DEBIAN-CVE-2024-35871
- Source
- https://security-tracker.debian.org/tracker/CVE-2024-35871
- Import Source
- https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2024-35871.json
- JSON Data
- https://api.osv.dev/v1/vulns/DEBIAN-CVE-2024-35871
- Upstream
- Published
- 2024-05-19T09:15:08Z
- Modified
- 2025-09-30T05:18:23.847710Z
- Summary
- [none]
- Details
-
In the Linux kernel, the following vulnerability has been resolved: riscv: process: Fix kernel gp leakage childregs represents the registers which are active for the new thread in user context. For a kernel thread, childregs->gp is never used since the kernel gp is not touched by switchto. For a user mode helper, the gp value can be observed in user space after execve or possibly by other means. [From the email thread] The /* Kernel thread */ comment is somewhat inaccurate in that it is also used for usermodehelper threads, which exec a user process, e.g. /sbin/init or when /proc/sys/kernel/corepattern is a pipe. Such threads do not have PFKTHREAD set and are valid targets for ptrace etc. even before they exec. childregs is the *user* context during syscall execution and it is observable from userspace in at least five ways: 1. kernelexecve does not currently clear integer registers, so the starting register state for PID 1 and other user processes started by the kernel has sp = user stack, gp = kernel _globalpointer$, all other integer registers zeroed by the memset in the patch comment. This is a bug in its own right, but I'm unwilling to bet that it is the only way to exploit the issue addressed by this patch. 2. ptrace(PTRACEGETREGSET): you can PTRACEATTACH to a usermodehelper thread before it execs, but ptrace requires SIGSTOP to be delivered which can only happen at user/kernel boundaries. 3. /proc//task//syscall: this is perfectly happy to read ptregs for usermodehelpers before the exec completes, but gp is not one of the registers it returns. 4. PERFSAMPLEREGSUSER: LOCKDOWNPERF normally prevents access to kernel addresses via PERFSAMPLEREGSINTR, but due to this bug kernel addresses are also exposed via PERFSAMPLEREGSUSER which is permitted under LOCKDOWNPERF. I have not attempted to write exploit code. 5. Much of the tracing infrastructure allows access to user registers. I have not attempted to determine which forms of tracing allow access to user registers without already allowing access to kernel registers.
- References
Affected packages
Debian:11 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed5.10.216-1
Affected versions
5.*
Debian:12 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed6.1.85-1
Debian:13 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source
Debian:14 / linux
Package
- Name
- linux
- Purl
- pkg:deb/debian/linux?arch=source