CVE-2024-26746

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-26746
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-26746.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-26746
Downstream
Published
2024-04-04T08:20:13Z
Modified
2025-10-21T18:17:05.619565Z
Summary
dmaengine: idxd: Ensure safe user copy of completion record
Details

In the Linux kernel, the following vulnerability has been resolved:

dmaengine: idxd: Ensure safe user copy of completion record

If CONFIGHARDENEDUSERCOPY is enabled, copying completion record from event log cache to user triggers a kernel bug.

[ 1987.159822] usercopy: Kernel memory exposure attempt detected from SLUB object 'dsa0' (offset 74, size 31)! [ 1987.170845] ------------[ cut here ]------------ [ 1987.176086] kernel BUG at mm/usercopy.c:102! [ 1987.180946] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI [ 1987.186866] CPU: 17 PID: 528 Comm: kworker/17:1 Not tainted 6.8.0-rc2+ #5 [ 1987.194537] Hardware name: Intel Corporation AvenueCity/AvenueCity, BIOS BHSDCRB1.86B.2492.D03.2307181620 07/18/2023 [ 1987.206405] Workqueue: wq0.0 idxdevlfaultwork [idxd] [ 1987.212338] RIP: 0010:usercopyabort+0x72/0x90 [ 1987.217381] Code: 58 65 9c 50 48 c7 c2 17 85 61 9c 57 48 c7 c7 98 fd 6b 9c 48 0f 44 d6 48 c7 c6 b3 08 62 9c 4c 89 d1 49 0f 44 f3 e8 1e 2e d5 ff <0f> 0b 49 c7 c1 9e 42 61 9c 4c 89 cf 4d 89 c8 eb a9 66 66 2e 0f 1f [ 1987.238505] RSP: 0018:ff62f5cf20607d60 EFLAGS: 00010246 [ 1987.244423] RAX: 000000000000005f RBX: 000000000000001f RCX: 0000000000000000 [ 1987.252480] RDX: 0000000000000000 RSI: ffffffff9c61429e RDI: 00000000ffffffff [ 1987.260538] RBP: ff62f5cf20607d78 R08: ff2a6a89ef3fffe8 R09: 00000000fffeffff [ 1987.268595] R10: ff2a6a89eed00000 R11: 0000000000000003 R12: ff2a66934849c89a [ 1987.276652] R13: 0000000000000001 R14: ff2a66934849c8b9 R15: ff2a66934849c899 [ 1987.284710] FS: 0000000000000000(0000) GS:ff2a66b22fe40000(0000) knlGS:0000000000000000 [ 1987.293850] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 1987.300355] CR2: 00007fe291a37000 CR3: 000000010fbd4005 CR4: 0000000000f71ef0 [ 1987.308413] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 1987.316470] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 [ 1987.324527] PKRU: 55555554 [ 1987.327622] Call Trace: [ 1987.330424] <TASK> [ 1987.332826] ? showregs+0x6e/0x80 [ 1987.336703] ? die+0x3c/0xa0 [ 1987.339988] ? dotrap+0xd4/0xf0 [ 1987.343662] ? doerrortrap+0x75/0xa0 [ 1987.347922] ? usercopyabort+0x72/0x90 [ 1987.352277] ? excinvalidop+0x57/0x80 [ 1987.356634] ? usercopyabort+0x72/0x90 [ 1987.360988] ? asmexcinvalidop+0x1f/0x30 [ 1987.365734] ? usercopyabort+0x72/0x90 [ 1987.370088] _checkheapobject+0xb7/0xd0 [ 1987.374739] _checkobjectsize+0x175/0x2d0 [ 1987.379588] idxdcopycr+0xa9/0x130 [idxd] [ 1987.384341] idxdevlfaultwork+0x127/0x390 [idxd] [ 1987.389878] processonework+0x13e/0x300 [ 1987.394435] ? _pfxworkerthread+0x10/0x10 [ 1987.399284] workerthread+0x2f7/0x420 [ 1987.403544] ? _rawspinunlockirqrestore+0x2b/0x50 [ 1987.409171] ? _pfxworkerthread+0x10/0x10 [ 1987.414019] kthread+0x107/0x140 [ 1987.417693] ? _pfxkthread+0x10/0x10 [ 1987.421954] retfromfork+0x3d/0x60 [ 1987.426019] ? _pfxkthread+0x10/0x10 [ 1987.430281] retfromforkasm+0x1b/0x30 [ 1987.434744] </TASK>

The issue arises because event log cache is created using kmemcachecreate() which is not suitable for user copy.

Fix the issue by creating event log cache with kmemcachecreate_usercopy(), ensuring safe user copy.

