Message-ID: <2024122832-CVE-2024-56678-977d@gregkh>
Date: Sat, 28 Dec 2024 10:45:30 +0100
From: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
To: linux-cve-announce@...r.kernel.org
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: CVE-2024-56678: powerpc/mm/fault: Fix kfence page fault reporting

Description
===========

In the Linux kernel, the following vulnerability has been resolved:

powerpc/mm/fault: Fix kfence page fault reporting

copy_from_kernel_nofault() can be called when doing a read of /proc/kcore.
/proc/kcore can have some unmapped kfence objects which, when read via
copy_from_kernel_nofault(), can cause page faults. Since *_nofault()
functions define their own fixup table for handling faults, use that
instead of asking kfence to handle such faults.

Hence we search the exception tables for the nip which generated the
fault. If there is an entry then we let the fixup table handler handle the
page fault by returning an error from within ___do_page_fault().

This can be easily triggered if someone tries to do dd from /proc/kcore,
e.g. dd if=/proc/kcore of=/dev/null bs=1M
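The decision the fix adds to ___do_page_fault() is easy to see in isolation. The following is an added user-space model, not the kernel's own code from arch/powerpc/mm/fault.c: a sorted exception table is searched for the faulting instruction address (the nip), and only when no fixup entry exists is the fault handed to KFENCE. The table contents, the instruction and fixup addresses, and the kfence_object_unmapped() stand-in are constructed for illustration (the unmapped range is chosen to cover the two addresses from the reports in this advisory); in the kernel the real search_exception_tables() and kfence_handle_page_fault() play these roles.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EFAULT 14

/* One exception-table entry: if the instruction at `insn` faults, execution
 * resumes at `fixup`, which makes the *_nofault() accessor return an error. */
struct exception_table_entry {
	uint64_t insn;
	uint64_t fixup;
};

/* Constructed table (hypothetical addresses), sorted by insn as the real
 * __ex_table is after the build-time sort. */
static const struct exception_table_entry ex_table[] = {
	{ 0xc000000000101000ULL, 0xc000000000101f00ULL }, /* load in a *_nofault() helper */
	{ 0xc000000000202010ULL, 0xc000000000202f00ULL },
	{ 0xc000000000303040ULL, 0xc000000000303f00ULL },
};
#define EX_TABLE_LEN (sizeof(ex_table) / sizeof(ex_table[0]))

/* Binary search for the faulting instruction address (the nip on powerpc). */
const struct exception_table_entry *search_exception_tables(uint64_t nip)
{
	size_t lo = 0, hi = EX_TABLE_LEN;

	while (lo < hi) {
		size_t mid = lo + (hi - lo) / 2;

		if (ex_table[mid].insn == nip)
			return &ex_table[mid];
		if (ex_table[mid].insn < nip)
			lo = mid + 1;
		else
			hi = mid;
	}
	return NULL;
}

enum fault_outcome {
	FAULT_NONE,    /* address is mapped; nothing to report */
	FAULT_FIXUP,   /* accessor's own fixup handles it; no KFENCE report */
	FAULT_KFENCE,  /* genuine stray access into an unmapped KFENCE object */
};

/* Stand-in for the KFENCE pool check: a constructed range treated as
 * unmapped KFENCE objects (covers the addresses quoted in the reports). */
static int kfence_object_unmapped(uint64_t addr)
{
	return addr >= 0xc0000000fdff0000ULL && addr < 0xc0000000fe100000ULL;
}

/* Model of the fixed ___do_page_fault() decision: before handing a kernel
 * fault on a KFENCE address to KFENCE, check whether the faulting nip has a
 * fixup entry. If it does, return an error so the fixup path runs instead. */
enum fault_outcome do_page_fault_model(uint64_t nip, uint64_t addr, int *err)
{
	*err = 0;
	if (!kfence_object_unmapped(addr))
		return FAULT_NONE;
	if (search_exception_tables(nip)) {
		*err = -EFAULT;
		return FAULT_FIXUP;
	}
	return FAULT_KFENCE;
}

int main(void)
{
	int err;
	/* read_kcore_iter -> copy_from_kernel_nofault hitting an unmapped KFENCE page */
	enum fault_outcome o = do_page_fault_model(0xc000000000101000ULL,
						  0xc0000000fdff0000ULL, &err);
	printf("nofault accessor: outcome=%d err=%d\n", o, err);
	/* the same kind of address touched by code with no fixup entry: a real bug */
	o = do_page_fault_model(0xc000000000101004ULL, 0xc0000000fe050000ULL, &err);
	printf("plain access:     outcome=%d err=%d\n", o, err);
	return 0;
}
```

The first call models the /proc/kcore read from the advisory: the accessor has a fixup entry, so the fault becomes an -EFAULT return and no KFENCE report is emitted. The second call has no matching entry, so the fault still reaches KFENCE, which is the behaviour the fix must preserve for real stray accesses.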

Some example false negatives:

  ===============================
  BUG: KFENCE: invalid read in copy_from_kernel_nofault+0x9c/0x1a0
  Invalid read at 0xc0000000fdff0000:
   copy_from_kernel_nofault+0x9c/0x1a0
   0xc00000000665f950
   read_kcore_iter+0x57c/0xa04
   proc_reg_read_iter+0xe4/0x16c
   vfs_read+0x320/0x3ec
   ksys_read+0x90/0x154
   system_call_exception+0x120/0x310
   system_call_vectored_common+0x15c/0x2ec

  BUG: KFENCE: use-after-free read in copy_from_kernel_nofault+0x9c/0x1a0
  Use-after-free read at 0xc0000000fe050000 (in kfence-#2):
   copy_from_kernel_nofault+0x9c/0x1a0
   0xc00000000665f950
   read_kcore_iter+0x57c/0xa04
   proc_reg_read_iter+0xe4/0x16c
   vfs_read+0x320/0x3ec
   ksys_read+0x90/0x154
   system_call_exception+0x120/0x310
   system_call_vectored_common+0x15c/0x2ec

The Linux kernel CVE team has assigned CVE-2024-56678 to this issue.


Affected and fixed versions
===========================

	Issue introduced in 5.13 with commit 90cbac0e995dd92f7bcf82f74aa50250bf194a4a and fixed in 5.15.174 with commit e0a470b5733c1fe068d5c58b0bb91ad539604bc6
	Issue introduced in 5.13 with commit 90cbac0e995dd92f7bcf82f74aa50250bf194a4a and fixed in 6.1.120 with commit 4d2655754e94741b159aa807b72ea85518a65fd5
	Issue introduced in 5.13 with commit 90cbac0e995dd92f7bcf82f74aa50250bf194a4a and fixed in 6.6.64 with commit 9ea8d8bf9b625e8ad3be6b0432aecdc549914121
	Issue introduced in 5.13 with commit 90cbac0e995dd92f7bcf82f74aa50250bf194a4a and fixed in 6.11.11 with commit 7eaeb7a49b6d16640f9f3c9074c05175d74c710b
	Issue introduced in 5.13 with commit 90cbac0e995dd92f7bcf82f74aa50250bf194a4a and fixed in 6.12.2 with commit 15f78d2c3d1452645bd8b9da909b0ca266f83c43
	Issue introduced in 5.13 with commit 90cbac0e995dd92f7bcf82f74aa50250bf194a4a and fixed in 6.13-rc1 with commit 06dbbb4d5f7126b6307ab807cbf04ecfc459b933

Please see https://www.kernel.org for a full list of currently supported
kernel versions by the kernel community.

Unaffected versions might change over time as fixes are backported to
older supported kernel versions.  The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-56678
will be updated if fixes are backported, please check that for the most
up to date information about this issue.


Affected files
==============

The file(s) affected by this issue are:
	arch/powerpc/mm/fault.c


Mitigation
==========

The Linux kernel CVE team recommends that you update to the latest
stable kernel version for this, and many other bugfixes.  Individual
changes are never tested alone, but rather are part of a larger kernel
release.  Cherry-picking individual commits is not recommended or
supported by the Linux kernel community at all.  If however, updating to
the latest release is impossible, the individual changes to resolve this
issue can be found at these commits:
	https://git.kernel.org/stable/c/e0a470b5733c1fe068d5c58b0bb91ad539604bc6
	https://git.kernel.org/stable/c/4d2655754e94741b159aa807b72ea85518a65fd5
	https://git.kernel.org/stable/c/9ea8d8bf9b625e8ad3be6b0432aecdc549914121
	https://git.kernel.org/stable/c/7eaeb7a49b6d16640f9f3c9074c05175d74c710b
	https://git.kernel.org/stable/c/15f78d2c3d1452645bd8b9da909b0ca266f83c43
	https://git.kernel.org/stable/c/06dbbb4d5f7126b6307ab807cbf04ecfc459b933
