DEBIAN-CVE-2024-26746
- Source
- https://security-tracker.debian.org/tracker/CVE-2024-26746
- Import Source
- https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2024-26746.json
- JSON Data
- https://api.osv.dev/v1/vulns/DEBIAN-CVE-2024-26746
- Upstream
- Published
- 2024-04-04T09:15:07.783Z
- Modified
- 2025-11-19T02:04:38.757088Z
- Severity
-
- 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved: dmaengine: idxd: Ensure safe user copy of completion record If CONFIGHARDENEDUSERCOPY is enabled, copying completion record from event log cache to user triggers a kernel bug. [ 1987.159822] usercopy: Kernel memory exposure attempt detected from SLUB object 'dsa0' (offset 74, size 31)! [ 1987.170845] ------------[ cut here ]------------ [ 1987.176086] kernel BUG at mm/usercopy.c:102! [ 1987.180946] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI [ 1987.186866] CPU: 17 PID: 528 Comm: kworker/17:1 Not tainted 6.8.0-rc2+ #5 [ 1987.194537] Hardware name: Intel Corporation AvenueCity/AvenueCity, BIOS BHSDCRB1.86B.2492.D03.2307181620 07/18/2023 [ 1987.206405] Workqueue: wq0.0 idxdevlfaultwork [idxd] [ 1987.212338] RIP: 0010:usercopyabort+0x72/0x90 [ 1987.217381] Code: 58 65 9c 50 48 c7 c2 17 85 61 9c 57 48 c7 c7 98 fd 6b 9c 48 0f 44 d6 48 c7 c6 b3 08 62 9c 4c 89 d1 49 0f 44 f3 e8 1e 2e d5 ff <0f> 0b 49 c7 c1 9e 42 61 9c 4c 89 cf 4d 89 c8 eb a9 66 66 2e 0f 1f [ 1987.238505] RSP: 0018:ff62f5cf20607d60 EFLAGS: 00010246 [ 1987.244423] RAX: 000000000000005f RBX: 000000000000001f RCX: 0000000000000000 [ 1987.252480] RDX: 0000000000000000 RSI: ffffffff9c61429e RDI: 00000000ffffffff [ 1987.260538] RBP: ff62f5cf20607d78 R08: ff2a6a89ef3fffe8 R09: 00000000fffeffff [ 1987.268595] R10: ff2a6a89eed00000 R11: 0000000000000003 R12: ff2a66934849c89a [ 1987.276652] R13: 0000000000000001 R14: ff2a66934849c8b9 R15: ff2a66934849c899 [ 1987.284710] FS: 0000000000000000(0000) GS:ff2a66b22fe40000(0000) knlGS:0000000000000000 [ 1987.293850] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 1987.300355] CR2: 00007fe291a37000 CR3: 000000010fbd4005 CR4: 0000000000f71ef0 [ 1987.308413] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 1987.316470] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400 [ 1987.324527] PKRU: 55555554 [ 1987.327622] Call Trace: [ 1987.330424] <TASK> [ 1987.332826] ? showregs+0x6e/0x80 [ 1987.336703] ? die+0x3c/0xa0 [ 1987.339988] ? dotrap+0xd4/0xf0 [ 1987.343662] ? doerrortrap+0x75/0xa0 [ 1987.347922] ? usercopyabort+0x72/0x90 [ 1987.352277] ? excinvalidop+0x57/0x80 [ 1987.356634] ? usercopyabort+0x72/0x90 [ 1987.360988] ? asmexcinvalidop+0x1f/0x30 [ 1987.365734] ? usercopyabort+0x72/0x90 [ 1987.370088] __checkheapobject+0xb7/0xd0 [ 1987.374739] __checkobjectsize+0x175/0x2d0 [ 1987.379588] idxdcopycr+0xa9/0x130 [idxd] [ 1987.384341] idxdevlfaultwork+0x127/0x390 [idxd] [ 1987.389878] processone_work+0x13e/0x300 [ 1987.394435] ? __pfxworkerthread+0x10/0x10 [ 1987.399284] workerthread+0x2f7/0x420 [ 1987.403544] ? rawspinunlock_irqrestore+0x2b/0x50 [ 1987.409171] ? __pfxworkerthread+0x10/0x10 [ 1987.414019] kthread+0x107/0x140 [ 1987.417693] ? __pfxkthread+0x10/0x10 [ 1987.421954] retfrom_fork+0x3d/0x60 [ 1987.426019] ? _pfxkthread+0x10/0x10 [ 1987.430281] retfromforkasm+0x1b/0x30 [ 1987.434744] </TASK> The issue arises because event log cache is created using kmemcachecreate() which is not suitable for user copy. Fix the issue by creating event log cache with kmemcachecreateusercopy(), ensuring safe user copy.
- References
Affected packages
Debian:13 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Debian:14 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source