CVE-2024-57878 (GCVE-0-2024-57878)
Vulnerability from cvelistv5
Published
2025-01-11 14:49
Modified
2025-05-04 10:05
Summary
In the Linux kernel, the following vulnerability has been resolved:
arm64: ptrace: fix partial SETREGSET for NT_ARM_FPMR
Currently fpmr_set() doesn't initialize the temporary 'fpmr' variable,
and a SETREGSET call with a length of zero will leave this
uninitialized. Consequently an arbitrary value will be written back to
target->thread.uw.fpmr, potentially leaking up to 64 bits of memory from
the kernel stack. The read is limited to a specific slot on the stack,
and the issue does not provide a write mechanism.
Fix this by initializing the temporary value before copying the regset
from userspace, as for other regsets (e.g. NT_PRSTATUS, NT_PRFPREG,
NT_ARM_SYSTEM_CALL). In the case of a zero-length write, the existing
contents of FPMR will be retained.
Before this patch:
| # ./fpmr-test
| Attempting to write NT_ARM_FPMR::fpmr = 0x900d900d900d900d
| SETREGSET(nt=0x40e, len=8) wrote 8 bytes
|
| Attempting to read NT_ARM_FPMR::fpmr
| GETREGSET(nt=0x40e, len=8) read 8 bytes
| Read NT_ARM_FPMR::fpmr = 0x900d900d900d900d
|
| Attempting to write NT_ARM_FPMR (zero length)
| SETREGSET(nt=0x40e, len=0) wrote 0 bytes
|
| Attempting to read NT_ARM_FPMR::fpmr
| GETREGSET(nt=0x40e, len=8) read 8 bytes
| Read NT_ARM_FPMR::fpmr = 0xffff800083963d50
After this patch:
| # ./fpmr-test
| Attempting to write NT_ARM_FPMR::fpmr = 0x900d900d900d900d
| SETREGSET(nt=0x40e, len=8) wrote 8 bytes
|
| Attempting to read NT_ARM_FPMR::fpmr
| GETREGSET(nt=0x40e, len=8) read 8 bytes
| Read NT_ARM_FPMR::fpmr = 0x900d900d900d900d
|
| Attempting to write NT_ARM_FPMR (zero length)
| SETREGSET(nt=0x40e, len=0) wrote 0 bytes
|
| Attempting to read NT_ARM_FPMR::fpmr
| GETREGSET(nt=0x40e, len=8) read 8 bytes
| Read NT_ARM_FPMR::fpmr = 0x900d900d900d900d
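As an added example (not code from the kernel and not the fpmr-test program quoted above), the following C program models the NT_ARM_FPMR set handler's copy-in path before and after the fix. The kernel's user_regset_copyin() and the stack slot that holds the temporary are replaced by stand-ins of my own naming (regset_copyin, struct kstack_frame and the 'stale' argument), so the leak is deterministic and the program runs on any host. The value 0xffff800083963d50 is reused from the output above purely as a recognisable marker for "whatever the kernel stack last held".

```c
/*
 * Added example, not kernel code: user-space model of the arm64
 * NT_ARM_FPMR SETREGSET path before and after the fix. The regset
 * copy-in helper and the stack slot holding the temporary 'fpmr' are
 * simulated so the behaviour is deterministic; 'stale' stands in for
 * leftover kernel stack contents.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint64_t u64;

/* Stand-in for target->thread.uw.fpmr. */
struct thread_state {
	u64 fpmr;
};

/* Stand-in for the set handler's stack frame: the temporary lives here,
 * so whatever the slot held before the call is visible to a handler that
 * does not initialise it. */
struct kstack_frame {
	u64 fpmr_tmp;
};

/* Stand-in for user_regset_copyin(): copy 'len' bytes of the tracer's
 * buffer over the temporary. len == 0 copies nothing and still succeeds;
 * a length larger than the register is rejected. */
static int regset_copyin(u64 *dst, const void *ubuf, size_t len)
{
	if (len > sizeof(*dst))
		return -1;
	memcpy(dst, ubuf, len);
	return 0;
}

typedef int (*fpmr_setter)(struct thread_state *, struct kstack_frame *,
			   const void *, size_t);

/* Pre-fix shape: the temporary is never initialised, so a zero-length
 * (or partial) write publishes the stale slot contents into FPMR. */
static int fpmr_set_unpatched(struct thread_state *t, struct kstack_frame *f,
			      const void *ubuf, size_t len)
{
	if (regset_copyin(&f->fpmr_tmp, ubuf, len))
		return -1;
	t->fpmr = f->fpmr_tmp;
	return 0;
}

/* Post-fix shape: seed the temporary from the current value first, as the
 * other regsets do, so bytes the tracer does not supply keep their value. */
static int fpmr_set_patched(struct thread_state *t, struct kstack_frame *f,
			    const void *ubuf, size_t len)
{
	f->fpmr_tmp = t->fpmr;
	if (regset_copyin(&f->fpmr_tmp, ubuf, len))
		return -1;
	t->fpmr = f->fpmr_tmp;
	return 0;
}

/* One SETREGSET call. Every syscall gets a fresh frame whose slot starts
 * out holding 'stale', the simulated leftover stack contents. */
static int do_setregset(fpmr_setter set, struct thread_state *t,
			const void *ubuf, size_t len, u64 stale)
{
	struct kstack_frame frame = { .fpmr_tmp = stale };

	return set(t, &frame, ubuf, len);
}

/* Replays the fpmr-test sequence (8-byte write, then zero-length write)
 * and returns what a subsequent GETREGSET reads back. */
static u64 replay_fpmr_test(fpmr_setter set, u64 stale)
{
	struct thread_state t = { .fpmr = 0 };
	u64 value = 0x900d900d900d900dULL;

	do_setregset(set, &t, &value, sizeof(value), stale);
	do_setregset(set, &t, &value, 0, stale);
	return t.fpmr;
}

int main(void)
{
	u64 stale = 0xffff800083963d50ULL; /* marker taken from the advisory */

	printf("unpatched: fpmr = 0x%016llx\n",
	       (unsigned long long)replay_fpmr_test(fpmr_set_unpatched, stale));
	printf("patched:   fpmr = 0x%016llx\n",
	       (unsigned long long)replay_fpmr_test(fpmr_set_patched, stale));
	return 0;
}
```

Build with `cc -std=c99 -Wall fpmr_model.c`. The unpatched replay returns the stale marker after the zero-length write; the patched replay returns 0x900d900d900d900d. The same path covers the partial-length case in the subject line: with the fix, bytes the tracer does not supply keep their previous value instead of the slot's leftovers. On real arm64 hardware with FPMR, the check is the quoted fpmr-test sequence itself: a SETREGSET with len=0 followed by a GETREGSET must read back the value written beforehand, and anything else means the kernel predates the fix.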
References
- https://git.kernel.org/stable/c/8ab73c34e3c5b580721696665eabd799346bc50b (Patch)
- https://git.kernel.org/stable/c/f5d71291841aecfe5d8435da2dfa7f58ccd18bc8 (Patch)
Impacted products
Vendor: Linux; product: Linux (kernel); affected file: arch/arm64/kernel/ptrace.c
Repository: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected (git): from commit 4035c22ef7d43a6c00d6a6584c60e902b95b46af up to, but not including, 8ab73c34e3c5b580721696665eabd799346bc50b and f5d71291841aecfe5d8435da2dfa7f58ccd18bc8
Affected (semver): 6.9 and later, before 6.12.5; unaffected from 6.12.5 (6.12.x stable) and from 6.13 (commit for the fix)
CPE (CNA): cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* with versionStartIncluding 6.9 and versionEndExcluding 6.12.5; the same CPE with versionStartIncluding 6.9 and versionEndExcluding 6.13
CPE (NVD): cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* with versionStartIncluding 6.9 and versionEndExcluding 6.12.5 (matchCriteriaId EF8BDA69-3016-4248-8055-EA7662336040); cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:* (matchCriteriaId 62567B3C-6CEE-46D0-BC2E-B3717FBF7D13)
CVE metadata
Assigner: Linux (orgId 416baaa9-dc9f-4396-8d5f-8c081fb06d67); reserved 2025-01-11T14:45:42.023Z; published 2025-01-11T14:49:04.088Z; updated 2025-05-04T10:05:41.552Z; state PUBLISHED; record format CVE_RECORD 5.1; generator bippy-1.2.0
NVD analysis (nvd@nist.gov)
Published 2025-01-11T15:15:08.190; last modified 2025-02-03T14:58:14.423; status Analyzed
CVSS v3.1 (Primary): 6.1 MEDIUM, CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H (exploitability 1.8, impact 4.2)
Weakness (Primary): CWE-908 (use of uninitialized resource)
Note that the NVD vector rates availability impact as High and confidentiality as Low, while the kernel's own description above characterises the bug as a read of a single 64-bit stack slot by a local tracer with no write primitive; the value leaked in the pre-patch output above is a kernel virtual address, which is the practical concern for an attacker who is already able to ptrace a process on the box.