CVE-2024-26674— x86/lib: Revert to _ASM_EXTABLE_UA() for {get,put}_user() fixups
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2024-26674
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
x86/lib: Revert to _ASM_EXTABLE_UA() for {get,put}_user() fixups
Source: NVD (National Vulnerability Database)
Vulnerability Description
In the Linux kernel, the following vulnerability has been resolved: x86/lib: Revert to _ASM_EXTABLE_UA() for {get,put}_user() fixups During memory error injection test on kernels >= v6.4, the kernel panics like below. However, this issue couldn't be reproduced on kernels <= v6.3. mce: [Hardware Error]: CPU 296: Machine Check Exception: f Bank 1: bd80000000100134 mce: [Hardware Error]: RIP 10:<ffffffff821b9776> {__get_user_nocheck_4+0x6/0x20} mce: [Hardware Error]: TSC 411a93533ed ADDR 346a8730040 MISC 86 mce: [Hardware Error]: PROCESSOR 0:a06d0 TIME 1706000767 SOCKET 1 APIC 211 microcode 80001490 mce: [Hardware Error]: Run the above through 'mcelog --ascii' mce: [Hardware Error]: Machine check: Data load in unrecoverable area of kernel Kernel panic - not syncing: Fatal local machine check The MCA code can recover from an in-kernel #MC if the fixup type is EX_TYPE_UACCESS, explicitly indicating that the kernel is attempting to access userspace memory. However, if the fixup type is EX_TYPE_DEFAULT the only thing that is raised for an in-kernel #MC is a panic. ex_handler_uaccess() would warn if users gave a non-canonical addresses (with bit 63 clear) to {get, put}_user(), which was unexpected. Therefore, commit b19b74bc99b1 ("x86/mm: Rework address range check in get_user() and put_user()") replaced _ASM_EXTABLE_UA() with _ASM_EXTABLE() for {get, put}_user() fixups. However, the new fixup type EX_TYPE_DEFAULT results in a panic. Commit 6014bc27561f ("x86-64: make access_ok() independent of LAM") added the check gp_fault_address_ok() right before the WARN_ONCE() in ex_handler_uaccess() to not warn about non-canonical user addresses due to LAM. With that in place, revert back to _ASM_EXTABLE_UA() for {get,put}_user() exception fixups in order to be able to handle in-kernel MCEs correctly again. [ bp: Massage commit message. ]
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Title
Linux kernel 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Linux kernel是美国Linux基金会的开源操作系统Linux所使用的内核。 Linux kernel存在安全漏洞,该漏洞源于 _ASM_EXTABLE_UA 存在安全漏洞。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2024-26674
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2024-26674
请登录查看更多情报信息。
Same Patch Batch · Linux · 2024-04-02 · 35 CVEs total
| CVE-2024-26677 | rxrpc: Fix delayed ACKs to not set the reference serial number | |
| CVE-2023-52634 | drm/amd/display: Fix disable_otg_wa logic | |
| CVE-2023-52635 | PM / devfreq: Synchronize devfreq_monitor_[start/stop] | |
| CVE-2024-26671 | blk-mq: fix IO hang from sbitmap wakeup race | |
| CVE-2024-26672 | drm/amdgpu: Fix variable 'mca_funcs' dereferenced before NULL check in 'amdgpu_mca_smu_get | |
| CVE-2024-26673 | netfilter: nft_ct: sanitize layer 3 and 4 protocol number in custom expectations | |
| CVE-2023-52636 | libceph: just wait for more data to be available on the socket | |
| CVE-2024-26675 | ppp_async: limit MRU to 64K | |
| CVE-2024-26676 | af_unix: Call kfree_skb() for dead unix_(sk)->oob_skb in GC. | |
| CVE-2023-52633 | um: time-travel: fix time corruption | |
| CVE-2024-26678 | x86/efistub: Use 1:1 file:memory mapping for PE/COFF .compat section | |
| CVE-2024-26679 | inet: read sk->sk_family once in inet_recv_error() | |
| CVE-2024-26680 | net: atlantic: Fix DMA mapping for PTP hwts ring | |
| CVE-2024-26681 | netdevsim: avoid potential loop in nsim_dev_trap_report_work() | |
| CVE-2024-26682 | wifi: mac80211: improve CSA/ECSA connection refusal | |
| CVE-2024-26683 | wifi: cfg80211: detect stuck ECSA element in probe resp | |
| CVE-2024-26684 | net: stmmac: xgmac: fix handling of DPP safety error for DMA channels | |
| CVE-2024-26664 | hwmon: (coretemp) Fix out-of-bounds memory access | |
| CVE-2024-26657 | drm/sched: fix null-ptr-deref in init entity | |
| CVE-2023-52631 | fs/ntfs3: Fix an NULL dereference bug |
Showing top 20 of 35 CVEs. View all on vendor page → →
IV. Related Vulnerabilities
Same product: Linux
- CVE-2026-43500
rxrpc: Also unshare DATA/RESPONSE packets when paged frags a - CVE-2026-43475
scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT - CVE-2026-43474
fs: init flags_valid before calling vfs_fileattr_get - CVE-2026-43473
scsi: mpi3mr: Add NULL checks when resetting request and rep - CVE-2026-43472
unshare: fix unshare_fs() handling
Same vendor: Linux
- CVE-2026-43500
rxrpc: Also unshare DATA/RESPONSE packets when paged frags a - CVE-2026-43475
scsi: storvsc: Fix scheduling while atomic on PREEMPT_RT - CVE-2026-43474
fs: init flags_valid before calling vfs_fileattr_get - CVE-2026-43473
scsi: mpi3mr: Add NULL checks when resetting request and rep - CVE-2026-43472
unshare: fix unshare_fs() handling
V. Comments for CVE-2024-26674
No comments yet