vulnerability

Ubuntu: (Multiple Advisories) (CVE-2024-35871): Linux kernel vulnerabilities

Try Surface Command
Back to search
Severity
6
CVSS
(AV:L/AC:L/Au:S/C:C/I:N/A:C)
Published
May 19, 2024
Added
Jul 12, 2024
Modified
Jan 26, 2026

Description

In the Linux kernel, the following vulnerability has been resolved:

riscv: process: Fix kernel gp leakage

childregs represents the registers which are active for the new thread
in user context. For a kernel thread, childregs->gp is never used since
the kernel gp is not touched by switch_to. For a user mode helper, the
gp value can be observed in user space after execve or possibly by other
means.

[From the email thread]

The /* Kernel thread */ comment is somewhat inaccurate in that it is also used
for user_mode_helper threads, which exec a user process, e.g. /sbin/init or
when /proc/sys/kernel/core_pattern is a pipe. Such threads do not have
PF_KTHREAD set and are valid targets for ptrace etc. even before they exec.

childregs is the *user* context during syscall execution and it is observable
from userspace in at least five ways:

1. kernel_execve does not currently clear integer registers, so the starting
register state for PID 1 and other user processes started by the kernel has
sp = user stack, gp = kernel __global_pointer$, all other integer registers
zeroed by the memset in the patch comment.

This is a bug in its own right, but I'm unwilling to bet that it is the only
way to exploit the issue addressed by this patch.

2. ptrace(PTRACE_GETREGSET): you can PTRACE_ATTACH to a user_mode_helper thread
before it execs, but ptrace requires SIGSTOP to be delivered which can only
happen at user/kernel boundaries.

3. /proc/*/task/*/syscall: this is perfectly happy to read pt_regs for
user_mode_helpers before the exec completes, but gp is not one of the
registers it returns.

4. PERF_SAMPLE_REGS_USER: LOCKDOWN_PERF normally prevents access to kernel
addresses via PERF_SAMPLE_REGS_INTR, but due to this bug kernel addresses
are also exposed via PERF_SAMPLE_REGS_USER which is permitted under
LOCKDOWN_PERF. I have not attempted to write exploit code.

5. Much of the tracing infrastructure allows access to user registers. I have
not attempted to determine which forms of tracing allow access to user
registers without already allowing access to kernel registers.

