{
    "dataType": "CVE_RECORD",
    "dataVersion": "5.1",
    "cveMetadata": {
        "cveId": "CVE-2024-26746",
        "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "state": "PUBLISHED",
        "assignerShortName": "Linux",
        "dateReserved": "2024-02-19T14:20:24.168Z",
        "datePublished": "2024-04-04T08:20:13.846Z",
        "dateUpdated": "2024-08-02T00:14:13.241Z"
    },
    "containers": {
        "cna": {
            "providerMetadata": {
                "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
                "shortName": "Linux",
                "dateUpdated": "2024-05-29T05:21:58.976Z"
            },
            "descriptions": [
                {
                    "lang": "en",
                    "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndmaengine: idxd: Ensure safe user copy of completion record\n\nIf CONFIG_HARDENED_USERCOPY is enabled, copying completion record from\nevent log cache to user triggers a kernel bug.\n\n[ 1987.159822] usercopy: Kernel memory exposure attempt detected from SLUB object 'dsa0' (offset 74, size 31)!\n[ 1987.170845] ------------[ cut here ]------------\n[ 1987.176086] kernel BUG at mm/usercopy.c:102!\n[ 1987.180946] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI\n[ 1987.186866] CPU: 17 PID: 528 Comm: kworker/17:1 Not tainted 6.8.0-rc2+ #5\n[ 1987.194537] Hardware name: Intel Corporation AvenueCity/AvenueCity, BIOS BHSDCRB1.86B.2492.D03.2307181620 07/18/2023\n[ 1987.206405] Workqueue: wq0.0 idxd_evl_fault_work [idxd]\n[ 1987.212338] RIP: 0010:usercopy_abort+0x72/0x90\n[ 1987.217381] Code: 58 65 9c 50 48 c7 c2 17 85 61 9c 57 48 c7 c7 98 fd 6b 9c 48 0f 44 d6 48 c7 c6 b3 08 62 9c 4c 89 d1 49 0f 44 f3 e8 1e 2e d5 ff <0f> 0b 49 c7 c1 9e 42 61 9c 4c 89 cf 4d 89 c8 eb a9 66 66 2e 0f 1f\n[ 1987.238505] RSP: 0018:ff62f5cf20607d60 EFLAGS: 00010246\n[ 1987.244423] RAX: 000000000000005f RBX: 000000000000001f RCX: 0000000000000000\n[ 1987.252480] RDX: 0000000000000000 RSI: ffffffff9c61429e RDI: 00000000ffffffff\n[ 1987.260538] RBP: ff62f5cf20607d78 R08: ff2a6a89ef3fffe8 R09: 00000000fffeffff\n[ 1987.268595] R10: ff2a6a89eed00000 R11: 0000000000000003 R12: ff2a66934849c89a\n[ 1987.276652] R13: 0000000000000001 R14: ff2a66934849c8b9 R15: ff2a66934849c899\n[ 1987.284710] FS:  0000000000000000(0000) GS:ff2a66b22fe40000(0000) knlGS:0000000000000000\n[ 1987.293850] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[ 1987.300355] CR2: 00007fe291a37000 CR3: 000000010fbd4005 CR4: 0000000000f71ef0\n[ 1987.308413] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n[ 1987.316470] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400\n[ 1987.324527] PKRU: 55555554\n[ 1987.327622] Call Trace:\n[ 1987.330424]  <TASK>\n[ 1987.332826]  ? show_regs+0x6e/0x80\n[ 1987.336703]  ? die+0x3c/0xa0\n[ 1987.339988]  ? do_trap+0xd4/0xf0\n[ 1987.343662]  ? do_error_trap+0x75/0xa0\n[ 1987.347922]  ? usercopy_abort+0x72/0x90\n[ 1987.352277]  ? exc_invalid_op+0x57/0x80\n[ 1987.356634]  ? usercopy_abort+0x72/0x90\n[ 1987.360988]  ? asm_exc_invalid_op+0x1f/0x30\n[ 1987.365734]  ? usercopy_abort+0x72/0x90\n[ 1987.370088]  __check_heap_object+0xb7/0xd0\n[ 1987.374739]  __check_object_size+0x175/0x2d0\n[ 1987.379588]  idxd_copy_cr+0xa9/0x130 [idxd]\n[ 1987.384341]  idxd_evl_fault_work+0x127/0x390 [idxd]\n[ 1987.389878]  process_one_work+0x13e/0x300\n[ 1987.394435]  ? __pfx_worker_thread+0x10/0x10\n[ 1987.399284]  worker_thread+0x2f7/0x420\n[ 1987.403544]  ? _raw_spin_unlock_irqrestore+0x2b/0x50\n[ 1987.409171]  ? __pfx_worker_thread+0x10/0x10\n[ 1987.414019]  kthread+0x107/0x140\n[ 1987.417693]  ? __pfx_kthread+0x10/0x10\n[ 1987.421954]  ret_from_fork+0x3d/0x60\n[ 1987.426019]  ? __pfx_kthread+0x10/0x10\n[ 1987.430281]  ret_from_fork_asm+0x1b/0x30\n[ 1987.434744]  </TASK>\n\nThe issue arises because event log cache is created using\nkmem_cache_create() which is not suitable for user copy.\n\nFix the issue by creating event log cache with\nkmem_cache_create_usercopy(), ensuring safe user copy."
