15:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Redhat rhel Eus
CPEs		cpe:/a:redhat:rhel_eus:9.2 cpe:/a:redhat:rhel_eus:9.2::nfv
Vendors & Products		Redhat rhel Eus

Wed, 13 Nov 2024 02:45:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:/a:redhat:enterprise_linux:9 cpe:/o:redhat:enterprise_linux:9

Tue, 05 Nov 2024 10:45:00 +0000

Type	Values Removed	Values Added
References	https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html

Wed, 11 Sep 2024 13:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: Linux

Published: 2024-04-17T10:27:53.573Z

Updated: 2025-05-04T08:59:19.712Z

Reserved: 2024-02-19T14:20:24.187Z

Link: CVE-2024-26906

Vulnrichment

Updated: 2024-08-02T00:21:05.490Z

NVD

Status : Awaiting Analysis

Published: 2024-04-17T11:15:11.207

Modified: 2024-11-21T09:03:21.097

Link: CVE-2024-26906

Redhat

Severity : Low

Publid Date: 2024-04-17T00:00:00Z

Links: CVE-2024-26906 - Bugzilla

{"dataType": "CVE_RECORD", "cveMetadata": {"cveId": "CVE-2024-26906", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-02-19T14:20:24.187Z", "datePublished": "2024-04-17T10:27:53.573Z", "dateUpdated": "2025-05-04T08:59:19.712Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T08:59:19.712Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/mm: Disallow vsyscall page read for copy_from_kernel_nofault()\n\nWhen trying to use copy_from_kernel_nofault() to read vsyscall page\nthrough a bpf program, the following oops was reported:\n\n BUG: unable to handle page fault for address: ffffffffff600000\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 3231067 P4D 3231067 PUD 3233067 PMD 3235067 PTE 0\n Oops: 0000 [#1] PREEMPT SMP PTI\n CPU: 1 PID: 20390 Comm: test_progs ...... 6.7.0+ #58\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) ......\n RIP: 0010:copy_from_kernel_nofault+0x6f/0x110\n ......\n Call Trace:\n <TASK>\n ? copy_from_kernel_nofault+0x6f/0x110\n bpf_probe_read_kernel+0x1d/0x50\n bpf_prog_2061065e56845f08_do_probe_read+0x51/0x8d\n trace_call_bpf+0xc5/0x1c0\n perf_call_bpf_enter.isra.0+0x69/0xb0\n perf_syscall_enter+0x13e/0x200\n syscall_trace_enter+0x188/0x1c0\n do_syscall_64+0xb5/0xe0\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n </TASK>\n ......\n ---[ end trace 0000000000000000 ]---\n\nThe oops is triggered when:\n\n1) A bpf program uses bpf_probe_read_kernel() to read from the vsyscall\npage and invokes copy_from_kernel_nofault() which in turn calls\n__get_user_asm().\n\n2) Because the vsyscall page address is not readable from kernel space,\na page fault exception is triggered accordingly.\n\n3) handle_page_fault() considers the vsyscall page address as a user\nspace address instead of a kernel space address. This results in the\nfix-up setup by bpf not being applied and a page_fault_oops() is invoked\ndue to SMAP.\n\nConsidering handle_page_fault() has already considered the vsyscall page\naddress as a userspace address, fix the problem by disallowing vsyscall\npage read for copy_from_kernel_nofault()."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["arch/x86/mm/maccess.c"], "versions": [{"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "6e4694e65b6db4c3de125115dd4f55848cc48381", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "e8a67fe34b76a49320b33032228a794f40b0316b", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "f175de546a3eb77614d94d4c02550181c0a8493e", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "57f78c46f08198e1be08ffe99c4c1ccc12855bf5", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "29bd6f86904682adafe9affbc7f79b14defcaff8", "status": "affected", "versionType": "git"}, {"version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "32019c659ecfe1d92e3bf9fcdfbb11a7c70acd58", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["arch/x86/mm/maccess.c"], "versions": [{"version": "5.10.214", "lessThanOrEqual": "5.10.*", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.153", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.83", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.23", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.7.11", "lessThanOrEqual": "6.7.