CVE-2024-26706

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> parisc: Fix random data corruption from exception handler<br /> <br /> The current exception handler implementation, which assists when accessing<br /> user space memory, may exhibit random data corruption if the compiler decides<br /> to use a different register than the specified register %r29 (defined in<br /> ASM_EXCEPTIONTABLE_REG) for the error code. If the compiler choose another<br /> register, the fault handler will nevertheless store -EFAULT into %r29 and thus<br /> trash whatever this register is used for.<br /> Looking at the assembly I found that this happens sometimes in emulate_ldd().<br /> <br /> To solve the issue, the easiest solution would be if it somehow is<br /> possible to tell the fault handler which register is used to hold the error<br /> code. Using %0 or %1 in the inline assembly is not posssible as it will show<br /> up as e.g. %r29 (with the "%r" prefix), which the GNU assembler can not<br /> convert to an integer.<br /> <br /> This patch takes another, better and more flexible approach:<br /> We extend the __ex_table (which is out of the execution path) by one 32-word.<br /> In this word we tell the compiler to insert the assembler instruction<br /> "or %r0,%r0,%reg", where %reg references the register which the compiler<br /> choosed for the error return code.<br /> In case of an access failure, the fault handler finds the __ex_table entry and<br /> can examine the opcode. The used register is encoded in the lowest 5 bits, and<br /> the fault handler can then store -EFAULT into this register.<br /> <br /> Since we extend the __ex_table to 3 words we can&amp;#39;t use the BUILDTIME_TABLE_SORT<br /> config option any longer.