{"id":"CVE-2024-26906","summary":"x86/mm: Disallow vsyscall page read for copy_from_kernel_nofault()","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nx86/mm: Disallow vsyscall page read for copy_from_kernel_nofault()\n\nWhen trying to use copy_from_kernel_nofault() to read vsyscall page\nthrough a bpf program, the following oops was reported:\n\n BUG: unable to handle page fault for address: ffffffffff600000\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 3231067 P4D 3231067 PUD 3233067 PMD 3235067 PTE 0\n Oops: 0000 [#1] PREEMPT SMP PTI\n CPU: 1 PID: 20390 Comm: test_progs ...... 6.7.0+ #58\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996) ......\n RIP: 0010:copy_from_kernel_nofault+0x6f/0x110\n ......\n Call Trace:\n \u003cTASK\u003e\n ? copy_from_kernel_nofault+0x6f/0x110\n bpf_probe_read_kernel+0x1d/0x50\n bpf_prog_2061065e56845f08_do_probe_read+0x51/0x8d\n trace_call_bpf+0xc5/0x1c0\n perf_call_bpf_enter.isra.0+0x69/0xb0\n perf_syscall_enter+0x13e/0x200\n syscall_trace_enter+0x188/0x1c0\n do_syscall_64+0xb5/0xe0\n entry_SYSCALL_64_after_hwframe+0x6e/0x76\n \u003c/TASK\u003e\n ......\n ---[ end trace 0000000000000000 ]---\n\nThe oops is triggered when:\n\n1) A bpf program uses bpf_probe_read_kernel() to read from the vsyscall\npage and invokes copy_from_kernel_nofault() which in turn calls\n__get_user_asm().\n\n2) Because the vsyscall page address is not readable from kernel space,\na page fault exception is triggered accordingly.\n\n3) handle_page_fault() considers the vsyscall page address as a user\nspace address instead of a kernel space address. This results in the\nfix-up setup by bpf not being applied and a page_fault_oops() is invoked\ndue to SMAP.\n\nConsidering handle_page_fault() has already considered the vsyscall page\naddress as a userspace address, fix the problem by disallowing vsyscall\npage read for copy_from_kernel_nofault().","modified":"2026-04-02T10:06:19.422897Z","published":"2024-04-17T10:27:53.573Z","related":["ALSA-2024:4211","ALSA-2024:4352","SUSE-SU-2024:1642-1","SUSE-SU-2024:1645-1","SUSE-SU-2024:1650-1","SUSE-SU-2024:2135-1","SUSE-SU-2024:2203-1","SUSE-SU-2024:2973-1","SUSE-SU-2024:4315-1","SUSE-SU-2024:4364-1","SUSE-SU-2024:4376-1","SUSE-SU-2025:20008-1","SUSE-SU-2025:20028-1"],"database_specific":{"cna_assigner":"Linux","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/26xxx/CVE-2024-26906.json"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/29bd6f86904682adafe9affbc7f79b14defcaff8"},{"type":"WEB","url":"https://git.kernel.org/stable/c/32019c659ecfe1d92e3bf9fcdfbb11a7c70acd58"},{"type":"WEB","url":"https://git.kernel.org/stable/c/57f78c46f08198e1be08ffe99c4c1ccc12855bf5"},{"type":"WEB","url":"https://git.kernel.org/stable/c/6e4694e65b6db4c3de125115dd4f55848cc48381"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e8a67fe34b76a49320b33032228a794f40b0316b"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f175de546a3eb77614d94d4c02550181c0a8493e"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/26xxx/CVE-2024-26906.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-26906"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"75a1a607bb7e6d918be3aca11ec2214a275392f4"},{"fixed":"6e4694e65b6db4c3de125115dd4f55848cc48381"},{"fixed":"e8a67fe34b76a49320b33032228a794f40b0316b"},{"fixed":"f175de546a3eb77614d94d4c02550181c0a8493e"},{"fixed":"57f78c46f08198e1be08ffe99c4c1ccc12855bf5"},{"fixed":"29bd6f86904682adafe9affbc7f79b14defcaff8"},{"fixed":"32019c659ecfe1d92e3bf9fcdfbb11a7c70acd58"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-26906.json"}}],"schema_version":"1.7.5"}