{"id":"CVE-2024-26674","summary":"x86/lib: Revert to _ASM_EXTABLE_UA() for {get,put}_user() fixups","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nx86/lib: Revert to _ASM_EXTABLE_UA() for {get,put}_user() fixups\n\nDuring memory error injection test on kernels \u003e= v6.4, the kernel panics\nlike below. However, this issue couldn't be reproduced on kernels \u003c= v6.3.\n\n  mce: [Hardware Error]: CPU 296: Machine Check Exception: f Bank 1: bd80000000100134\n  mce: [Hardware Error]: RIP 10:\u003cffffffff821b9776\u003e {__get_user_nocheck_4+0x6/0x20}\n  mce: [Hardware Error]: TSC 411a93533ed ADDR 346a8730040 MISC 86\n  mce: [Hardware Error]: PROCESSOR 0:a06d0 TIME 1706000767 SOCKET 1 APIC 211 microcode 80001490\n  mce: [Hardware Error]: Run the above through 'mcelog --ascii'\n  mce: [Hardware Error]: Machine check: Data load in unrecoverable area of kernel\n  Kernel panic - not syncing: Fatal local machine check\n\nThe MCA code can recover from an in-kernel #MC if the fixup type is\nEX_TYPE_UACCESS, explicitly indicating that the kernel is attempting to\naccess userspace memory. However, if the fixup type is EX_TYPE_DEFAULT\nthe only thing that is raised for an in-kernel #MC is a panic.\n\nex_handler_uaccess() would warn if users gave a non-canonical addresses\n(with bit 63 clear) to {get, put}_user(), which was unexpected.\n\nTherefore, commit\n\n  b19b74bc99b1 (\"x86/mm: Rework address range check in get_user() and put_user()\")\n\nreplaced _ASM_EXTABLE_UA() with _ASM_EXTABLE() for {get, put}_user()\nfixups. However, the new fixup type EX_TYPE_DEFAULT results in a panic.\n\nCommit\n\n  6014bc27561f (\"x86-64: make access_ok() independent of LAM\")\n\nadded the check gp_fault_address_ok() right before the WARN_ONCE() in\nex_handler_uaccess() to not warn about non-canonical user addresses due\nto LAM.\n\nWith that in place, revert back to _ASM_EXTABLE_UA() for {get,put}_user()\nexception fixups in order to be able to handle in-kernel MCEs correctly\nagain.\n\n  [ bp: Massage commit message. ]","modified":"2026-03-20T12:35:07.735857Z","published":"2024-04-02T07:01:39.114Z","related":["SUSE-SU-2024:2135-1","SUSE-SU-2024:2203-1","SUSE-SU-2024:2973-1","SUSE-SU-2025:20008-1","SUSE-SU-2025:20028-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/26xxx/CVE-2024-26674.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/2aed1b6c33afd8599d01c6532bbecb829480a674"},{"type":"WEB","url":"https://git.kernel.org/stable/c/2da241c5ed78d0978228a1150735539fe1a60eca"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8eed4e00a370b37b4e5985ed983dccedd555ea9d"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/26xxx/CVE-2024-26674.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26674"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"b19b74bc99b1501a550f4448d04d59b946dc617a"},{"fixed":"2aed1b6c33afd8599d01c6532bbecb829480a674"},{"fixed":"2da241c5ed78d0978228a1150735539fe1a60eca"},{"fixed":"8eed4e00a370b37b4e5985ed983dccedd555ea9d"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-26674.json"}}],"schema_version":"1.7.5"}