{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-26674","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-02-19T14:20:24.151Z","datePublished":"2024-04-02T07:01:39.114Z","dateUpdated":"2025-05-04T08:53:40.911Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T08:53:40.911Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nx86/lib: Revert to _ASM_EXTABLE_UA() for {get,put}_user() fixups\n\nDuring memory error injection test on kernels >= v6.4, the kernel panics\nlike below. However, this issue couldn't be reproduced on kernels <= v6.3.\n\n  mce: [Hardware Error]: CPU 296: Machine Check Exception: f Bank 1: bd80000000100134\n  mce: [Hardware Error]: RIP 10:<ffffffff821b9776> {__get_user_nocheck_4+0x6/0x20}\n  mce: [Hardware Error]: TSC 411a93533ed ADDR 346a8730040 MISC 86\n  mce: [Hardware Error]: PROCESSOR 0:a06d0 TIME 1706000767 SOCKET 1 APIC 211 microcode 80001490\n  mce: [Hardware Error]: Run the above through 'mcelog --ascii'\n  mce: [Hardware Error]: Machine check: Data load in unrecoverable area of kernel\n  Kernel panic - not syncing: Fatal local machine check\n\nThe MCA code can recover from an in-kernel #MC if the fixup type is\nEX_TYPE_UACCESS, explicitly indicating that the kernel is attempting to\naccess userspace memory. However, if the fixup type is EX_TYPE_DEFAULT\nthe only thing that is raised for an in-kernel #MC is a panic.\n\nex_handler_uaccess() would warn if users gave a non-canonical addresses\n(with bit 63 clear) to {get, put}_user(), which was unexpected.\n\nTherefore, commit\n\n  b19b74bc99b1 (\"x86/mm: Rework address range check in get_user() and put_user()\")\n\nreplaced _ASM_EXTABLE_UA() with _ASM_EXTABLE() for {get, put}_user()\nfixups. However, the new fixup type EX_TYPE_DEFAULT results in a panic.\n\nCommit\n\n  6014bc27561f (\"x86-64: make access_ok() independent of LAM\")\n\nadded the check gp_fault_address_ok() right before the WARN_ONCE() in\nex_handler_uaccess() to not warn about non-canonical user addresses due\nto LAM.\n\nWith that in place, revert back to _ASM_EXTABLE_UA() for {get,put}_user()\nexception fixups in order to be able to handle in-kernel MCEs correctly\nagain.\n\n  [ bp: Massage commit message. ]"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["arch/x86/lib/getuser.S","arch/x86/lib/putuser.S"],"versions":[{"version":"b19b74bc99b1501a550f4448d04d59b946dc617a","lessThan":"2aed1b6c33afd8599d01c6532bbecb829480a674","status":"affected","versionType":"git"},{"version":"b19b74bc99b1501a550f4448d04d59b946dc617a","lessThan":"2da241c5ed78d0978228a1150735539fe1a60eca","status":"affected","versionType":"git"},{"version":"b19b74bc99b1501a550f4448d04d59b946dc617a","lessThan":"8eed4e00a370b37b4e5985ed983dccedd555ea9d","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["arch/x86/lib/getuser.S","arch/x86/lib/putuser.S"],"versions":[{"version":"6.4","status":"affected"},{"version":"0","lessThan":"6.4","status":"unaffected","versionType":"semver"},{"version":"6.6.17","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.7.5","lessThanOrEqual":"6.7.*","status":"unaffected","versionType":"semver"},{"version":"6.8","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.4","versionEndExcluding":"6.6.17"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.4","versionEndExcluding":"6.7.5"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"6.4","versionEndExcluding":"6.8"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/2aed1b6c33afd8599d01c6532bbecb829480a674"},{"url":"https://git.kernel.org/stable/c/2da241c5ed78d0978228a1150735539fe1a60eca"},{"url":"https://git.kernel.org/stable/c/8eed4e00a370b37b4e5985ed983dccedd555ea9d"}],"title":"x86/lib: Revert to _ASM_EXTABLE_UA() for {get,put}_user() fixups","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2024-26674","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2024-04-02T12:41:02.015400Z"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-07-05T17:21:22.719Z"}},{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-02T00:14:12.563Z"},"title":"CVE Program Container","references":[{"url":"https://git.kernel.org/stable/c/2aed1b6c33afd8599d01c6532bbecb829480a674","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/2da241c5ed78d0978228a1150735539fe1a60eca","tags":["x_transferred"]},{"url":"https://git.kernel.org/stable/c/8eed4e00a370b37b4e5985ed983dccedd555ea9d","tags":["x_transferred"]}]}]}}