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
c2f156bf168fb42cd6ecd0a8e2204dbe542b8516
Fixed
5e3022ea42e490a36ec6f2cfa6fc603deb0bace4
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
c2f156bf168fb42cd6ecd0a8e2204dbe542b8516
Fixed
bb71e040323175e18c233a9afef32ba14fa64eb7
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
c2f156bf168fb42cd6ecd0a8e2204dbe542b8516
Fixed
d3ea125df37dc37972d581b74a5d3785c3f283ab

Affected versions

v6.*

v6.3
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.4
v6.4-rc1
v6.4-rc2
v6.4-rc3
v6.4-rc4
v6.4-rc5
v6.4-rc6
v6.4-rc7
v6.5
v6.5-rc1
v6.5-rc2
v6.5-rc3
v6.5-rc4
v6.5-rc5
v6.5-rc6
v6.5-rc7
v6.6
v6.6-rc1
v6.6-rc2
v6.6-rc3
v6.6-rc4
v6.6-rc5
v6.6-rc6
v6.6-rc7
v6.6.1
v6.6.10
v6.6.11
v6.6.12
v6.6.13
v6.6.14
v6.6.15
v6.6.16
v6.6.17
v6.6.18
v6.6.19
v6.6.2
v6.6.20
v6.6.3
v6.6.4
v6.6.5
v6.6.6
v6.6.7
v6.6.8
v6.6.9
v6.7
v6.7-rc1
v6.7-rc2
v6.7-rc3
v6.7-rc4
v6.7-rc5
v6.7-rc6
v6.7-rc7
v6.7-rc8
v6.7.1
v6.7.2
v6.7.3
v6.7.4
v6.7.5
v6.7.6
v6.7.7
v6.7.8
v6.8-rc1
v6.8-rc2
v6.8-rc3

Database specific

vanir_signatures

[
    {
        "signature_type": "Function",
        "digest": {
            "function_hash": "57322367627099980828634209050331564739",
            "length": 543.0
        },
        "target": {
            "file": "drivers/dma/idxd/init.c",
            "function": "idxd_init_evl"
        },
        "signature_version": "v1",
        "id": "CVE-2024-26746-5a964ad4",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d3ea125df37dc37972d581b74a5d3785c3f283ab"
    },
    {
        "signature_type": "Function",
        "digest": {
            "function_hash": "57322367627099980828634209050331564739",
            "length": 543.0
        },
        "target": {
            "file": "drivers/dma/idxd/init.c",
            "function": "idxd_init_evl"
        },
        "signature_version": "v1",
        "id": "CVE-2024-26746-92aac3b2",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5e3022ea42e490a36ec6f2cfa6fc603deb0bace4"
    },
    {
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "45366986318708395973655548138483785185",
                "220803545593068855576977891417277434351",
                "83160022782379768693451037663986788741",
                "68615086940505189283707428092507588190",
                "179155774717882457022309769735435506088",
                "324977823170707645256724103872891335313",
                "169915248908986914956130940171710725641",
                "277425176908590821143091467621492842791",
                "106216304011562671914290631494337065856",
                "170816569559290302719326410053109575121",
                "41618999376758504840263379661427082643"
            ]
        },
        "target": {
            "file": "drivers/dma/idxd/init.c"
        },
        "signature_version": "v1",
        "id": "CVE-2024-26746-ba100208",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@5e3022ea42e490a36ec6f2cfa6fc603deb0bace4"
    },
    {
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "45366986318708395973655548138483785185",
                "220803545593068855576977891417277434351",
                "83160022782379768693451037663986788741",
                "68615086940505189283707428092507588190",
                "179155774717882457022309769735435506088",
                "324977823170707645256724103872891335313",
                "169915248908986914956130940171710725641",
                "277425176908590821143091467621492842791",
                "106216304011562671914290631494337065856",
                "170816569559290302719326410053109575121",
                "41618999376758504840263379661427082643"
            ]
        },
        "target": {
            "file": "drivers/dma/idxd/init.c"
        },
        "signature_version": "v1",
        "id": "CVE-2024-26746-c3883636",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@d3ea125df37dc37972d581b74a5d3785c3f283ab"
    },
    {
        "signature_type": "Line",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "45366986318708395973655548138483785185",
                "220803545593068855576977891417277434351",
                "83160022782379768693451037663986788741",
                "68615086940505189283707428092507588190",
                "179155774717882457022309769735435506088",
                "324977823170707645256724103872891335313",
                "169915248908986914956130940171710725641",
                "277425176908590821143091467621492842791",
                "106216304011562671914290631494337065856",
                "170816569559290302719326410053109575121",
                "41618999376758504840263379661427082643"
            ]
        },
        "target": {
            "file": "drivers/dma/idxd/init.c"
        },
        "signature_version": "v1",
        "id": "CVE-2024-26746-eccf7c8f",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@bb71e040323175e18c233a9afef32ba14fa64eb7"
    },
    {
        "signature_type": "Function",
        "digest": {
            "function_hash": "57322367627099980828634209050331564739",
            "length": 543.0
        },
        "target": {
            "file": "drivers/dma/idxd/init.c",
            "function": "idxd_init_evl"
        },
        "signature_version": "v1",
        "id": "CVE-2024-26746-edc5c85a",
        "deprecated": false,
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@bb71e040323175e18c233a9afef32ba14fa64eb7"
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.4.0
Fixed
6.6.21
Type
ECOSYSTEM
Events
Introduced
6.7.0
Fixed
6.7.9