fkie_cve-2024-56678
Vulnerability from fkie_nvd
Published
2024-12-28 10:15
Modified
2025-03-24 17:32
Severity ?
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved: powerpc/mm/fault: Fix kfence page fault reporting copy_from_kernel_nofault() can be called when doing read of /proc/kcore. /proc/kcore can have some unmapped kfence objects which when read via copy_from_kernel_nofault() can cause page faults. Since *_nofault() functions define their own fixup table for handling fault, use that instead of asking kfence to handle such faults. Hence we search the exception tables for the nip which generated the fault. If there is an entry then we let the fixup table handler handle the page fault by returning an error from within ___do_page_fault(). This can be easily triggered if someone tries to do dd from /proc/kcore. eg. dd if=/proc/kcore of=/dev/null bs=1M Some example false negatives: =============================== BUG: KFENCE: invalid read in copy_from_kernel_nofault+0x9c/0x1a0 Invalid read at 0xc0000000fdff0000: copy_from_kernel_nofault+0x9c/0x1a0 0xc00000000665f950 read_kcore_iter+0x57c/0xa04 proc_reg_read_iter+0xe4/0x16c vfs_read+0x320/0x3ec ksys_read+0x90/0x154 system_call_exception+0x120/0x310 system_call_vectored_common+0x15c/0x2ec BUG: KFENCE: use-after-free read in copy_from_kernel_nofault+0x9c/0x1a0 Use-after-free read at 0xc0000000fe050000 (in kfence-#2): copy_from_kernel_nofault+0x9c/0x1a0 0xc00000000665f950 read_kcore_iter+0x57c/0xa04 proc_reg_read_iter+0xe4/0x16c vfs_read+0x320/0x3ec ksys_read+0x90/0x154 system_call_exception+0x120/0x310 system_call_vectored_common+0x15c/0x2ec
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/06dbbb4d5f7126b6307ab807cbf04ecfc459b933Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/15f78d2c3d1452645bd8b9da909b0ca266f83c43Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/4d2655754e94741b159aa807b72ea85518a65fd5Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/7eaeb7a49b6d16640f9f3c9074c05175d74c710bPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/9ea8d8bf9b625e8ad3be6b0432aecdc549914121Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/e0a470b5733c1fe068d5c58b0bb91ad539604bc6Patch
Impacted products
Vendor Product Version
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *


