{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-56678", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2024-12-27T15:00:39.845Z", "datePublished": "2024-12-28T09:46:07.256Z", "dateUpdated": "2025-05-04T10:02:04.112Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-05-04T10:02:04.112Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/mm/fault: Fix kfence page fault reporting\n\ncopy_from_kernel_nofault() can be called when doing read of /proc/kcore.\n/proc/kcore can have some unmapped kfence objects which when read via\ncopy_from_kernel_nofault() can cause page faults. Since *_nofault()\nfunctions define their own fixup table for handling fault, use that\ninstead of asking kfence to handle such faults.\n\nHence we search the exception tables for the nip which generated the\nfault. If there is an entry then we let the fixup table handler handle the\npage fault by returning an error from within ___do_page_fault().\n\nThis can be easily triggered if someone tries to do dd from /proc/kcore.\neg. dd if=/proc/kcore of=/dev/null bs=1M\n\nSome example false negatives:\n\n ===============================\n BUG: KFENCE: invalid read in copy_from_kernel_nofault+0x9c/0x1a0\n Invalid read at 0xc0000000fdff0000:\n copy_from_kernel_nofault+0x9c/0x1a0\n 0xc00000000665f950\n read_kcore_iter+0x57c/0xa04\n proc_reg_read_iter+0xe4/0x16c\n vfs_read+0x320/0x3ec\n ksys_read+0x90/0x154\n system_call_exception+0x120/0x310\n system_call_vectored_common+0x15c/0x2ec\n\n BUG: KFENCE: use-after-free read in copy_from_kernel_nofault+0x9c/0x1a0\n Use-after-free read at 0xc0000000fe050000 (in kfence-#2):\n copy_from_kernel_nofault+0x9c/0x1a0\n 0xc00000000665f950\n read_kcore_iter+0x57c/0xa04\n proc_reg_read_iter+0xe4/0x16c\n vfs_read+0x320/0x3ec\n ksys_read+0x90/0x154\n system_call_exception+0x120/0x310\n system_call_vectored_common+0x15c/0x2ec"}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["arch/powerpc/mm/fault.c"], "versions": [{"version": "90cbac0e995dd92f7bcf82f74aa50250bf194a4a", "lessThan": "e0a470b5733c1fe068d5c58b0bb91ad539604bc6", "status": "affected", "versionType": "git"}, {"version": "90cbac0e995dd92f7bcf82f74aa50250bf194a4a", "lessThan": "4d2655754e94741b159aa807b72ea85518a65fd5", "status": "affected", "versionType": "git"}, {"version": "90cbac0e995dd92f7bcf82f74aa50250bf194a4a", "lessThan": "9ea8d8bf9b625e8ad3be6b0432aecdc549914121", "status": "affected", "versionType": "git"}, {"version": "90cbac0e995dd92f7bcf82f74aa50250bf194a4a", "lessThan": "7eaeb7a49b6d16640f9f3c9074c05175d74c710b", "status": "affected", "versionType": "git"}, {"version": "90cbac0e995dd92f7bcf82f74aa50250bf194a4a", "lessThan": "15f78d2c3d1452645bd8b9da909b0ca266f83c43", "status": "affected", "versionType": "git"}, {"version": "90cbac0e995dd92f7bcf82f74aa50250bf194a4a", "lessThan": "06dbbb4d5f7126b6307ab807cbf04ecfc459b933", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["arch/powerpc/mm/fault.c"], "versions": [{"version": "5.13", "status": "affected"}, {"version": "0", "lessThan": "5.13", "status": "unaffected", "versionType": "semver"}, {"version": "5.15.174", "lessThanOrEqual": "5.15.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.120", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.64", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.11.11", "lessThanOrEqual": "6.11.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.2", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.13", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.13", "versionEndExcluding": "5.15.174"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.13", "versionEndExcluding": "6.1.120"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.13", "versionEndExcluding": "6.6.64"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.13", "versionEndExcluding": "6.11.11"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.13", "versionEndExcluding": "6.12.2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.13", "versionEndExcluding": "6.13"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/e0a470b5733c1fe068d5c58b0bb91ad539604bc6"}, {"url": "https://git.kernel.org/stable/c/4d2655754e94741b159aa807b72ea85518a65fd5"}, {"url": "https://git.kernel.org/stable/c/9ea8d8bf9b625e8ad3be6b0432aecdc549914121"}, {"url": "https://git.kernel.org/stable/c/7eaeb7a49b6d16640f9f3c9074c05175d74c710b"}, {"url": "https://git.kernel.org/stable/c/15f78d2c3d1452645bd8b9da909b0ca266f83c43"}, {"url": "https://git.kernel.org/stable/c/06dbbb4d5f7126b6307ab807cbf04ecfc459b933"}], "title": "powerpc/mm/fault: