CVE-2024-56678

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
28/12/2024
Last modified:
24/03/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

powerpc/mm/fault: Fix kfence page fault reporting

copy_from_kernel_nofault() can be called when doing a read of /proc/kcore.
/proc/kcore can have some unmapped kfence objects which when read via
copy_from_kernel_nofault() can cause page faults. Since *_nofault()
functions define their own fixup table for handling faults, use that
instead of asking kfence to handle such faults.

Hence we search the exception tables for the nip which generated the
fault. If there is an entry then we let the fixup table handler handle the
page fault by returning an error from within ___do_page_fault().

This can be easily triggered if someone tries to do dd from /proc/kcore.
e.g. dd if=/proc/kcore of=/dev/null bs=1M

Some example false negatives:

===============================
BUG: KFENCE: invalid read in copy_from_kernel_nofault+0x9c/0x1a0
Invalid read at 0xc0000000fdff0000:
copy_from_kernel_nofault+0x9c/0x1a0
0xc00000000665f950
read_kcore_iter+0x57c/0xa04
proc_reg_read_iter+0xe4/0x16c
vfs_read+0x320/0x3ec
ksys_read+0x90/0x154
system_call_exception+0x120/0x310
system_call_vectored_common+0x15c/0x2ec

BUG: KFENCE: use-after-free read in copy_from_kernel_nofault+0x9c/0x1a0
Use-after-free read at 0xc0000000fe050000 (in kfence-#2):
copy_from_kernel_nofault+0x9c/0x1a0
0xc00000000665f950
read_kcore_iter+0x57c/0xa04
proc_reg_read_iter+0xe4/0x16c
vfs_read+0x320/0x3ec
ksys_read+0x90/0x154
system_call_exception+0x120/0x310
system_call_vectored_common+0x15c/0x2ec

Vulnerable products and versions

CPE                                            From (including)   Up to (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   5.13               5.15.174
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   5.16               6.1.120
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   6.2                6.6.64
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   6.7                6.11.11
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*   6.12               6.12.2
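Two checks a practitioner would want for this entry, written here as an added example; this is not code from the Linux kernel project or from this advisory. The first compares a release string in `uname -r` form against the affected ranges in the table above. The second scans kernel-log text for KFENCE reports whose faulting frame is copy_from_kernel_nofault and whose backtrace passes through read_kcore_iter, which is the shape of the misattributed reports quoted in the description. The sample log is constructed for this example from those two quoted reports plus a hypothetical unrelated report (`some_driver_fn`) that must not be counted; the dmesg-style timestamps are also made up.

```shell
#!/bin/sh
# Added example for CVE-2024-56678 (not kernel or advisory code).
# 1. kfence_kcore_affected: is a release string inside one of the affected
#    ranges listed in the table above?
# 2. kfence_kcore_report_count: how many KFENCE reports in a kernel log are
#    the misattributed /proc/kcore reads this bug produces?

# Strip everything from the first character that is not a digit or a dot,
# so "6.6.60-generic" becomes "6.6.60" and "6.12-rc3" becomes "6.12".
normver() {
    printf '%s\n' "$1" | sed 's/[^0-9.].*//'
}

# Compare two releases component by component (major.minor.patch) and
# echo lt, eq or gt. Padding with ".0.0" keeps cut(1) from echoing a
# whole delimiter-less line when a component is missing.
vercmp() {
    va="$(normver "$1").0.0"
    vb="$(normver "$2").0.0"
    i=1
    while [ "$i" -le 3 ]; do
        ca=$(printf '%s\n' "$va" | cut -d. -f"$i")
        cb=$(printf '%s\n' "$vb" | cut -d. -f"$i")
        ca=${ca:-0}; cb=${cb:-0}
        if [ "$ca" -lt "$cb" ]; then echo lt; return 0; fi
        if [ "$ca" -gt "$cb" ]; then echo gt; return 0; fi
        i=$((i + 1))
    done
    echo eq
}

# Affected ranges from the table above: from (including) / up to (excluding).
# Returns 0 when $1 lies in a range, 1 otherwise. Distribution kernels
# backport fixes without changing the version, so a hit is a prompt to
# check the distro advisory, not proof of exposure.
kfence_kcore_affected() {
    rel=$1
    set -- 5.13 5.15.174  5.16 6.1.120  6.2 6.6.64  6.7 6.11.11  6.12 6.12.2
    while [ $# -ge 2 ]; do
        if [ "$(vercmp "$rel" "$1")" != lt ] && [ "$(vercmp "$rel" "$2")" = lt ]; then
            return 0
        fi
        shift 2
    done
    return 1
}

# Count KFENCE reports in a log file ($1) whose faulting frame is
# copy_from_kernel_nofault and whose backtrace contains read_kcore_iter.
# A report runs from one "BUG: KFENCE:" line to the next, so dmesg
# timestamps and missing blank lines do not matter. Prints the count.
kfence_kcore_report_count() {
    awk '
        function finish_report() { if (inrep && kcore) n++; inrep = 0; kcore = 0 }
        /BUG: KFENCE:/ { finish_report(); inrep = ($0 ~ /in copy_from_kernel_nofault/) }
        inrep && /read_kcore_iter/ { kcore = 1 }
        END { finish_report(); print n + 0 }
    ' "$1"
}

# Constructed sample log (not captured from a real system): the two reports
# quoted in the description, trimmed, plus a hypothetical unrelated report.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
[   42.100001] BUG: KFENCE: invalid read in copy_from_kernel_nofault+0x9c/0x1a0
[   42.100002] Invalid read at 0xc0000000fdff0000:
[   42.100003]  copy_from_kernel_nofault+0x9c/0x1a0
[   42.100004]  read_kcore_iter+0x57c/0xa04
[   42.100005]  vfs_read+0x320/0x3ec
[   42.200001] BUG: KFENCE: use-after-free read in copy_from_kernel_nofault+0x9c/0x1a0
[   42.200002] Use-after-free read at 0xc0000000fe050000 (in kfence-#2):
[   42.200003]  copy_from_kernel_nofault+0x9c/0x1a0
[   42.200004]  read_kcore_iter+0x57c/0xa04
[   42.200005]  vfs_read+0x320/0x3ec
[   42.300001] BUG: KFENCE: out-of-bounds read in some_driver_fn+0x10/0x40
[   42.300002] Out-of-bounds read at 0xc0000000fe060000 (in kfence-#5):
[   42.300003]  some_driver_fn+0x10/0x40
[   42.300004]  vfs_read+0x320/0x3ec
EOF

# Usage: report on the running kernel and on the sample log.
if kfence_kcore_affected "$(uname -r)"; then
    echo "kernel $(uname -r) is inside an affected range (check distro backports)"
else
    echo "kernel $(uname -r) is outside the listed ranges"
fi
echo "misattributed KFENCE reports in sample log: $(kfence_kcore_report_count "$SAMPLE_LOG")"
```

On a real host, feed `dmesg` output or `/var/log/kern.log` to `kfence_kcore_report_count` instead of the sample file. Reports of this shape only appear on powerpc with CONFIG_KFENCE enabled after something read /proc/kcore (the description's `dd` command is enough); after the fix, the same read produces no KFENCE report. Because copy_from_kernel_nofault has its own fixup entry, a report attributed to it is the signature to look for, whereas KFENCE reports in other callers remain genuine findings.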