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.8", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.10.214"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "5.15.153"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.1.83"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.6.23"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.7.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.8"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/6e4694e65b6db4c3de125115dd4f55848cc48381"}, {"url": "https://git.kernel.org/stable/c/e8a67fe34b76a49320b33032228a794f40b0316b"}, {"url": "https://git.kernel.org/stable/c/f175de546a3eb77614d94d4c02550181c0a8493e"}, {"url": "https://git.kernel.org/stable/c/57f78c46f08198e1be08ffe99c4c1ccc12855bf5"}, {"url": "https://git.kernel.org/stable/c/29bd6f86904682adafe9affbc7f79b14defcaff8"}, {"url": "https://git.kernel.org/stable/c/32019c659ecfe1d92e3bf9fcdfbb11a7c70acd58"}], "title": "x86/mm: Disallow vsyscall page read for copy_from_kernel_nofault()", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:21:05.490Z"}, "title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/6e4694e65b6db4c3de125115dd4f55848cc48381", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/e8a67fe34b76a49320b33032228a794f40b0316b", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/f175de546a3eb77614d94d4c02550181c0a8493e", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/57f78c46f08198e1be08ffe99c4c1ccc12855bf5", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/29bd6f86904682adafe9affbc7f79b14defcaff8", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/32019c659ecfe1d92e3bf9fcdfbb11a7c70acd58", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-26906", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T15:47:59.842385Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T17:33:22.186Z"}}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://git.kernel.org/stable/c/6e4694e65b6db4c3de125115dd4f55848cc48381", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/e8a67fe34b76a49320b33032228a794f40b0316b", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/f175de546a3eb77614d94d4c02550181c0a8493e", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/57f78c46f08198e1be08ffe99c4c1ccc12855bf5", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/29bd6f86904682adafe9affbc7f79b14defcaff8", "tags": ["x_transferred"]}, {"url": "https://git.kernel.org/stable/c/32019c659ecfe1d92e3bf9fcdfbb11a7c70acd58", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T00:21:05.490Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-26906", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-10T15:47:59.842385Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-11T12:42:16.360Z"}}], "cna": {"title": "x86/mm: Disallow vsyscall page read for copy_from_kernel_nofault()", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "6e4694e65b6db4c3de125115dd4f55848cc48381", "versionType": "git"}, {"status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "e8a67fe34b76a49320b33032228a794f40b0316b", "versionType": "git"}, {"status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "f175de546a3eb77614d94d4c02550181c0a8493e", "versionType": "git"}, {"status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "57f78c46f08198e1be08ffe99c4c1ccc12855bf5", "versionType": "git"}, {"status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "29bd6f86904682adafe9affbc7f79b14defcaff8", "versionType": "git"}, {"status": "affected", "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2", "lessThan": "32019c659ecfe1d92e3bf9fcdfbb11a7c70acd58", "versionType": "git"}], "programFiles": ["arch/x86/mm/maccess.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "unaffected", "version": "5.10.214", "versionType": "semver", "lessThanOrEqual": "5.10.*"}, {"status": "unaffected", "version": "5.15.153", "versionType": "semver", "lessThanOrEqual": "5.15.