FKIE_CVE-2024-26906

Vulnerability from fkie_nvd - Published: 2024-04-17 11:15 - Updated: 2026-05-12 12:16
Severity
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved: x86/mm: Disallow vsyscall page read for copy_from_kernel_nofault() When trying to use copy_from_kernel_nofault() to read vsyscall page through a bpf program, the following oops was reported: BUG: unable to handle page fault for address: ffffffffff600000 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 3231067 P4D 3231067 PUD 3233067 PMD 3235067 PTE 0 Oops: 0000 [#1] PREEMPT SMP PTI CPU: 1 PID: 20390 Comm: test_progs ...... 6.7.0+ #58 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) ...... RIP: 0010:copy_from_kernel_nofault+0x6f/0x110 ...... Call Trace: <TASK> ? copy_from_kernel_nofault+0x6f/0x110 bpf_probe_read_kernel+0x1d/0x50 bpf_prog_2061065e56845f08_do_probe_read+0x51/0x8d trace_call_bpf+0xc5/0x1c0 perf_call_bpf_enter.isra.0+0x69/0xb0 perf_syscall_enter+0x13e/0x200 syscall_trace_enter+0x188/0x1c0 do_syscall_64+0xb5/0xe0 entry_SYSCALL_64_after_hwframe+0x6e/0x76 </TASK> ...... ---[ end trace 0000000000000000 ]--- The oops is triggered when: 1) A bpf program uses bpf_probe_read_kernel() to read from the vsyscall page and invokes copy_from_kernel_nofault() which in turn calls __get_user_asm(). 2) Because the vsyscall page address is not readable from kernel space, a page fault exception is triggered accordingly. 3) handle_page_fault() considers the vsyscall page address as a user space address instead of a kernel space address. This results in the fix-up setup by bpf not being applied and a page_fault_oops() is invoked due to SMAP. Considering handle_page_fault() has already considered the vsyscall page address as a userspace address, fix the problem by disallowing vsyscall page read for copy_from_kernel_nofault().
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/29bd6f86904682adafe9affbc7f79b14defcaff8Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/32019c659ecfe1d92e3bf9fcdfbb11a7c70acd58Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/57f78c46f08198e1be08ffe99c4c1ccc12855bf5Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/6e4694e65b6db4c3de125115dd4f55848cc48381Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/e8a67fe34b76a49320b33032228a794f40b0316bPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/f175de546a3eb77614d94d4c02550181c0a8493ePatch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/29bd6f86904682adafe9affbc7f79b14defcaff8Patch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/32019c659ecfe1d92e3bf9fcdfbb11a7c70acd58Patch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/57f78c46f08198e1be08ffe99c4c1ccc12855bf5Patch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/6e4694e65b6db4c3de125115dd4f55848cc48381Patch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/e8a67fe34b76a49320b33032228a794f40b0316bPatch
af854a3a-2127-422b-91ae-364da2661108https://git.kernel.org/stable/c/f175de546a3eb77614d94d4c02550181c0a8493ePatch
af854a3a-2127-422b-91ae-364da2661108https://lists.debian.org/debian-lts-announce/2024/06/msg00017.htmlThird Party Advisory
0b142b55-0307-4c5a-b3c9-f314f3fb7c5ehttps://cert-portal.siemens.com/productcert/html/ssa-265688.html
Impacted products
Vendor Product Version
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel 6.8
linux linux_kernel 6.8
linux linux_kernel 6.8
linux linux_kernel 6.8
linux linux_kernel 6.8
debian debian_linux 10.0
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "5CF6C589-38AC-4C84-BCF3-C55CB73D3EB7",
              "versionEndExcluding": "5.10.214",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "ACB69438-845D-4E3C-B114-3140611F9C0B",
              "versionEndExcluding": "5.15.153",
              "versionStartIncluding": "5.11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "121A07F6-F505-4C47-86BF-9BB6CC7B6C19",
              "versionEndExcluding": "6.1.83",
              "versionStartIncluding": "5.16",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "E00814DC-0BA7-431A-9926-80FEB4A96C68",
              "versionEndExcluding": "6.6.23",
              "versionStartIncluding": "6.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9B95D3A6-E162-47D5-ABFC-F3FA74FA7CFD",
              "versionEndExcluding": "6.7.11",
              "versionStartIncluding": "6.7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.8:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "B9F4EA73-0894-400F-A490-3A397AB7A517",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.8:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "056BD938-0A27-4569-B391-30578B309EE3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.8:rc3:*:*:*:*:*:*",
              "matchCriteriaId": "F02056A5-B362-4370-9FF8-6F0BD384D520",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.8:rc4:*:*:*:*:*:*",
              "matchCriteriaId": "62075ACE-B2A0-4B16-829D-B3DA5AE5CC41",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.8:rc5:*:*:*:*:*:*",
