CVE-2024-56678
📋 TL;DR
A Linux kernel vulnerability in the powerpc page-fault handling code (powerpc/mm/fault) causes page faults to be handled improperly when /proc/kcore is read, potentially causing false KFENCE error reports or memory corruption. It affects Linux systems on the powerpc architecture when /proc/kcore is accessed, and can be triggered simply by reading /proc/kcore, for example with dd.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Kernel memory corruption leading to system crash, denial of service, or potential privilege escalation if combined with other vulnerabilities.
Likely Case
False KFENCE error reports causing system instability, kernel panics, or denial of service when /proc/kcore is accessed.
If Mitigated
Minor system instability with false error reports but no security impact if proper access controls prevent unauthorized /proc/kcore access.
🎯 Exploit Status
Exploitation requires local access and ability to read /proc/kcore. More sophisticated exploitation could potentially lead to memory corruption.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Patches available in stable kernel versions via provided git commits
Vendor Advisory: https://git.kernel.org/stable/c/06dbbb4d5f7126b6307ab807cbf04ecfc459b933
Restart Required: Yes
Instructions:
1. Update Linux kernel to patched version
2. Apply specific git commits: 06dbbb4d5f7126b6307ab807cbf04ecfc459b933, 15f78d2c3d1452645bd8b9da909b0ca266f83c43, 4d2655754e94741b159aa807b72ea85518a65fd5, 7eaeb7a49b6d16640f9f3c9074c05175d74c710b, 9ea8d8bf9b625e8ad3be6b0432aecdc549914121
3. Reboot system
🔧 Temporary Workarounds
Restrict /proc/kcore access
Limit access to /proc/kcore to prevent triggering the vulnerability
chmod 600 /proc/kcore
setfacl -m u:root:r-- /proc/kcore
Disable KFENCE
Disable the KFENCE feature to prevent false error reports
echo 0 > /sys/module/kfence/parameters/sample_interval
🧯 If You Can't Patch
- Restrict /proc/kcore access to root only
- Monitor system logs for KFENCE error reports and investigate any occurrences
🔍 How to Verify
Check if Vulnerable:
Check whether the system runs on the powerpc architecture and whether /proc/kcore is accessible. Test with: dd if=/proc/kcore of=/dev/null bs=1M count=1 and monitor for KFENCE errors.
Check Version:
uname -r
Verify Fix Applied:
Check that the kernel version is patched, or confirm that the dd test no longer produces KFENCE errors in system logs.
📡 Detection & Monitoring
Log Indicators:
- KFENCE: invalid read in copy_from_kernel_nofault
- KFENCE: use-after-free read in copy_from_kernel_nofault
- kernel page fault errors when accessing /proc/kcore
Network Indicators:
- None - local vulnerability only
SIEM Query:
source="kernel" AND ("KFENCE: invalid read" OR "KFENCE: use-after-free" OR ("/proc/kcore" AND "page fault"))
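The log indicators above can also be checked directly on a host against a saved kernel log. The following triage helper is an added example, not part of the original advisory or of the kernel project; the function names and the sample log lines (including the placeholder offsets) are constructed for illustration.

```shell
#!/bin/sh
# Added example: match the two KFENCE indicators listed above in a kernel log.

# Succeeds when the machine string (default: uname -m) is a powerpc variant.
is_powerpc() {
    case "${1:-$(uname -m)}" in
        ppc*|powerpc*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print lines of log file $1 that report a KFENCE invalid or use-after-free
# read inside copy_from_kernel_nofault (the path taken by /proc/kcore reads).
kfence_kcore_hits() {
    grep -E 'KFENCE: (invalid|use-after-free) read in copy_from_kernel_nofault' "$1"
}

# Count matching lines; prints 0 when there are none.
kfence_kcore_count() {
    kfence_kcore_hits "$1" | wc -l | tr -d ' '
}

# Constructed sample log, not captured from a real system.
write_sample_log() {
    cat > "$1" <<'EOF'
[  101.000001] BUG: KFENCE: invalid read in copy_from_kernel_nofault+0x0/0x0
[  101.000002] Invalid read at 0x0000000000000000:
[  250.000001] BUG: KFENCE: use-after-free read in copy_from_kernel_nofault+0x0/0x0
[  300.000001] BUG: KFENCE: out-of-bounds read in some_driver_fn+0x0/0x0
[  301.000001] EXT4-fs (sda1): mounted filesystem
EOF
}

# triage LOGFILE [MACHINE]: flag the host only when it is powerpc AND the log
# contains at least one matching report; other KFENCE reports are ignored.
triage() {
    n=$(kfence_kcore_count "$1")
    if is_powerpc "${2:-}" && [ "$n" -gt 0 ]; then
        echo "INVESTIGATE: $n KFENCE report(s) in copy_from_kernel_nofault"
    else
        echo "OK: no matching indicator"
    fi
}
```

On a live system, save the kernel log first (for example dmesg > kernel.log as root) and run triage kernel.log.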
🔗 References
- https://git.kernel.org/stable/c/06dbbb4d5f7126b6307ab807cbf04ecfc459b933
- https://git.kernel.org/stable/c/15f78d2c3d1452645bd8b9da909b0ca266f83c43
- https://git.kernel.org/stable/c/4d2655754e94741b159aa807b72ea85518a65fd5
- https://git.kernel.org/stable/c/7eaeb7a49b6d16640f9f3c9074c05175d74c710b
- https://git.kernel.org/stable/c/9ea8d8bf9b625e8ad3be6b0432aecdc549914121
- https://git.kernel.org/stable/c/e0a470b5733c1fe068d5c58b0bb91ad539604bc6
- https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html