CVE-2024-26706
N/A
Summary
In the Linux kernel, the following vulnerability has been resolved:
parisc: Fix random data corruption from exception handler
The current exception handler implementation, which assists when accessing user space memory, may exhibit random data corruption if the compiler decides to use a different register than the specified register %r29 (defined in ASM_EXCEPTIONTABLE_REG) for the error code. If the compiler choose another register, the fault handler will nevertheless store -EFAULT into %r29 and thus trash whatever this register is used for. Looking at the assembly I found that this happens sometimes in emulate_ldd().
To solve the issue, the easiest solution would be if it somehow is possible to tell the fault handler which register is used to hold the error code. Using %0 or %1 in the inline assembly is not posssible as it will show up as e.g. %r29 (with the "%r" prefix), which the GNU assembler can not convert to an integer.
This patch takes another, better and more flexible approach: We extend the __ex_table (which is out of the execution path) by one 32-word. In this word we tell the compiler to insert the assembler instruction "or %r0,%r0,%reg", where %reg references the register which the compiler choosed for the error return code. In case of an access failure, the fault handler finds the __ex_table entry and can examine the opcode. The used register is encoded in the lowest 5 bits, and the fault handler can then store -EFAULT into this register.
Since we extend the __ex_table to 3 words we can't use the BUILDTIME_TABLE_SORT config option any longer.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Linux | Linux | d19f5e41b344a057bb2450024a807476f30978d2 < 23027309b099ffc4efca5477009a11dccbdae592 | affected |
| Linux | Linux | d19f5e41b344a057bb2450024a807476f30978d2 < fa69a8063f8b27f3c7434a0d4f464a76a62f24d2 | affected |
| Linux | Linux | d19f5e41b344a057bb2450024a807476f30978d2 < ce31d79aa1f13a2345791f84935281a2c194e003 | affected |
| Linux | Linux | d19f5e41b344a057bb2450024a807476f30978d2 < 8b1d72395635af45410b66cc4c4ab37a12c4a831 | affected |
| Linux | Linux | 09b931fcb87c8aad178475a7db1d4bfc939f7faa | affected |
| Linux | Linux | 37e6234297379e0db25e39c2ca99776fea70026c | affected |
| Linux | Linux | 4.9.21 < 4.10 | affected |
| Linux | Linux | 4.10.9 < 4.11 | affected |
| Linux | Linux | 4.11 | affected |
| Linux | Linux | 0 < 4.11 | unaffected |
| Linux | Linux | 6.1.79 <= 6.1.* | unaffected |
| Linux | Linux | 6.6.18 <= 6.6.* | unaffected |
| Linux | Linux | 6.7.6 <= 6.7.* | unaffected |
| Linux | Linux | 6.8 <= * | unaffected |
Weaknesses
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
CVE Program Container
Additional References
- https://git.kernel.org/stable/c/23027309b099ffc4efca5477009a11dccbdae592
- https://git.kernel.org/stable/c/fa69a8063f8b27f3c7434a0d4f464a76a62f24d2
- https://git.kernel.org/stable/c/ce31d79aa1f13a2345791f84935281a2c194e003
- https://git.kernel.org/stable/c/8b1d72395635af45410b66cc4c4ab37a12c4a831
References
- https://git.kernel.org/stable/c/23027309b099ffc4efca5477009a11dccbdae592
- https://git.kernel.org/stable/c/fa69a8063f8b27f3c7434a0d4f464a76a62f24d2
- https://git.kernel.org/stable/c/ce31d79aa1f13a2345791f84935281a2c194e003
- https://git.kernel.org/stable/c/8b1d72395635af45410b66cc4c4ab37a12c4a831
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.