Fix kfence page fault reporting", "x_generator": {"engine": "bippy-1.2.0"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-56678", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-02-11T15:41:28.722483Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "CWE-416 Use After Free"}]}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-11T15:45:21.070Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2024-56678", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-02-11T15:41:28.722483Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-416", "description": "CWE-416 Use After Free"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-11T15:41:30.421Z"}}], "cna": {"title": "powerpc/mm/fault: Fix kfence page fault reporting", "affected": [{"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "90cbac0e995dd92f7bcf82f74aa50250bf194a4a", "lessThan": "e0a470b5733c1fe068d5c58b0bb91ad539604bc6", "versionType": "git"}, {"status": "affected", "version": "90cbac0e995dd92f7bcf82f74aa50250bf194a4a", "lessThan": "4d2655754e94741b159aa807b72ea85518a65fd5", "versionType": "git"}, {"status": "affected", "version": "90cbac0e995dd92f7bcf82f74aa50250bf194a4a", "lessThan": "9ea8d8bf9b625e8ad3be6b0432aecdc549914121", "versionType": "git"}, {"status": "affected", "version": "90cbac0e995dd92f7bcf82f74aa50250bf194a4a", "lessThan": "7eaeb7a49b6d16640f9f3c9074c05175d74c710b", "versionType": "git"}, {"status": "affected", "version": "90cbac0e995dd92f7bcf82f74aa50250bf194a4a", "lessThan": "15f78d2c3d1452645bd8b9da909b0ca266f83c43", "versionType": "git"}, {"status": "affected", "version": "90cbac0e995dd92f7bcf82f74aa50250bf194a4a", "lessThan": "06dbbb4d5f7126b6307ab807cbf04ecfc459b933", "versionType": "git"}], "programFiles": ["arch/powerpc/mm/fault.c"], "defaultStatus": "unaffected"}, {"repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "vendor": "Linux", "product": "Linux", "versions": [{"status": "affected", "version": "5.13"}, {"status": "unaffected", "version": "0", "lessThan": "5.13", "versionType": "semver"}, {"status": "unaffected", "version": "5.15.174", "versionType": "semver", "lessThanOrEqual": "5.15.*"}, {"status": "unaffected", "version": "6.1.120", "versionType": "semver", "lessThanOrEqual": "6.1.*"}, {"status": "unaffected", "version": "6.6.64", "versionType": "semver", "lessThanOrEqual": "6.6.*"}, {"status": "unaffected", "version": "6.11.11", "versionType": "semver", "lessThanOrEqual": "6.11.*"}, {"status": "unaffected", "version": "6.12.2", "versionType": "semver", "lessThanOrEqual": "6.12.*"}, {"status": "unaffected", "version": "6.13", "versionType": "original_commit_for_fix", "lessThanOrEqual": "*"}], "programFiles": ["arch/powerpc/mm/fault.c"], "defaultStatus": "affected"}], "references": [{"url": "https://git.kernel.org/stable/c/e0a470b5733c1fe068d5c58b0bb91ad539604bc6"}, {"url": "https://git.kernel.org/stable/c/4d2655754e94741b159aa807b72ea85518a65fd5"}, {"url": "https://git.kernel.org/stable/c/9ea8d8bf9b625e8ad3be6b0432aecdc549914121"}, {"url": "https://git.kernel.org/stable/c/7eaeb7a49b6d16640f9f3c9074c05175d74c710b"}, {"url": "https://git.kernel.org/stable/c/15f78d2c3d1452645bd8b9da909b0ca266f83c43"}, {"url": "https://git.kernel.org/stable/c/06dbbb4d5f7126b6307ab807cbf04ecfc459b933"}], "x_generator": {"engine": "bippy-5f407fcff5a0"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/mm/fault: Fix kfence page fault reporting\n\ncopy_from_kernel_nofault() can be called when doing read of /proc/kcore.\n/proc/kcore can have some unmapped kfence objects which when read via\ncopy_from_kernel_nofault() can cause page faults. Since *_nofault()\nfunctions define their own fixup table for handling fault, use that\ninstead of asking kfence to handle such faults.\n\nHence we search the exception tables for the nip which generated the\nfault. If there is an entry then we let the fixup table handler handle the\npage fault by returning an error from within ___do_page_fault().\n\nThis can be easily triggered if someone tries to do dd from /proc/kcore.