Solutions

ubuntu-upgrade-linux-image-5-15-0-1035-xilinx-zynqmpubuntu-upgrade-linux-image-5-15-0-1048-gkeopubuntu-upgrade-linux-image-5-15-0-1058-ibmubuntu-upgrade-linux-image-5-15-0-1058-raspiubuntu-upgrade-linux-image-5-15-0-1060-intel-iotgubuntu-upgrade-linux-image-5-15-0-1060-nvidiaubuntu-upgrade-linux-image-5-15-0-1060-nvidia-lowlatencyubuntu-upgrade-linux-image-5-15-0-1062-gkeubuntu-upgrade-linux-image-5-15-0-1062-kvmubuntu-upgrade-linux-image-5-15-0-1063-oracleubuntu-upgrade-linux-image-5-15-0-1064-gcpubuntu-upgrade-linux-image-5-15-0-1065-awsubuntu-upgrade-linux-image-5-15-0-1065-gcpubuntu-upgrade-linux-image-5-15-0-1068-azureubuntu-upgrade-linux-image-5-15-0-1068-azure-fdeubuntu-upgrade-linux-image-5-15-0-116-genericubuntu-upgrade-linux-image-5-15-0-116-generic-64kubuntu-upgrade-linux-image-5-15-0-116-generic-lpaeubuntu-upgrade-linux-image-5-15-0-116-lowlatencyubuntu-upgrade-linux-image-5-15-0-116-lowlatency-64kubuntu-upgrade-linux-image-6-8-0-1006-gkeubuntu-upgrade-linux-image-6-8-0-1007-intelubuntu-upgrade-linux-image-6-8-0-1007-raspiubuntu-upgrade-linux-image-6-8-0-1008-ibmubuntu-upgrade-linux-image-6-8-0-1008-oemubuntu-upgrade-linux-image-6-8-0-1008-oracleubuntu-upgrade-linux-image-6-8-0-1008-oracle-64kubuntu-upgrade-linux-image-6-8-0-1009-nvidiaubuntu-upgrade-linux-image-6-8-0-1009-nvidia-64kubuntu-upgrade-linux-image-6-8-0-1010-azureubuntu-upgrade-linux-image-6-8-0-1010-azure-fdeubuntu-upgrade-linux-image-6-8-0-1010-gcpubuntu-upgrade-linux-image-6-8-0-1011-awsubuntu-upgrade-linux-image-6-8-0-38-genericubuntu-upgrade-linux-image-6-8-0-38-generic-64kubuntu-upgrade-linux-image-6-8-0-38-lowlatencyubuntu-upgrade-linux-image-6-8-0-38-lowlatency-64kubuntu-upgrade-linux-image-awsubuntu-upgrade-linux-image-aws-lts-22-04ubuntu-upgrade-linux-image-azureubuntu-upgrade-linux-image-azure-cvmubuntu-upgrade-linux-image-azure-fdeubuntu-upgrade-linux-image-azure-fde-lts-22-04ubuntu-upgrade-linux-image-azure-lts-22-04ubuntu-upgrade-linux-image-gcpubuntu-upgrade-linux-image-gcp-lts-22-04ubuntu-upgrade-linux-image-genericubuntu-upgrade-linux-image-generic-64kubuntu-upgrade-linux-image-generic-64k-hwe-20-04ubuntu-upgrade-linux-image-generic-64k-hwe-24-04ubuntu-upgrade-linux-image-generic-hwe-20-04ubuntu-upgrade-linux-image-generic-hwe-24-04ubuntu-upgrade-linux-image-generic-lpaeubuntu-upgrade-linux-image-generic-lpae-hwe-20-04ubuntu-upgrade-linux-image-gkeubuntu-upgrade-linux-image-gke-5-15ubuntu-upgrade-linux-image-gkeopubuntu-upgrade-linux-image-gkeop-5-15ubuntu-upgrade-linux-image-ibmubuntu-upgrade-linux-image-ibm-classicubuntu-upgrade-linux-image-ibm-lts-24-04ubuntu-upgrade-linux-image-intelubuntu-upgrade-linux-image-intel-iotgubuntu-upgrade-linux-image-kvmubuntu-upgrade-linux-image-lowlatencyubuntu-upgrade-linux-image-lowlatency-64kubuntu-upgrade-linux-image-lowlatency-64k-hwe-20-04ubuntu-upgrade-linux-image-lowlatency-hwe-20-04ubuntu-upgrade-linux-image-nvidiaubuntu-upgrade-linux-image-nvidia-64kubuntu-upgrade-linux-image-nvidia-lowlatencyubuntu-upgrade-linux-image-oem-20-04ubuntu-upgrade-linux-image-oem-20-04bubuntu-upgrade-linux-image-oem-20-04cubuntu-upgrade-linux-image-oem-20-04dubuntu-upgrade-linux-image-oem-24-04ubuntu-upgrade-linux-image-oem-24-04aubuntu-upgrade-linux-image-oracleubuntu-upgrade-linux-image-oracle-64kubuntu-upgrade-linux-image-oracle-lts-22-04ubuntu-upgrade-linux-image-raspiubuntu-upgrade-linux-image-raspi-nolpaeubuntu-upgrade-linux-image-virtualubuntu-upgrade-linux-image-virtual-hwe-20-04ubuntu-upgrade-linux-image-virtual-hwe-24-04ubuntu-upgrade-linux-image-xilinx-zynqmp

References

    Title
    NEW

    Explore Exposure Command

    Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

    Try it today