*"}, {"status": "unaffected", "version": "6.1.83", "versionType": "semver", "lessThanOrEqual": "6.1.*"}, {"status": "unaffected", "version": "6.6.23", "versionType": "semver", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.7.11", "versionType": "semver", "lessThanOrEqual": "6.7.*"}, {"status": "unaffected", "version": "6.8", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["arch/x86/mm/maccess.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/6e4694e65b6db4c3de125115dd4f55848cc48381"}, {"url": "https://git.kernel.org/stable/c/e8a67fe34b76a49320b33032228a794f40b0316b"}, {"url": "https://git.kernel.org/stable/c/f175de546a3eb77614d94d4c02550181c0a8493e"}, {"url": "https://git.kernel.org/stable/c/57f78c46f08198e1be08ffe99c4c1ccc12855bf5"}, {"url": "https://git.kernel.org/stable/c/29bd6f86904682adafe9affbc7f79b14defcaff8"}, {"url": "https://git.kernel.org/stable/c/32019c659ecfe1d92e3bf9fcdfbb11a7c70acd58"}], "x_generator": {"engine": "bippy-5f407fcff5a0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/mm: Disallow vsyscall page read for copy_from_kernel_nofault()\n\nWhen trying to use copy_from_kernel_nofault() to read vsyscall page\nthrough a bpf program, the following oops was reported:\n\n BUG: unable to handle page fault for address: ffffffffff600000\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 3231067 P4D 3231067 PUD 3233067 PMD 3235067 PTE 0\n Oops: 0000 [#1] PREEMPT SMP PTI\n CPU: 1 PID: 20390 Comm: test_progs ...... 6.7.0+ #58\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) ......\n RIP: 0010:copy_from_kernel_nofault+0x6f/0x110\n ......\n Call Trace:\n <TASK>\n ? copy_from_kernel_nofault+0x6f/0x110\n bpf_probe_read_kernel+0x1d/0x50\n bpf_prog_2061065e56845f08_do_probe_read+0x51/0x8d\n trace_call_bpf+0xc5/0x1c0\n perf_call_bpf_enter.isra.0+0x69/0xb0\n perf_syscall_enter+0x13e/0x200\n syscall_trace_enter+0x188/0x1c0\n do_syscall_64+0xb5/0xe0\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n </TASK>\n ......\n ---[ end trace 0000000000000000 ]---\n\nThe oops is triggered when:\n\n1) A bpf program uses bpf_probe_read_kernel() to read from the vsyscall\npage and invokes copy_from_kernel_nofault() which in turn calls\n__get_user_asm().\n\n2) Because the vsyscall page address is not readable from kernel space,\na page fault exception is triggered accordingly.\n\n3) handle_page_fault() considers the vsyscall page address as a user\nspace address instead of a kernel space address. This results in the\nfix-up setup by bpf not being applied and a page_fault_oops() is invoked\ndue to SMAP.\n\nConsidering handle_page_fault() has already considered the vsyscall page\naddress as a userspace address, fix the problem by disallowing vsyscall\npage read for copy_from_kernel_nofault()."}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2024-12-19T08:49:52.787Z"}}}, "cveMetadata": {"cveId": "CVE-2024-26906", "state": "PUBLISHED", "dateUpdated": "2024-12-19T08:49:52.787Z", "dateReserved": "2024-02-19T14:20:24.187Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-04-17T10:27:53.573Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/mm: Disallow vsyscall page read for copy_from_kernel_nofault()\n\nWhen trying to use copy_from_kernel_nofault() to read vsyscall page\nthrough a bpf program, the following oops was reported:\n\n BUG: unable to handle page fault for address: ffffffffff600000\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 3231067 P4D 3231067 PUD 3233067 PMD 3235067 PTE 0\n Oops: 0000 [#1] PREEMPT SMP PTI\n CPU: 1 PID: 20390 Comm: test_progs ...... 6.7.0+ #58\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) ......\n RIP: 0010:copy_from_kernel_nofault+0x6f/0x110\n ......\n Call Trace:\n <TASK>\n ? copy_from_kernel_nofault+0x6f/0x110\n bpf_probe_read_kernel+0x1d/0x50\n bpf_prog_2061065e56845f08_do_probe_read+0x51/0x8d\n trace_call_bpf+0xc5/0x1c0\n perf_call_bpf_enter.isra.0+0x69/0xb0\n perf_syscall_enter+0x13e/0x200\n syscall_trace_enter+0x188/0x1c0\n do_syscall_64+0xb5/0xe0\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n </TASK>\n ......