CVE-2024-35871

{"id": "CVE-2024-35871", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 1.8}]}, "published": "2024-05-19T09:15:08.507", "references": [{"url": "https://git.kernel.org/stable/c/00effef72c98294edb1efa87ffa0f6cfb61b36a4", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/9abc3e6f1116adb7a2d4fbb8ce20c37916976bf5", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d14fa1fcf69db9d070e75f1c4425211fa619dfc8", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/d8dcba0691b8e42bddb61aab201e4d918a08e5d9", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/dff6072124f6df77bfd36951fbd88565746980ef", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f6583444d7e78dae750798552b65a2519ff3ca84", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/00effef72c98294edb1efa87ffa0f6cfb61b36a4", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/9abc3e6f1116adb7a2d4fbb8ce20c37916976bf5", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/d14fa1fcf69db9d070e75f1c4425211fa619dfc8", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/d8dcba0691b8e42bddb61aab201e4d918a08e5d9", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/dff6072124f6df77bfd36951fbd88565746980ef", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/f6583444d7e78dae750798552b65a2519ff3ca84", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/06/msg00017.html", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: process: Fix kernel gp leakage\n\nchildregs represents the registers which are active for the new thread\nin user context. For a kernel thread, childregs->gp is never used since\nthe kernel gp is not touched by switch_to. For a user mode helper, the\ngp value can be observed in user space after execve or possibly by other\nmeans.\n\n[From the email thread]\n\nThe /* Kernel thread */ comment is somewhat inaccurate in that it is also used\nfor user_mode_helper threads, which exec a user process, e.g. /sbin/init or\nwhen /proc/sys/kernel/core_pattern is a pipe. Such threads do not have\nPF_KTHREAD set and are valid targets for ptrace etc. even before they exec.\n\nchildregs is the *user* context during syscall execution and it is observable\nfrom userspace in at least five ways:\n\n1. kernel_execve does not currently clear integer registers, so the starting\n register state for PID 1 and other user processes started by the kernel has\n sp = user stack, gp = kernel __global_pointer$, all other integer registers\n zeroed by the memset in the patch comment.\n\n This is a bug in its own right, but I'm unwilling to bet that it is the only\n way to exploit the issue addressed by this patch.\n\n2. ptrace(PTRACE_GETREGSET): you can PTRACE_ATTACH to a user_mode_helper thread\n before it execs, but ptrace requires SIGSTOP to be delivered which can only\n happen at user/kernel boundaries.\n\n3. /proc/*/task/*/syscall: this is perfectly happy to read pt_regs for\n user_mode_helpers before the exec completes, but gp is not one of the\n registers it returns.\n\n4. PERF_SAMPLE_REGS_USER: LOCKDOWN_PERF normally prevents access to kernel\n addresses via PERF_SAMPLE_REGS_INTR, but due to this bug kernel addresses\n are also exposed via PERF_SAMPLE_REGS_USER which is permitted under\n LOCKDOWN_PERF. I have not attempted to write exploit code.\n\n5. Much of the tracing infrastructure allows access to user registers. I have\n not attempted to determine which forms of tracing allow access to user\n registers without already allowing access to kernel registers."}, {"lang": "es", "value": "En el kernel de Linux, se resolvi\u00f3 la siguiente vulnerabilidad: riscv: proceso: corregir la fuga de gp del kernel. Los registros secundarios representan los registros que est\u00e1n activos para el nuevo hilo en el contexto del usuario. Para un subproceso del kernel, childregs->gp nunca se usa ya que switch_to no toca el gp del kernel. Para un asistente en modo de usuario, el valor gp se puede observar en el espacio del usuario despu\u00e9s de execve o posiblemente por otros medios. [Del hilo del correo electr\u00f3nico] El comentario /* Hilo del kernel */ es algo inexacto porque tambi\u00e9n se usa para los hilos user_mode_helper, que ejecutan un proceso de usuario, por ejemplo, /sbin/init o cuando /proc/sys/kernel/core_pattern es un tubo. Dichos subprocesos no tienen PF_KTHREAD configurado y son objetivos v\u00e1lidos para ptrace, etc., incluso antes de ejecutarse. childregs es el contexto *usuario* durante la ejecuci\u00f3n de la llamada al sistema y es observable desde el espacio de usuario de al menos cinco maneras: 1. kernel_execve actualmente no borra registros enteros, por lo que el estado de registro inicial para PID 1 y otros procesos de usuario iniciados por el n\u00facleo tiene sp = pila de usuario, gp = kernel __global_pointer$, todos los dem\u00e1s registros enteros puestos a cero por el memset en el comentario del parche. Esto es un error en s\u00ed mismo, pero no estoy dispuesto a apostar que es la \u00fanica forma de explotar el problema solucionado por este parche. 2. ptrace(PTRACE_GETREGSET): puede PTRACE_ATTACH a un subproceso user_mode_helper antes de que se ejecute, pero ptrace requiere que se entregue SIGSTOP, lo que solo puede ocurrir en los l\u00edmites del usuario/kernel. 3. /proc/*/task/*/syscall: es un placer leer pt_regs para user_mode_helpers antes de que se complete el ejecutivo, pero gp no es uno de los registros que devuelve. 4. PERF_SAMPLE_REGS_USER: LOCKDOWN_PERF normalmente impide el acceso a las direcciones del kernel a trav\u00e9s de PERF_SAMPLE_REGS_INTR, pero debido a este error, las direcciones del kernel tambi\u00e9n se exponen a trav\u00e9s de PERF_SAMPLE_REGS_USER, que est\u00e1 permitido bajo LOCKDOWN_PERF. No he intentado escribir c\u00f3digo de explotaci\u00f3n. 5. Gran parte de la infraestructura de rastreo permite el acceso a los registros de usuarios. No he intentado determinar qu\u00e9 formas de rastreo permiten el acceso a los registros de usuarios sin permitir ya el acceso a los registros del kernel."}], "lastModified": "2026-01-22T20:21:18.273", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5CF7D35C-702E-491C-99F5-A305049ACC51", "versionEndExcluding": "5.10.216", "versionStartIncluding": "4.15"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "577E212E-7E95-4A71-9B5C-F1D1A3AFFF46", "versionEndExcluding": "5.15.154", "versionStartIncluding": "5.11"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "325665BF-2409-49D9-B391-39AD4566FDBD", "versionEndExcluding": "6.1.85", "versionStartIncluding": "5.16"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C520696A-A594-4FFC-A32D-12DA535CE911", "versionEndExcluding": "6.6.26", "versionStartIncluding": "6.2"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DBD6C99E-4250-4DFE-8447-FF2075939D10", "versionEndExcluding": "6.8.5", "versionStartIncluding": "6.7"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.9:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "22BEDD49-2C6D-402D-9DBF-6646F6ECD10B"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.9:rc2:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DF73CB2A-DFFD-46FB-9BFE-AA394F27EA37"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}