\neg. dd if=/proc/kcore of=/dev/null bs=1M\n\nSome example false negatives:\n\n ===============================\n BUG: KFENCE: invalid read in copy_from_kernel_nofault+0x9c/0x1a0\n Invalid read at 0xc0000000fdff0000:\n copy_from_kernel_nofault+0x9c/0x1a0\n 0xc00000000665f950\n read_kcore_iter+0x57c/0xa04\n proc_reg_read_iter+0xe4/0x16c\n vfs_read+0x320/0x3ec\n ksys_read+0x90/0x154\n system_call_exception+0x120/0x310\n system_call_vectored_common+0x15c/0x2ec\n\n BUG: KFENCE: use-after-free read in copy_from_kernel_nofault+0x9c/0x1a0\n Use-after-free read at 0xc0000000fe050000 (in kfence-#2):\n copy_from_kernel_nofault+0x9c/0x1a0\n 0xc00000000665f950\n read_kcore_iter+0x57c/0xa04\n proc_reg_read_iter+0xe4/0x16c\n vfs_read+0x320/0x3ec\n ksys_read+0x90/0x154\n system_call_exception+0x120/0x310\n system_call_vectored_common+0x15c/0x2ec"}], "providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2025-01-20T06:25:46.335Z"}}}, "cveMetadata": {"cveId": "CVE-2024-56678", "state": "PUBLISHED", "dateUpdated": "2025-02-11T15:45:21.070Z", "dateReserved": "2024-12-27T15:00:39.845Z", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "datePublished": "2024-12-28T09:46:07.256Z", "assignerShortName": "Linux"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "98AAB746-8653-4FD8-9B39-61F09957759F", "versionEndExcluding": "5.15.174", "versionStartIncluding": "5.13", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "09AC6122-E2A4-40FE-9D33-268A1B2EC265", "versionEndExcluding": "6.1.120", "versionStartIncluding": "5.16", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "CA16DEE3-ABEC-4449-9F4A-7A3DC4FC36C7", "versionEndExcluding": "6.6.64", "versionStartIncluding": "6.2", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "21434379-192D-472F-9B54-D45E3650E893", "versionEndExcluding": "6.11.11", "versionStartIncluding": "6.7", "vulnerable": true}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "matchCriteriaId": "D8882B1B-2ABC-4838-AC1D-DBDBB5764776", "versionEndExcluding": "6.12.2", "versionStartIncluding": "6.12", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/mm/fault: Fix kfence page fault reporting\n\ncopy_from_kernel_nofault() can be called when doing read of /proc/kcore.\n/proc/kcore can have some unmapped kfence objects which when read via\ncopy_from_kernel_nofault() can cause page faults. Since *_nofault()\nfunctions define their own fixup table for handling fault, use that\ninstead of asking kfence to handle such faults.\n\nHence we search the exception tables for the nip which generated the\nfault. If there is an entry then we let the fixup table handler handle the\npage fault by returning an error from within ___do_page_fault().\n\nThis can be easily triggered if someone tries to do dd from /proc/kcore.\neg. dd if=/proc/kcore of=/dev/null bs=1M\n\nSome example false negatives:\n\n ===============================\n BUG: KFENCE: invalid read in copy_from_kernel_nofault+0x9c/0x1a0\n Invalid read at 0xc0000000fdff0000:\n copy_from_kernel_nofault+0x9c/0x1a0\n 0xc00000000665f950\n read_kcore_iter+0x57c/0xa04\n proc_reg_read_iter+0xe4/0x16c\n vfs_read+0x320/0x3ec\n ksys_read+0x90/0x154\n system_call_exception+0x120/0x310\n system_call_vectored_common+0x15c/0x2ec\n\n BUG: KFENCE: use-after-free read in copy_from_kernel_nofault+0x9c/0x1a0\n Use-after-free read at 0xc0000000fe050000 (in kfence-#2):\n copy_from_kernel_nofault+0x9c/0x1a0\n 0xc00000000665f950\n read_kcore_iter+0x57c/0xa04\n proc_reg_read_iter+0xe4/0x16c\n vfs_read+0x320/0x3ec\n ksys_read+0x90/0x154\n system_call_exception+0x120/0x310\n system_call_vectored_common+0x15c/0x2ec"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: powerpc/mm/fault: Arreglar el informe de fallos de p\u00e1gina de kfence. Se puede llamar a copy_from_kernel_nofault() al realizar una lectura de /proc/kcore. /proc/kcore puede tener algunos objetos kfence no mapeados que, cuando se leen mediante copy_from_kernel_nofault(), pueden causar fallos de p\u00e1gina. Dado que las funciones *_nofault() definen su propia tabla de correcciones para gestionar los fallos, util\u00edcela en lugar de pedirle a kfence que se encargue de dichos fallos. Por lo tanto, buscamos en las tablas de excepciones el nip que gener\u00f3 el fallo. Si hay una entrada, dejamos que el controlador de la tabla de correcciones se encargue del fallo de p\u00e1gina devolviendo un error desde dentro de ___do_page_fault(). Esto se puede activar f\u00e1cilmente si alguien intenta hacer dd desde /proc/kcore. p. ej. dd if=/proc/kcore of=/dev/null bs=1M Algunos ejemplos de falsos negativos: ================================ ERROR: KFENCE: lectura no v\u00e1lida en