\n ---[ end trace 0000000000000000 ]---\n\nThe oops is triggered when:\n\n1) A bpf program uses bpf_probe_read_kernel() to read from the vsyscall\npage and invokes copy_from_kernel_nofault() which in turn calls\n__get_user_asm().\n\n2) Because the vsyscall page address is not readable from kernel space,\na page fault exception is triggered accordingly.\n\n3) handle_page_fault() considers the vsyscall page address as a user\nspace address instead of a kernel space address. This results in the\nfix-up setup by bpf not being applied and a page_fault_oops() is invoked\ndue to SMAP.\n\nConsidering handle_page_fault() has already considered the vsyscall page\naddress as a userspace address, fix the problem by disallowing vsyscall\npage read for copy_from_kernel_nofault()."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: x86/mm: no permitir la lectura de la p\u00e1gina vsyscall para copy_from_kernel_nofault() Al intentar usar copy_from_kernel_nofault() para leer la p\u00e1gina vsyscall a trav\u00e9s de un programa bpf, se inform\u00f3 lo siguiente: ERROR: no se puede manejar el error de p\u00e1gina para la direcci\u00f3n: ffffffffff600000 #PF: acceso de lectura del supervisor en modo kernel #PF: error_code(0x0000) - p\u00e1gina no presente PGD 3231067 P4D 3231067 PUD 3233067 PMD 3235067 PTE 0 Ups: 0000 [#1] PREEMPT SMP PTI CPU: 1 PID: 20390 Comm: test_progs ...... 6.7.0+ #58 Nombre de hardware: PC est\u00e1ndar QEMU (i440FX + PIIX, 1996) ...... RIP: 0010:copy_from_kernel_nofault+0x6f/0x110... ... Seguimiento de llamadas: ? copy_from_kernel_nofault+0x6f/0x110 bpf_probe_read_kernel+0x1d/0x50 bpf_prog_2061065e56845f08_do_probe_read+0x51/0x8d trace_call_bpf+0xc5/0x1c0 perf_call_bpf_enter.isra.0+0x69/0xb 0 perf_syscall_enter+0x13e/0x200 syscall_trace_enter+0x188/0x1c0 do_syscall_64+0xb5/0xe0 Entry_SYSCALL_64_after_hwframe+0x6e/0x76 < /TASK> ...... ---[ end trace 0000000000000000 ]--- Ups se activa cuando: 1) Un programa bpf usa bpf_probe_read_kernel() para leer desde la p\u00e1gina vsyscall e invoca copy_from_kernel_nofault() que a su vez llama __get_user_asm(). 2) Debido a que la direcci\u00f3n de la p\u00e1gina vsyscall no se puede leer desde el espacio del kernel, se activa una excepci\u00f3n de error de p\u00e1gina en consecuencia. 3) handle_page_fault() considera la direcci\u00f3n de la p\u00e1gina vsyscall como una direcci\u00f3n de espacio de usuario en lugar de una direcci\u00f3n de espacio de kernel. Esto da como resultado que no se aplique la configuraci\u00f3n de reparaci\u00f3n mediante bpf y se invoque page_fault_oops() debido a SMAP. Teniendo en cuenta que handle_page_fault() ya ha considerado la direcci\u00f3n de la p\u00e1gina vsyscall como una direcci\u00f3n de espacio de usuario, solucione el problema no permitiendo la lectura de la p\u00e1gina vsyscall para copy_from_kernel_nofault()."}], "id": "CVE-2024-26906", "lastModified": "2024-11-21T09:03:21.097", "metrics": {}, "published": "2024-04-17T11:15:11.207", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/29bd6f86904682adafe9affbc7f79b14defcaff8"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/32019c659ecfe1d92e3bf9fcdfbb11a7c70acd58"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/57f78c46f08198e1be08ffe99c4c1ccc12855bf5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/6e4694e65b6db4c3de125115dd4f55848cc48381"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e8a67fe34b76a49320b33032228a794f40b0316b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/f175de546a3eb77614d94d4c02550181c0a8493e"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/29bd6f86904682adafe9affbc7f79b14defcaff8"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/32019c659ecfe1d92e3bf9fcdfbb11a7c70acd58"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/57f78c46f08198e1be08ffe99c4c1ccc12855bf5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/6e4694e65b6db4c3de125115dd4f55848cc48381"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/e8a67fe34b76a49320b33032228a794f40b0316b"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://git.kernel.org/stable/c/f175de546a3eb77614d94d4c02550181c0a8493e"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"affected_release": [{"advisory": "RHSA-2024:4352", "cpe": "cpe:/a:redhat:enterprise_linux:8::nfv", "package": "kernel-rt-0:4.18.0-553.8.1.rt7.349.