CVE-2024-57878

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-57878
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-57878.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-57878
Downstream
Related
Published
2025-01-11T14:49:04.088Z
Modified
2025-11-20T07:31:24.381097Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H CVSS Calculator
Summary
arm64: ptrace: fix partial SETREGSET for NT_ARM_FPMR
Details

In the Linux kernel, the following vulnerability has been resolved:

arm64: ptrace: fix partial SETREGSET for NTARMFPMR

Currently fpmr_set() doesn't initialize the temporary 'fpmr' variable, and a SETREGSET call with a length of zero will leave this uninitialized. Consequently an arbitrary value will be written back to target->thread.uw.fpmr, potentially leaking up to 64 bits of memory from the kernel stack. The read is limited to a specific slot on the stack, and the issue does not provide a write mechanism.

Fix this by initializing the temporary value before copying the regset from userspace, as for other regsets (e.g. NTPRSTATUS, NTPRFPREG, NTARMSYSTEM_CALL). In the case of a zero-length write, the existing contents of FPMR will be retained.

Before this patch:

| # ./fpmr-test | Attempting to write NTARMFPMR::fpmr = 0x900d900d900d900d | SETREGSET(nt=0x40e, len=8) wrote 8 bytes | | Attempting to read NTARMFPMR::fpmr | GETREGSET(nt=0x40e, len=8) read 8 bytes | Read NTARMFPMR::fpmr = 0x900d900d900d900d | | Attempting to write NTARMFPMR (zero length) | SETREGSET(nt=0x40e, len=0) wrote 0 bytes | | Attempting to read NTARMFPMR::fpmr | GETREGSET(nt=0x40e, len=8) read 8 bytes | Read NTARMFPMR::fpmr = 0xffff800083963d50

After this patch:

| # ./fpmr-test | Attempting to write NTARMFPMR::fpmr = 0x900d900d900d900d | SETREGSET(nt=0x40e, len=8) wrote 8 bytes | | Attempting to read NTARMFPMR::fpmr | GETREGSET(nt=0x40e, len=8) read 8 bytes | Read NTARMFPMR::fpmr = 0x900d900d900d900d | | Attempting to write NTARMFPMR (zero length) | SETREGSET(nt=0x40e, len=0) wrote 0 bytes | | Attempting to read NTARMFPMR::fpmr | GETREGSET(nt=0x40e, len=8) read 8 bytes | Read NTARMFPMR::fpmr = 0x900d900d900d900d

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
4035c22ef7d43a6c00d6a6584c60e902b95b46af
Fixed
8ab73c34e3c5b580721696665eabd799346bc50b
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
4035c22ef7d43a6c00d6a6584c60e902b95b46af
Fixed
f5d71291841aecfe5d8435da2dfa7f58ccd18bc8

Affected versions

v6.*

v6.10
v6.10-rc1
v6.10-rc2
v6.10-rc3
v6.10-rc4
v6.10-rc5
v6.10-rc6
v6.10-rc7
v6.11
v6.11-rc1
v6.11-rc2
v6.11-rc3
v6.11-rc4
v6.11-rc5
v6.11-rc6
v6.11-rc7
v6.12
v6.12-rc1
v6.12-rc2
v6.12-rc3
v6.12-rc4
v6.12-rc5
v6.12-rc6
v6.12-rc7
v6.12.1
v6.12.2
v6.12.3
v6.12.4
v6.13-rc1
v6.8
v6.8-rc4
v6.8-rc5
v6.8-rc6
v6.8-rc7
v6.9
v6.9-rc1
v6.9-rc2
v6.9-rc3
v6.9-rc4
v6.9-rc5
v6.9-rc6
v6.9-rc7

Database specific

vanir_signatures

[
    {
        "signature_type": "Line",
        "deprecated": false,
        "signature_version": "v1",
        "target": {
            "file": "arch/arm64/kernel/ptrace.c"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8ab73c34e3c5b580721696665eabd799346bc50b",
        "digest": {
            "line_hashes": [
                "85678792937530487241594614626280916590",
                "30646253045294887539164721217463491484",
                "302703693188505980251779644764950892288"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2024-57878-025b3921"
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "signature_version": "v1",
        "target": {
            "file": "arch/arm64/kernel/ptrace.c",
            "function": "fpmr_set"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@8ab73c34e3c5b580721696665eabd799346bc50b",
        "digest": {
            "length": 398.0,
            "function_hash": "163265728753948791747599582910490847098"
        },
        "id": "CVE-2024-57878-9f037d9f"
    },
    {
        "signature_type": "Function",
        "deprecated": false,
        "signature_version": "v1",
        "target": {
            "file": "arch/arm64/kernel/ptrace.c",
            "function": "fpmr_set"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f5d71291841aecfe5d8435da2dfa7f58ccd18bc8",
        "digest": {
            "length": 398.0,
            "function_hash": "163265728753948791747599582910490847098"
        },
        "id": "CVE-2024-57878-b59dd55c"
    },
    {
        "signature_type": "Line",
        "deprecated": false,
        "signature_version": "v1",
        "target": {
            "file": "arch/arm64/kernel/ptrace.c"
        },
        "source": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git@f5d71291841aecfe5d8435da2dfa7f58ccd18bc8",
        "digest": {
            "line_hashes": [
                "85678792937530487241594614626280916590",
                "30646253045294887539164721217463491484",
                "302703693188505980251779644764950892288"
            ],
            "threshold": 0.9
        },
        "id": "CVE-2024-57878-f4a00c70"
    }
]

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.9.0
Fixed
6.12.5