Linux Kernel up to 6.11.5 x86 valid_user_address information exposure

Summaryinfo

A vulnerability, which was classified as problematic, has been found in Linux Kernel up to 6.11.5. Affected by this issue is the function valid_user_address of the component x86. This manipulation causes an unknown weakness. This vulnerability is tracked as CVE-2024-50102. No exploit exists. It is advisable to upgrade the affected component.

Detailsinfo

A vulnerability has been found in Linux Kernel up to 6.11.5 and classified as problematic. Affected by this vulnerability is the function valid_user_address of the component x86. The CWE definition for the vulnerability is CWE-203. The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not. The impact remains unknown. The summary by CVE is:

In the Linux kernel, the following vulnerability has been resolved: x86: fix user address masking non-canonical speculation issue It turns out that AMD has a "Meltdown Lite(tm)" issue with non-canonical accesses in kernel space. And so using just the high bit to decide whether an access is in user space or kernel space ends up with the good old "leak speculative data" if you have the right gadget using the result: CVE-2020-12965 “Transient Execution of Non-Canonical Accesses“ Now, the kernel surrounds the access with a STAC/CLAC pair, and those instructions end up serializing execution on older Zen architectures, which closes the speculation window. But that was true only up until Zen 5, which renames the AC bit [1]. That improves performance of STAC/CLAC a lot, but also means that the speculation window is now open. Note that this affects not just the new address masking, but also the regular valid_user_address() check used by access_ok(), and the asm version of the sign bit check in the get_user() helpers. It does not affect put_user() or clear_user() variants, since there's no speculative result to be used in a gadget for those operations.

It is possible to read the advisory at git.kernel.org. This vulnerability is known as CVE-2024-50102 since 10/21/2024. Technical details of the vulnerability are known, but there is no available exploit. The attack technique deployed by this issue is T1592 according to MITRE ATT&CK.

The vulnerability scanner Nessus provides a plugin with the ID 216493 (Ubuntu 24.10 : Linux kernel vulnerabilities (USN-7276-1)), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 6.11.6 eliminates this vulnerability. Applying the patch 291313693677/86e6b1547b3d is able to eliminate this problem. The bugfix is ready for download at git.kernel.org. The best possible mitigation is suggested to be upgrading to the latest version.

The vulnerability is also documented in the databases at Tenable (216493), EUVD (EUVD-2024-44577) and CERT Bund (WID-SEC-2024-3339). Be aware that VulDB is the high quality source for vulnerability data.

Affected

• Google Container-Optimized OS
• Debian Linux
• Amazon Linux 2
• Red Hat Enterprise Linux
• Ubuntu Linux
• SUSE Linux
• Oracle Linux
• Open Source eCryptfs
• SUSE openSUSE
• RESF Rocky Linux
• IBM QRadar SIEM

Productinfo

Type

• Operating System

Vendor

• Linux

Name

• Kernel

Version

• 6.11.0
• 6.11.1
• 6.11.2
• 6.11.3
• 6.11.4
• 6.11.5

License

• open-source

Website

• Vendor: https://www.kernel.org/

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Be aware that VulDB is the high quality source for vulnerability data.

Discussion