CVE-2024-57878

{"id": "CVE-2024-57878", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 4.2, "exploitabilityScore": 1.8}]}, "published": "2025-01-11T15:15:08.190", "references": [{"url": "https://git.kernel.org/stable/c/8ab73c34e3c5b580721696665eabd799346bc50b", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/f5d71291841aecfe5d8435da2dfa7f58ccd18bc8", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-908"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: ptrace: fix partial SETREGSET for NT_ARM_FPMR\n\nCurrently fpmr_set() doesn't initialize the temporary 'fpmr' variable,\nand a SETREGSET call with a length of zero will leave this\nuninitialized. Consequently an arbitrary value will be written back to\ntarget->thread.uw.fpmr, potentially leaking up to 64 bits of memory from\nthe kernel stack. The read is limited to a specific slot on the stack,\nand the issue does not provide a write mechanism.\n\nFix this by initializing the temporary value before copying the regset\nfrom userspace, as for other regsets (e.g. NT_PRSTATUS, NT_PRFPREG,\nNT_ARM_SYSTEM_CALL). In the case of a zero-length write, the existing\ncontents of FPMR will be retained.\n\nBefore this patch:\n\n| # ./fpmr-test\n| Attempting to write NT_ARM_FPMR::fpmr = 0x900d900d900d900d\n| SETREGSET(nt=0x40e, len=8) wrote 8 bytes\n|\n| Attempting to read NT_ARM_FPMR::fpmr\n| GETREGSET(nt=0x40e, len=8) read 8 bytes\n| Read NT_ARM_FPMR::fpmr = 0x900d900d900d900d\n|\n| Attempting to write NT_ARM_FPMR (zero length)\n| SETREGSET(nt=0x40e, len=0) wrote 0 bytes\n|\n| Attempting to read NT_ARM_FPMR::fpmr\n| GETREGSET(nt=0x40e, len=8) read 8 bytes\n| Read NT_ARM_FPMR::fpmr = 0xffff800083963d50\n\nAfter this patch:\n\n| # ./fpmr-test\n| Attempting to write NT_ARM_FPMR::fpmr = 0x900d900d900d900d\n| SETREGSET(nt=0x40e, len=8) wrote 8 bytes\n|\n| Attempting to read NT_ARM_FPMR::fpmr\n| GETREGSET(nt=0x40e, len=8) read 8 bytes\n| Read NT_ARM_FPMR::fpmr = 0x900d900d900d900d\n|\n| Attempting to write NT_ARM_FPMR (zero length)\n| SETREGSET(nt=0x40e, len=0) wrote 0 bytes\n|\n| Attempting to read NT_ARM_FPMR::fpmr\n| GETREGSET(nt=0x40e, len=8) read 8 bytes\n| Read NT_ARM_FPMR::fpmr = 0x900d900d900d900d"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: arm64: ptrace: correcci\u00f3n de SETREGSET parcial para NT_ARM_FPMR Actualmente, fpmr_set() no inicializa la variable temporal 'fpmr', y una llamada a SETREGSET con una longitud de cero la dejar\u00e1 sin inicializar. En consecuencia, se volver\u00e1 a escribir un valor arbitrario en target->thread.uw.fpmr, lo que podr\u00eda provocar una p\u00e9rdida de hasta 64 bits de memoria de la pila del kernel. La lectura est\u00e1 limitada a una ranura espec\u00edfica en la pila, y el problema no proporciona un mecanismo de escritura. Corrija esto inicializando el valor temporal antes de copiar el conjunto de registros desde el espacio de usuario, como para otros conjuntos de registros (por ejemplo, NT_PRSTATUS, NT_PRFPREG, NT_ARM_SYSTEM_CALL). En el caso de una escritura de longitud cero, se conservar\u00e1n los contenidos existentes de FPMR. Antes de este parche: | # ./fpmr-test | Intentando escribir NT_ARM_FPMR::fpmr = 0x900d900d900d900d | SETREGSET(nt=0x40e, len=8) escribi\u00f3 8 bytes | | Intentando leer NT_ARM_FPMR::fpmr | GETREGSET(nt=0x40e, len=8) ley\u00f3 8 bytes | Le\u00eddo NT_ARM_FPMR::fpmr = 0x900d900d900d900d | | Intentando escribir NT_ARM_FPMR (longitud cero) | SETREGSET(nt=0x40e, len=0) escribi\u00f3 0 bytes | | Intentando leer NT_ARM_FPMR::fpmr | GETREGSET(nt=0x40e, len=8) ley\u00f3 8 bytes | Leer NT_ARM_FPMR::fpmr = 0xffff800083963d50 Despu\u00e9s de este parche: | # ./fpmr-test | Intentando escribir NT_ARM_FPMR::fpmr = 0x900d900d900d900d | SETREGSET(nt=0x40e, len=8) escribi\u00f3 8 bytes | | Intentando leer NT_ARM_FPMR::fpmr | GETREGSET(nt=0x40e, len=8) ley\u00f3 8 bytes | Leer NT_ARM_FPMR::fpmr = 0x900d900d900d900d | | Intentando escribir NT_ARM_FPMR (longitud cero) | SETREGSET(nt=0x40e, len=0) escribi\u00f3 0 bytes | | Intentando leer NT_ARM_FPMR::fpmr | GETREGSET(nt=0x40e, len=8) leer 8 bytes | Leer NT_ARM_FPMR::fpmr = 0x900d900d900d900d"}], "lastModified": "2025-02-03T14:58:14.423", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EF8BDA69-3016-4248-8055-EA7662336040", "versionEndExcluding": "6.12.5", "versionStartIncluding": "6.9"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "62567B3C-6CEE-46D0-BC2E-B3717FBF7D13"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}