In the Linux kernel, the following vulnerability has been resolved:
arm64: ptrace: fix partial SETREGSET for NTARMFPMR
Currently fpmr_set() doesn't initialize the temporary 'fpmr' variable, and a SETREGSET call with a length of zero will leave this uninitialized. Consequently an arbitrary value will be written back to target->thread.uw.fpmr, potentially leaking up to 64 bits of memory from the kernel stack. The read is limited to a specific slot on the stack, and the issue does not provide a write mechanism.
Fix this by initializing the temporary value before copying the regset from userspace, as for other regsets (e.g. NTPRSTATUS, NTPRFPREG, NTARMSYSTEM_CALL). In the case of a zero-length write, the existing contents of FPMR will be retained.
Before this patch:
| # ./fpmr-test | Attempting to write NTARMFPMR::fpmr = 0x900d900d900d900d | SETREGSET(nt=0x40e, len=8) wrote 8 bytes | | Attempting to read NTARMFPMR::fpmr | GETREGSET(nt=0x40e, len=8) read 8 bytes | Read NTARMFPMR::fpmr = 0x900d900d900d900d | | Attempting to write NTARMFPMR (zero length) | SETREGSET(nt=0x40e, len=0) wrote 0 bytes | | Attempting to read NTARMFPMR::fpmr | GETREGSET(nt=0x40e, len=8) read 8 bytes | Read NTARMFPMR::fpmr = 0xffff800083963d50
After this patch:
| # ./fpmr-test | Attempting to write NTARMFPMR::fpmr = 0x900d900d900d900d | SETREGSET(nt=0x40e, len=8) wrote 8 bytes | | Attempting to read NTARMFPMR::fpmr | GETREGSET(nt=0x40e, len=8) read 8 bytes | Read NTARMFPMR::fpmr = 0x900d900d900d900d | | Attempting to write NTARMFPMR (zero length) | SETREGSET(nt=0x40e, len=0) wrote 0 bytes | | Attempting to read NTARMFPMR::fpmr | GETREGSET(nt=0x40e, len=8) read 8 bytes | Read NTARMFPMR::fpmr = 0x900d900d900d900d