                }
            ],
            "affected": [
                {
                    "product": "Linux",
                    "vendor": "Linux",
                    "defaultStatus": "unaffected",
                    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                    "programFiles": [
                        "drivers/dma/idxd/init.c"
                    ],
                    "versions": [
                        {
                            "version": "c2f156bf168f",
                            "lessThan": "5e3022ea42e4",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "c2f156bf168f",
                            "lessThan": "bb71e0403231",
                            "status": "affected",
                            "versionType": "git"
                        },
                        {
                            "version": "c2f156bf168f",
                            "lessThan": "d3ea125df37d",
                            "status": "affected",
                            "versionType": "git"
                        }
                    ]
                },
                {
                    "product": "Linux",
                    "vendor": "Linux",
                    "defaultStatus": "affected",
                    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
                    "programFiles": [
                        "drivers/dma/idxd/init.c"
                    ],
                    "versions": [
                        {
                            "version": "6.4",
                            "status": "affected"
                        },
                        {
                            "version": "0",
                            "lessThan": "6.4",
                            "status": "unaffected",
                            "versionType": "custom"
                        },
                        {
                            "version": "6.6.21",
                            "lessThanOrEqual": "6.6.*",
                            "status": "unaffected",
                            "versionType": "custom"
                        },
                        {
                            "version": "6.7.9",
                            "lessThanOrEqual": "6.7.*",
                            "status": "unaffected",
                            "versionType": "custom"
                        },
                        {
                            "version": "6.8",
                            "lessThanOrEqual": "*",
                            "status": "unaffected",
                            "versionType": "original_commit_for_fix"
                        }
                    ]
                }
            ],
            "references": [
                {
                    "url": "https://git.kernel.org/stable/c/5e3022ea42e490a36ec6f2cfa6fc603deb0bace4"
                },
                {
                    "url": "https://git.kernel.org/stable/c/bb71e040323175e18c233a9afef32ba14fa64eb7"
                },
                {
                    "url": "https://git.kernel.org/stable/c/d3ea125df37dc37972d581b74a5d3785c3f283ab"
                }
            ],
            "title": "dmaengine: idxd: Ensure safe user copy of completion record",
            "x_generator": {
                "engine": "bippy-a5840b7849dd"
            }
        },
        "adp": [
            {
                "title": "CISA ADP Vulnrichment",
                "metrics": [
                    {
                        "other": {
                            "type": "ssvc",
                            "content": {
                                "id": "CVE-2024-26746",
                                "role": "CISA Coordinator",
                                "options": [
                                    {
                                        "Exploitation": "none"
                                    },
                                    {
                                        "Automatable": "no"
                                    },
                                    {
                                        "Technical Impact": "partial"
                                    }
                                ],
                                "version": "2.0.3",
                                "timestamp": "2024-04-04T16:00:23.530084Z"
                            }
                        }
                    }
                ],
                "providerMetadata": {
                    "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
                    "shortName": "CISA-ADP",
                    "dateUpdated": "2024-06-04T17:48:37.499Z"
                }
            },
            {
                "providerMetadata": {
                    "orgId": "af854a3a-2127-422b-91ae-364da2661108",
                    "shortName": "CVE",
                    "dateUpdated": "2024-08-02T00:14:13.241Z"
                },
                "title": "CVE Program Container",
                "references": [
                    {
                        "url": "https://git.kernel.org/stable/c/5e3022ea42e490a36ec6f2cfa6fc603deb0bace4",
                        "tags": [
                            "x_transferred"
                        ]
                    },
                    {
                        "url": "https://git.kernel.org/stable/c/bb71e040323175e18c233a9afef32ba14fa64eb7",
                        "tags": [
                            "x_transferred"
                        ]
                    },
                    {
                        "url": "https://git.kernel.org/stable/c/d3ea125df37dc37972d581b74a5d3785c3f283ab",
                        "tags": [
                            "x_transferred"
                        ]
                    }
                ]
            }
        ]
    }
}