Linux kernel
cpe:2.3:a:linux:linux_kernel:*:*:*:*:*:*:*
- >= 5.12, < 5.12.0-rc1
A vulnerability exists in the Linux kernel for the parisc architecture, specifically in the handling of user read access by the __get_user() function. Due to the current implementation, read access interruptions are only activated at privilege levels 2 and 3. Since the kernel operates at privilege level 0, __get_user() fails to trigger a necessary read access interruption, allowing user code to inadvertently access read-protected memory addresses through system calls. This issue has been addressed by modifying the __get_user() function to probe read access rights at privilege level 3 (PRIV_USER) and to return an error if access is denied.
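The check described above can be modelled in user-space C. This is an added illustration, not code from the kernel or from the fix itself; the `struct page` layout, the function names and the `-EFAULT` return value are assumptions made for the model.

```c
#include <errno.h>
#include <stdint.h>

/* Simplified model (assumption): privilege 0 is the kernel, 3 is user code. */
enum { PRIV_KERNEL = 0, PRIV_USER = 3 };

/* Constructed sample page: one word of data plus a user-readable flag. */
struct page {
    uint32_t word;
    int user_readable;
};

/* Models the behaviour the advisory describes: a load raises a read access
 * interruption only when it is issued at privilege level 2 or 3. */
static int load_traps(const struct page *pg, int priv)
{
    return priv >= 2 && !pg->user_readable;
}

/* Models the probe added by the fix: test read rights as if running at
 * `priv`, without performing the load. Returns 1 if the read is allowed. */
static int probe_read(const struct page *pg, int priv)
{
    return !load_traps(pg, priv);
}

/* Pre-fix behaviour: the load runs at kernel privilege, so it never traps. */
int get_user_unpatched(uint32_t *dst, const struct page *src)
{
    if (load_traps(src, PRIV_KERNEL))
        return -EFAULT;
    *dst = src->word;
    return 0;
}

/* Post-fix behaviour: probe at PRIV_USER first and fail if access is denied
 * (-EFAULT is assumed here as the error value). */
int get_user_patched(uint32_t *dst, const struct page *src)
{
    if (!probe_read(src, PRIV_USER))
        return -EFAULT;
    return get_user_unpatched(dst, src);
}
```

In the model, the unpatched path copies the word out of a page marked not user-readable, while the patched path rejects the same request and leaves the destination untouched.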
Exploitation of this vulnerability could lead to unauthorized access to read-protected memory addresses by user code, potentially allowing for the disclosure of sensitive information or the manipulation of data in a way that could disrupt system operations.
The vulnerability can be reproduced by executing user code that makes a system call while the kernel is running on the parisc architecture. The __get_user() function will not trigger a read access interruption, allowing the user code to access read-protected memory.
Users can upgrade to the latest version of the Linux kernel where this vulnerability has been fixed. Instructions for downloading the patched version are available on the Linux kernel official website.