To clipboard 

{
   configurations: [
      {
         nodes: [
            {
               cpeMatch: [
                  {
                     criteria: "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "98AAB746-8653-4FD8-9B39-61F09957759F",
                     versionEndExcluding: "5.15.174",
                     versionStartIncluding: "5.13",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "09AC6122-E2A4-40FE-9D33-268A1B2EC265",
                     versionEndExcluding: "6.1.120",
                     versionStartIncluding: "5.16",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "CA16DEE3-ABEC-4449-9F4A-7A3DC4FC36C7",
                     versionEndExcluding: "6.6.64",
                     versionStartIncluding: "6.2",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "21434379-192D-472F-9B54-D45E3650E893",
                     versionEndExcluding: "6.11.11",
                     versionStartIncluding: "6.7",
                     vulnerable: true,
                  },
                  {
                     criteria: "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                     matchCriteriaId: "D8882B1B-2ABC-4838-AC1D-DBDBB5764776",
                     versionEndExcluding: "6.12.2",
                     versionStartIncluding: "6.12",
                     vulnerable: true,
                  },
               ],
               negate: false,
               operator: "OR",
            },
         ],
      },
   ],
   cveTags: [],
   descriptions: [
      {
         lang: "en",
         value: "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/mm/fault: Fix kfence page fault reporting\n\ncopy_from_kernel_nofault() can be called when doing read of /proc/kcore.\n/proc/kcore can have some unmapped kfence objects which when read via\ncopy_from_kernel_nofault() can cause page faults. Since *_nofault()\nfunctions define their own fixup table for handling fault, use that\ninstead of asking kfence to handle such faults.\n\nHence we search the exception tables for the nip which generated the\nfault. If there is an entry then we let the fixup table handler handle the\npage fault by returning an error from within ___do_page_fault().\n\nThis can be easily triggered if someone tries to do dd from /proc/kcore.\neg. dd if=/proc/kcore of=/dev/null bs=1M\n\nSome example false negatives:\n\n  ===============================\n  BUG: KFENCE: invalid read in copy_from_kernel_nofault+0x9c/0x1a0\n  Invalid read at 0xc0000000fdff0000:\n   copy_from_kernel_nofault+0x9c/0x1a0\n   0xc00000000665f950\n   read_kcore_iter+0x57c/0xa04\n   proc_reg_read_iter+0xe4/0x16c\n   vfs_read+0x320/0x3ec\n   ksys_read+0x90/0x154\n   system_call_exception+0x120/0x310\n   system_call_vectored_common+0x15c/0x2ec\n\n  BUG: KFENCE: use-after-free read in copy_from_kernel_nofault+0x9c/0x1a0\n  Use-after-free read at 0xc0000000fe050000 (in kfence-#2):\n   copy_from_kernel_nofault+0x9c/0x1a0\n   0xc00000000665f950\n   read_kcore_iter+0x57c/0xa04\n   proc_reg_read_iter+0xe4/0x16c\n   vfs_read+0x320/0x3ec\n   ksys_read+0x90/0x154\n   system_call_exception+0x120/0x310\n   system_call_vectored_common+0x15c/0x2ec",
      },
      {
         lang: "es",
         value: "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: powerpc/mm/fault: Arreglar el informe de fallos de página de kfence. Se puede llamar a copy_from_kernel_nofault() al realizar una lectura de /proc/kcore. /proc/kcore puede tener algunos objetos kfence no mapeados que, cuando se leen mediante copy_from_kernel_nofault(), pueden causar fallos de página. Dado que las funciones *_nofault() definen su propia tabla de correcciones para gestionar los fallos, utilícela en lugar de pedirle a kfence que se encargue de dichos fallos. Por lo tanto, buscamos en las tablas de excepciones el nip que generó el fallo. Si hay una entrada, dejamos que el controlador de la tabla de correcciones se encargue del fallo de página devolviendo un error desde dentro de ___do_page_fault(). Esto se puede activar fácilmente si alguien intenta hacer dd desde /proc/kcore. p. ej. dd if=/proc/kcore of=/dev/null bs=1M Algunos ejemplos de falsos negativos: ================================ ERROR: KFENCE: lectura no válida en copy_from_kernel_nofault+0x9c/0x1a0 Lectura no válida en 0xc0000000fdff0000: copy_from_kernel_nofault+0x9c/0x1a0 0xc00000000665f950 read_kcore_iter+0x57c/0xa04 proc_reg_read_iter+0xe4/0x16c vfs_read+0x320/0x3ec ksys_read+0x90/0x154 system_call_exception+0x120/0x310 ERROR: KFENCE: lectura de use-after-free en copy_from_kernel_nofault+0x9c/0x1a0 Lectura de use-after-free en 0xc0000000fe050000 (en kfence-#2): copy_from_kernel_nofault+0x9c/0x1a0 0xc00000000665f950 read_kcore_iter+0x57c/0xa04 proc_reg_read_iter+0xe4/0x16c vfs_read+0x320/0x3ec ksys_read+0x90/0x154 system_call_exception+0x120/0x310 system_call_vectored_common+0x15c/0x2ec",
      },
   ],
   id: "CVE-2024-56678",
   lastModified: "2025-03-24T17:32:09.777",
   metrics: {
      cvssMetricV31: [
         {
            cvssData: {
               attackComplexity: "LOW",
               attackVector: "LOCAL",
               availabilityImpact: "HIGH",
               baseScore: 7.8,
               baseSeverity: "HIGH",
               confidentialityImpact: "HIGH",
               integrityImpact: "HIGH",
               privilegesRequired: "LOW",
               scope: "UNCHANGED",
               userInteraction: "NONE",
               vectorString: "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
               version: "3.1",
            },
            exploitabilityScore: 1.8,
            impactScore: 5.9,
            source: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
            type: "Secondary",
         },
      ],
   },
   published: "2024-12-28T10:15:08.797",
   references: [
      {
         source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
         tags: [
            "Patch",
         ],
         url: "https://git.kernel.org/stable/c/06dbbb4d5f7126b6307ab807cbf04ecfc459b933",
      },
      {
         source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
         tags: [
            "Patch",
         ],
         url: "https://git.kernel.org/stable/c/15f78d2c3d1452645bd8b9da909b0ca266f83c43",
      },
      {
         source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
         tags: [
            "Patch",
         ],
         url: "https://git.kernel.org/stable/c/4d2655754e94741b159aa807b72ea85518a65fd5",
      },
      {
         source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
         tags: [
            "Patch",
         ],
         url: "https://git.kernel.org/stable/c/7eaeb7a49b6d16640f9f3c9074c05175d74c710b",
      },
      {
         source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
         tags: [
            "Patch",
         ],
         url: "https://git.kernel.org/stable/c/9ea8d8bf9b625e8ad3be6b0432aecdc549914121",
      },
      {
         source: "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
         tags: [
            "Patch",
         ],
         url: "https://git.kernel.org/stable/c/e0a470b5733c1fe068d5c58b0bb91ad539604bc6",
      },
   ],
   sourceIdentifier: "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
   vulnStatus: "Analyzed",
   weaknesses: [
      {
         description: [
            {
               lang: "en",
               value: "CWE-416",
            },
         ],
         source: "134c704f-9b21-4f2e-91b3-4a467353bcc0",
         type: "Secondary",
      },
   ],
}


Log in or create an account to share your comment.

Security Advisory comment format.

This schema specifies the format of a comment related to a security advisory.

UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).



Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.