In the Linux kernel, the following vulnerability has been resolved:
x86/lib: Revert to ASMEXTABLEUA() for {get,put}user() fixups
During memory error injection test on kernels >= v6.4, the kernel panics like below. However, this issue couldn't be reproduced on kernels <= v6.3.
mce: [Hardware Error]: CPU 296: Machine Check Exception: f Bank 1: bd80000000100134 mce: [Hardware Error]: RIP 10:<ffffffff821b9776> {_getusernocheck4+0x6/0x20} mce: [Hardware Error]: TSC 411a93533ed ADDR 346a8730040 MISC 86 mce: [Hardware Error]: PROCESSOR 0:a06d0 TIME 1706000767 SOCKET 1 APIC 211 microcode 80001490 mce: [Hardware Error]: Run the above through 'mcelog --ascii' mce: [Hardware Error]: Machine check: Data load in unrecoverable area of kernel Kernel panic - not syncing: Fatal local machine check
The MCA code can recover from an in-kernel #MC if the fixup type is EXTYPEUACCESS, explicitly indicating that the kernel is attempting to access userspace memory. However, if the fixup type is EXTYPEDEFAULT the only thing that is raised for an in-kernel #MC is a panic.
exhandleruaccess() would warn if users gave a non-canonical addresses (with bit 63 clear) to {get, put}_user(), which was unexpected.
Therefore, commit
b19b74bc99b1 ("x86/mm: Rework address range check in getuser() and putuser()")
replaced ASMEXTABLEUA() with _ASMEXTABLE() for {get, put}user() fixups. However, the new fixup type EXTYPE_DEFAULT results in a panic.
Commit
6014bc27561f ("x86-64: make access_ok() independent of LAM")
added the check gpfaultaddressok() right before the WARNONCE() in exhandleruaccess() to not warn about non-canonical user addresses due to LAM.
With that in place, revert back to ASMEXTABLEUA() for {get,put}user() exception fixups in order to be able to handle in-kernel MCEs correctly again.
[ bp: Massage commit message. ]