CVE-2024-26746 in Linux
Summary
by MITRE • 04/04/2024
In the Linux kernel, the following vulnerability has been resolved:
dmaengine: idxd: Ensure safe user copy of completion record
If CONFIG_HARDENED_USERCOPY is enabled, copying a completion record from the event log cache to user space triggers a kernel bug.
[ 1987.159822] usercopy: Kernel memory exposure attempt detected from SLUB object 'dsa0' (offset 74, size 31)!
[ 1987.170845] ------------[ cut here ]------------
[ 1987.176086] kernel BUG at mm/usercopy.c:102!
[ 1987.180946] invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
[ 1987.186866] CPU: 17 PID: 528 Comm: kworker/17:1 Not tainted 6.8.0-rc2+ #5
[ 1987.194537] Hardware name: Intel Corporation AvenueCity/AvenueCity, BIOS BHSDCRB1.86B.2492.D03.2307181620 07/18/2023
[ 1987.206405] Workqueue: wq0.0 idxd_evl_fault_work [idxd]
[ 1987.212338] RIP: 0010:usercopy_abort+0x72/0x90
[ 1987.217381] Code: 58 65 9c 50 48 c7 c2 17 85 61 9c 57 48 c7 c7 98 fd 6b 9c 48 0f 44 d6 48 c7 c6 b3 08 62 9c 4c 89 d1 49 0f 44 f3 e8 1e 2e d5 ff 0b 49 c7 c1 9e 42 61 9c 4c 89 cf 4d 89 c8 eb a9 66 66 2e 0f 1f
[ 1987.238505] RSP: 0018:ff62f5cf20607d60 EFLAGS: 00010246
[ 1987.244423] RAX: 000000000000005f RBX: 000000000000001f RCX: 0000000000000000
[ 1987.252480] RDX: 0000000000000000 RSI: ffffffff9c61429e RDI: 00000000ffffffff
[ 1987.260538] RBP: ff62f5cf20607d78 R08: ff2a6a89ef3fffe8 R09: 00000000fffeffff
[ 1987.268595] R10: ff2a6a89eed00000 R11: 0000000000000003 R12: ff2a66934849c89a
[ 1987.276652] R13: 0000000000000001 R14: ff2a66934849c8b9 R15: ff2a66934849c899
[ 1987.284710] FS: 0000000000000000(0000) GS:ff2a66b22fe40000(0000) knlGS:0000000000000000
[ 1987.293850] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1987.300355] CR2: 00007fe291a37000 CR3: 000000010fbd4005 CR4: 0000000000f71ef0
[ 1987.308413] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 1987.316470] DR3: 0000000000000000 DR6: 00000000fffe07f0 DR7: 0000000000000400
[ 1987.324527] PKRU: 55555554
[ 1987.327622] Call Trace:
[ 1987.330424] <TASK>
[ 1987.332826] ? show_regs+0x6e/0x80
[ 1987.336703] ? die+0x3c/0xa0
[ 1987.339988] ? do_trap+0xd4/0xf0
[ 1987.343662] ? do_error_trap+0x75/0xa0
[ 1987.347922] ? usercopy_abort+0x72/0x90
[ 1987.352277] ? exc_invalid_op+0x57/0x80
[ 1987.356634] ? usercopy_abort+0x72/0x90
[ 1987.360988] ? asm_exc_invalid_op+0x1f/0x30
[ 1987.365734] ? usercopy_abort+0x72/0x90
[ 1987.370088] __check_heap_object+0xb7/0xd0
[ 1987.374739] __check_object_size+0x175/0x2d0
[ 1987.379588] idxd_copy_cr+0xa9/0x130 [idxd]
[ 1987.384341] idxd_evl_fault_work+0x127/0x390 [idxd]
[ 1987.389878] process_one_work+0x13e/0x300
[ 1987.394435] ? __pfx_worker_thread+0x10/0x10
[ 1987.399284] worker_thread+0x2f7/0x420
[ 1987.403544] ? _raw_spin_unlock_irqrestore+0x2b/0x50
[ 1987.409171] ? __pfx_worker_thread+0x10/0x10
[ 1987.414019] kthread+0x107/0x140
[ 1987.417693] ? __pfx_kthread+0x10/0x10
[ 1987.421954] ret_from_fork+0x3d/0x60
[ 1987.426019] ? __pfx_kthread+0x10/0x10
[ 1987.430281] ret_from_fork_asm+0x1b/0x30
[ 1987.434744] </TASK>
The issue arises because the event log cache is created using kmem_cache_create(), which is not suitable for user copy.
Fix the issue by creating the event log cache with kmem_cache_create_usercopy(), ensuring safe user copy.
Analysis
by VulDB Data Team • 08/03/2025
CVE-2024-26746 is a defect in the Linux kernel's DMA engine subsystem, in the idxd driver that serves Intel Data Streaming Accelerator (DSA) devices (the oops above names the per-device cache 'dsa0'). It surfaces only when CONFIG_HARDENED_USERCOPY is enabled, the option that makes copy_to_user() and copy_from_user() verify that a heap source or destination lies inside a region the owning slab cache has declared safe for user copies. The driver copies completion records out of its event log cache to user space, but that cache never declared such a region, so the first such copy trips the check.
The root cause is the call that creates the event log cache. kmem_cache_create() leaves the cache's usercopy whitelist empty (useroffset and usersize both zero), and under hardened usercopy the path __check_object_size() -> __check_heap_object() only permits a copy whose byte range lies entirely inside that whitelist; with an empty one, every real copy fails. That is exactly what the log reports: "usercopy: Kernel memory exposure attempt detected from SLUB object 'dsa0' (offset 74, size 31)!" means a 31-byte copy to user space starting 74 bytes into an object of the 'dsa0' cache was refused. The refusal is usercopy_abort(), which ends in BUG() at mm/usercopy.c:102. That oops kills the kworker thread that was running the handler rather than the whole machine, although it becomes a full panic on systems with panic_on_oops set; the trace above was taken on a 6.8.0-rc2 kernel. The stack trace shows the path: the workqueue item idxd_evl_fault_work(), which processes event log entries for completion-record write faults, calls idxd_copy_cr(), which performs the copy_to_user() that the hardening rejects.
The practical impact is denial of service. When an affected kernel hits the check, the worker thread dies mid-operation, the completion record is never delivered to the waiting process, and on a system with panic_on_oops set the machine goes down. Because hardened usercopy aborts before any byte is copied, and because the copy target is the submitting process's own completion-record buffer, the "memory exposure" wording in the log does not indicate a leak of kernel data to an attacker: the hardening fired on a legitimate copy that had simply not been whitelisted. The condition is reachable from a user process driving a DSA work queue on a kernel built with CONFIG_HARDENED_USERCOPY=y and the idxd driver loaded; kernels built without the option perform the same copy silently and do not crash. VulDB tags the entry CWE-121 and ATT&CK T1068, but nothing in the fix or the oops supports a stack-based overflow or a privilege-escalation path; the defect is a missing usercopy whitelist whose only demonstrated effect is the crash.
The fix replaces kmem_cache_create() with kmem_cache_create_usercopy() when the event log cache is set up. That variant takes two extra arguments, useroffset and usersize, and records them in the cache so that __check_heap_object() permits copies falling inside that window; copies that start before it or run past it still abort, so the whitelist narrows what the driver may expose rather than switching the protection off. The commit message describes no other change to the driver, and the hardening stays in force for the rest of the system. Administrators should move to a kernel carrying the fix wherever CONFIG_HARDENED_USERCOPY=y and the idxd driver are both in use; the option can be checked with grep CONFIG_HARDENED_USERCOPY /boot/config-$(uname -r), the driver with lsmod | grep idxd, and a system that has already hit the bug shows the "usercopy: Kernel memory exposure attempt detected from SLUB object 'dsa" line in dmesg. Turning CONFIG_HARDENED_USERCOPY off would also stop the crash, but it removes a kernel-wide defence and is not an acceptable workaround.
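To make the whitelist arithmetic concrete, here is a user-space C model, added for this analysis and not taken from the kernel or the idxd driver, of the test that __check_heap_object() in mm/slub.c applies. The cache descriptor, the 128-byte object size and the choice to whitelist the whole object in the fixed case are assumptions for illustration (the page does not show the event log entry layout or the offsets the real fix passes); the offset 74 and size 31 are the values from the oops above. The vulnerable case models a cache from kmem_cache_create() (empty whitelist), the fixed case a cache from kmem_cache_create_usercopy(), and a third case shows that a copy running one byte past the declared region is still refused.

```c
#include <stdbool.h>
#include <stdio.h>

/* Minimal model of a SLUB cache descriptor: only the fields hardened
 * usercopy consults. useroffset/usersize are the usercopy whitelist. */
struct model_cache {
    const char *name;
    unsigned int size;        /* object size */
    unsigned int useroffset;  /* first byte copy_{to,from}_user may touch */
    unsigned int usersize;    /* length of that window; 0 means "nothing" */
};

/* Model of kmem_cache_create(): no usercopy region is declared. */
static struct model_cache cache_create(const char *name, unsigned int size)
{
    struct model_cache c = { name, size, 0, 0 };
    return c;
}

/* Model of kmem_cache_create_usercopy(): the caller declares the region. */
static struct model_cache cache_create_usercopy(const char *name, unsigned int size,
                                               unsigned int useroffset,
                                               unsigned int usersize)
{
    struct model_cache c = { name, size, useroffset, usersize };
    return c;
}

/* Model of the whitelist test in __check_heap_object(): the copied range
 * [offset, offset+n) must lie entirely inside [useroffset, useroffset+usersize).
 * Returns true when the copy is allowed, false where the kernel would call
 * usercopy_abort() and BUG(). The message format mirrors the one in the oops. */
static bool check_heap_object(const struct model_cache *s, unsigned int offset,
                              unsigned int n, bool to_user)
{
    if (offset >= s->useroffset &&
        offset - s->useroffset <= s->usersize &&
        n <= s->useroffset - offset + s->usersize)
        return true;

    fprintf(stderr,
            "usercopy: Kernel memory %s attempt detected from SLUB object '%s' "
            "(offset %u, size %u)!\n",
            to_user ? "exposure" : "overwrite", s->name, offset, n);
    return false;
}

/* Values from the oops: 31 bytes at offset 74 of a 'dsa0' object.
 * EVL_OBJ_SIZE is an assumed object size for illustration only. */
#define EVL_OBJ_SIZE 128u
#define CR_OFFSET     74u
#define CR_SIZE       31u

/* Before the fix: cache created without a whitelist, so the copy aborts. */
static bool vulnerable_copy(void)
{
    struct model_cache evl = cache_create("dsa0", EVL_OBJ_SIZE);
    return check_heap_object(&evl, CR_OFFSET, CR_SIZE, true);
}

/* After the fix: a whitelist is declared. Assumption: the whole object is
 * whitelisted; a narrower window covering just the record would also pass. */
static bool fixed_copy(void)
{
    struct model_cache evl = cache_create_usercopy("dsa0", EVL_OBJ_SIZE,
                                                   0, EVL_OBJ_SIZE);
    return check_heap_object(&evl, CR_OFFSET, CR_SIZE, true);
}

/* The whitelist still bounds the copy: with only the record whitelisted,
 * a copy one byte longer than the window is rejected. */
static bool overlong_copy_on_fixed_cache(void)
{
    struct model_cache evl = cache_create_usercopy("dsa0", EVL_OBJ_SIZE,
                                                   CR_OFFSET, CR_SIZE);
    return check_heap_object(&evl, CR_OFFSET, CR_SIZE + 1, true);
}

int main(void)
{
    printf("kmem_cache_create cache:          copy %s\n",
           vulnerable_copy() ? "allowed" : "rejected");
    printf("kmem_cache_create_usercopy cache: copy %s\n",
           fixed_copy() ? "allowed" : "rejected");
    printf("copy past declared region:        copy %s\n",
           overlong_copy_on_fixed_cache() ? "allowed" : "rejected");
    return 0;
}
```

Run as written, the first case prints the same "Kernel memory exposure attempt" line the oops shows and is rejected, the second is allowed, and the third is rejected again, which is why the fix does not weaken the hardening: the driver only gains the bytes it declares.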