              "matchCriteriaId": "A780F817-2A77-4130-A9B7-5C25606314E3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/mm: Disallow vsyscall page read for copy_from_kernel_nofault()\n\nWhen trying to use copy_from_kernel_nofault() to read vsyscall page\nthrough a bpf program, the following oops was reported:\n\n  BUG: unable to handle page fault for address: ffffffffff600000\n  #PF: supervisor read access in kernel mode\n  #PF: error_code(0x0000) - not-present page\n  PGD 3231067 P4D 3231067 PUD 3233067 PMD 3235067 PTE 0\n  Oops: 0000 [#1] PREEMPT SMP PTI\n  CPU: 1 PID: 20390 Comm: test_progs ...... 6.7.0+ #58\n  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) ......\n  RIP: 0010:copy_from_kernel_nofault+0x6f/0x110\n  ......\n  Call Trace:\n   \u003cTASK\u003e\n   ? copy_from_kernel_nofault+0x6f/0x110\n   bpf_probe_read_kernel+0x1d/0x50\n   bpf_prog_2061065e56845f08_do_probe_read+0x51/0x8d\n   trace_call_bpf+0xc5/0x1c0\n   perf_call_bpf_enter.isra.0+0x69/0xb0\n   perf_syscall_enter+0x13e/0x200\n   syscall_trace_enter+0x188/0x1c0\n   do_syscall_64+0xb5/0xe0\n   entry_SYSCALL_64_after_hwframe+0x6e/0x76\n   \u003c/TASK\u003e\n  ......\n  ---[ end trace 0000000000000000 ]---\n\nThe oops is triggered when:\n\n1) A bpf program uses bpf_probe_read_kernel() to read from the vsyscall\npage and invokes copy_from_kernel_nofault() which in turn calls\n__get_user_asm().\n\n2) Because the vsyscall page address is not readable from kernel space,\na page fault exception is triggered accordingly.\n\n3) handle_page_fault() considers the vsyscall page address as a user\nspace address instead of a kernel space address. This results in the\nfix-up setup by bpf not being applied and a page_fault_oops() is invoked\ndue to SMAP.\n\nConsidering handle_page_fault() has already considered the vsyscall page\naddress as a userspace address, fix the problem by disallowing vsyscall\npage read for copy_from_kernel_nofault()."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: x86/mm: no permitir la lectura de la p\u00e1gina vsyscall para copy_from_kernel_nofault() Al intentar usar copy_from_kernel_nofault() para leer la p\u00e1gina vsyscall a trav\u00e9s de un programa bpf, se inform\u00f3 lo siguiente: ERROR: no se puede manejar el error de p\u00e1gina para la direcci\u00f3n: ffffffffff600000 #PF: acceso de lectura del supervisor en modo kernel #PF: error_code(0x0000) - p\u00e1gina no presente PGD 3231067 P4D 3231067 PUD 3233067 PMD 3235067 PTE 0 Ups: 0000 [#1] PREEMPT SMP PTI CPU: 1 PID: 20390 Comm: test_progs ...... 6.7.0+ #58 Nombre de hardware: PC est\u00e1ndar QEMU (i440FX + PIIX, 1996) ...... RIP: 0010:copy_from_kernel_nofault+0x6f/0x110... ... Seguimiento de llamadas: ? copy_from_kernel_nofault+0x6f/0x110 bpf_probe_read_kernel+0x1d/0x50 bpf_prog_2061065e56845f08_do_probe_read+0x51/0x8d trace_call_bpf+0xc5/0x1c0 perf_call_bpf_enter.isra.0+0x69/0xb 0 perf_syscall_enter+0x13e/0x200 syscall_trace_enter+0x188/0x1c0 do_syscall_64+0xb5/0xe0 Entry_SYSCALL_64_after_hwframe+0x6e/0x76 \u0026lt; /TASK\u0026gt; ...... ---[ end trace 0000000000000000 ]--- Ups se activa cuando: 1) Un programa bpf usa bpf_probe_read_kernel() para leer desde la p\u00e1gina vsyscall e invoca copy_from_kernel_nofault() que a su vez llama __get_user_asm(). 2) Debido a que la direcci\u00f3n de la p\u00e1gina vsyscall no se puede leer desde el espacio del kernel, se activa una excepci\u00f3n de error de p\u00e1gina en consecuencia. 3) handle_page_fault() considera la direcci\u00f3n de la p\u00e1gina vsyscall como una direcci\u00f3n de espacio de usuario en lugar de una direcci\u00f3n de espacio de kernel. Esto da como resultado que no se aplique la configuraci\u00f3n de reparaci\u00f3n mediante bpf y se invoque page_fault_oops() debido a SMAP. Teniendo en cuenta que handle_page_fault() ya ha considerado la direcci\u00f3n de la p\u00e1gina vsyscall como una direcci\u00f3n de espacio de usuario, solucione el problema no permitiendo la lectura de la p\u00e1gina vsyscall para copy_from_kernel_nofault()."
    }
  ],
  "id": "CVE-2024-26906",
  "lastModified": "2026-05-12T12:16:25.830",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-04-17T11:15:11.207",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/29bd6f86904682adafe9affbc7f79b14defcaff8"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/32019c659ecfe1d92e3bf9fcdfbb11a7c70acd58"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/57f78c46f08198e1be08ffe99c4c1ccc12855bf5"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/6e4694e65b6db4c3de125115dd4f55848cc48381"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/e8a67fe34b76a49320b33032228a794f40b0316b"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/f175de546a3eb77614d94d4c02550181c0a8493e"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/29bd6f86904682adafe9affbc7f79b14defcaff8"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/32019c659ecfe1d92e3bf9fcdfbb11a7c70acd58"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/57f78c46f08198e1be08ffe99c4c1ccc12855bf5"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/6e4694e65b6db4c3de125115dd4f55848cc48381"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/e8a67fe34b76a49320b33032228a794f40b0316b"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/f175de546a3eb77614d94d4c02550181c0a8493e"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"
    },
    {
      "source": "0b142b55-0307-4c5a-b3c9-f314f3fb7c5e",
      "url": "https://cert-portal.siemens.com/productcert/html/ssa-265688.html"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.