copy_from_kernel_nofault+0x9c/0x1a0 Lectura no v\u00e1lida en 0xc0000000fdff0000: copy_from_kernel_nofault+0x9c/0x1a0 0xc00000000665f950 read_kcore_iter+0x57c/0xa04 proc_reg_read_iter+0xe4/0x16c vfs_read+0x320/0x3ec ksys_read+0x90/0x154 system_call_exception+0x120/0x310 ERROR: KFENCE: lectura de use-after-free en copy_from_kernel_nofault+0x9c/0x1a0 Lectura de use-after-free en 0xc0000000fe050000 (en kfence-#2): copy_from_kernel_nofault+0x9c/0x1a0 0xc00000000665f950 read_kcore_iter+0x57c/0xa04 proc_reg_read_iter+0xe4/0x16c vfs_read+0x320/0x3ec ksys_read+0x90/0x154 system_call_exception+0x120/0x310 system_call_vectored_common+0x15c/0x2ec"}], "id": "CVE-2024-56678", "lastModified": "2025-03-24T17:32:09.777", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2024-12-28T10:15:08.797", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/06dbbb4d5f7126b6307ab807cbf04ecfc459b933"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/15f78d2c3d1452645bd8b9da909b0ca266f83c43"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/4d2655754e94741b159aa807b72ea85518a65fd5"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/7eaeb7a49b6d16640f9f3c9074c05175d74c710b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/9ea8d8bf9b625e8ad3be6b0432aecdc549914121"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": ["Patch"], "url": "https://git.kernel.org/stable/c/e0a470b5733c1fe068d5c58b0bb91ad539604bc6"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-416"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "kernel: powerpc/mm/fault: Fix kfence page fault reporting", "id": "2334692", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2334692"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.7", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "details": ["In the Linux kernel, the following vulnerability has been resolved:\npowerpc/mm/fault: Fix kfence page fault reporting\ncopy_from_kernel_nofault() can be called when doing read of /proc/kcore.\n/proc/kcore can have some unmapped kfence objects which when read via\ncopy_from_kernel_nofault() can cause page faults. Since *_nofault()\nfunctions define their own fixup table for handling fault, use that\ninstead of asking kfence to handle such faults.\nHence we search the exception tables for the nip which generated the\nfault. If there is an entry then we let the fixup table handler handle the\npage fault by returning an error from within ___do_page_fault().\nThis can be easily triggered if someone tries to do dd from /proc/kcore.\neg. dd if=/proc/kcore of=/dev/null bs=1M\nSome example false negatives:\n===============================\nBUG: KFENCE: invalid read in copy_from_kernel_nofault+0x9c/0x1a0\nInvalid read at 0xc0000000fdff0000:\ncopy_from_kernel_nofault+0x9c/0x1a0\n0xc00000000665f950\nread_kcore_iter+0x57c/0xa04\nproc_reg_read_iter+0xe4/0x16c\nvfs_read+0x320/0x3ec\nksys_read+0x90/0x154\nsystem_call_exception+0x120/0x310\nsystem_call_vectored_common+0x15c/0x2ec\nBUG: KFENCE: use-after-free read in copy_from_kernel_nofault+0x9c/0x1a0\nUse-after-free read at 0xc0000000fe050000 (in kfence-#2):\ncopy_from_kernel_nofault+0x9c/0x1a0\n0xc00000000665f950\nread_kcore_iter+0x57c/0xa04\nproc_reg_read_iter+0xe4/0x16c\nvfs_read+0x320/0x3ec\nksys_read+0x90/0x154\nsystem_call_exception+0x120/0x310\nsystem_call_vectored_common+0x15c/0x2ec", "A flaw was found in the PowerPC architecture's memory fault handling in the Linux kernel. When reading from /proc/kcore, the kernel may incorrectly attempt to handle faults on KFENCE-allocated memory regions using the KFENCE mechanism instead of the appropriate fixup table. This misbehavior can lead to false-positive reports of memory errors, including invalid reads and use-after-free conditions. A local attacker could exploit this by triggering reads on unmapped or freed KFENCE objects, potentially causing a denial of service or confusing kernel debugging tools."], "name": "CVE-2024-56678", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Will not fix", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2024-12-28T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-56678\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-56678\nhttps://lore.kernel.org/linux-cve-announce/2024122832-CVE-2024-56678-977d@gregkh/T"], "statement": "Only privileged local user can trigger this bug, so the security impact is limited.", "threat_severity": "Moderate"}

{}