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-07-08T00:00:00Z"}, {"advisory": "RHSA-2024:4211", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "kernel-0:4.18.0-553.8.1.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-07-02T00:00:00Z"}, {"advisory": "RHSA-2024:9315", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-503.11.1.el9_5", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-11-12T00:00:00Z"}, {"advisory": "RHSA-2024:9315", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "kernel-0:5.14.0-503.11.1.el9_5", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2024-11-12T00:00:00Z"}, {"advisory": "RHSA-2024:9497", "cpe": "cpe:/a:redhat:rhel_eus:9.2", "package": "kernel-0:5.14.0-284.92.1.el9_2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-11-13T00:00:00Z"}, {"advisory": "RHSA-2024:9498", "cpe": "cpe:/a:redhat:rhel_eus:9.2::nfv", "package": "kernel-rt-0:5.14.0-284.92.1.rt14.377.el9_2", "product_name": "Red Hat Enterprise Linux 9.2 Extended Update Support", "release_date": "2024-11-13T00:00:00Z"}, {"advisory": "RHSA-2024:9546", "cpe": "cpe:/a:redhat:rhel_eus:9.4", "package": "kernel-0:5.14.0-427.44.1.el9_4", "product_name": "Red Hat Enterprise Linux 9.4 Extended Update Support", "release_date": "2024-11-13T00:00:00Z"}], "bugzilla": {"description": "kernel: x86/mm: Disallow vsyscall page read for copy_from_kernel_nofault()", "id": "2275635", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2275635"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-20", "details": ["In the Linux kernel, the following vulnerability has been resolved:\nx86/mm: Disallow vsyscall page read for copy_from_kernel_nofault()\nWhen trying to use copy_from_kernel_nofault() to read vsyscall page\nthrough a bpf program, the following oops was reported:\nBUG: unable to handle page fault for address: ffffffffff600000\n#PF: supervisor read access in kernel mode\n#PF: error_code(0x0000) - not-present page\nPGD 3231067 P4D 3231067 PUD 3233067 PMD 3235067 PTE 0\nOops: 0000 [#1] PREEMPT SMP PTI\nCPU: 1 PID: 20390 Comm: test_progs ...... 6.7.0+ #58\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996) ......\nRIP: 0010:copy_from_kernel_nofault+0x6f/0x110\n......\nCall Trace:\n<TASK>\n? copy_from_kernel_nofault+0x6f/0x110\nbpf_probe_read_kernel+0x1d/0x50\nbpf_prog_2061065e56845f08_do_probe_read+0x51/0x8d\ntrace_call_bpf+0xc5/0x1c0\nperf_call_bpf_enter.isra.0+0x69/0xb0\nperf_syscall_enter+0x13e/0x200\nsyscall_trace_enter+0x188/0x1c0\ndo_syscall_64+0xb5/0xe0\nentry_SYSCALL_64_after_hwframe+0x6e/0x76\n</TASK>\n......\n---[ end trace 0000000000000000 ]---\nThe oops is triggered when:\n1) A bpf program uses bpf_probe_read_kernel() to read from the vsyscall\npage and invokes copy_from_kernel_nofault() which in turn calls\n__get_user_asm().\n2) Because the vsyscall page address is not readable from kernel space,\na page fault exception is triggered accordingly.\n3) handle_page_fault() considers the vsyscall page address as a user\nspace address instead of a kernel space address. This results in the\nfix-up setup by bpf not being applied and a page_fault_oops() is invoked\ndue to SMAP.\nConsidering handle_page_fault() has already considered the vsyscall page\naddress as a userspace address, fix the problem by disallowing vsyscall\npage read for copy_from_kernel_nofault()."], "name": "CVE-2024-26906", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-04-17T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-26906\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-26906\nhttps://lore.kernel.org/linux-cve-announce/2024041746-CVE-2024-26906-bb35@gregkh/T"], "threat_severity": "Low"}

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object