CVE-2024-57877

{"id": "CVE-2024-57877", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 4.2, "exploitabilityScore": 1.8}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 4.2, "exploitabilityScore": 1.8}]}, "published": "2025-01-11T15:15:08.063", "references": [{"url": "https://git.kernel.org/stable/c/4105dd76bc8ad6529d47157ef0565cb84ca6676c", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/594bfc4947c4fcabba1318d8384c61a29a6b89fb", "tags": ["Patch"], "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-908"}]}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-908"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: ptrace: fix partial SETREGSET for NT_ARM_POE\n\nCurrently poe_set() doesn't initialize the temporary 'ctrl' variable,\nand a SETREGSET call with a length of zero will leave this\nuninitialized. Consequently an arbitrary value will be written back to\ntarget->thread.por_el0, potentially leaking up to 64 bits of memory from\nthe kernel stack. The read is limited to a specific slot on the stack,\nand the issue does not provide a write mechanism.\n\nFix this by initializing the temporary value before copying the regset\nfrom userspace, as for other regsets (e.g. NT_PRSTATUS, NT_PRFPREG,\nNT_ARM_SYSTEM_CALL). In the case of a zero-length write, the existing\ncontents of POR_EL1 will be retained.\n\nBefore this patch:\n\n| # ./poe-test\n| Attempting to write NT_ARM_POE::por_el0 = 0x900d900d900d900d\n| SETREGSET(nt=0x40f, len=8) wrote 8 bytes\n|\n| Attempting to read NT_ARM_POE::por_el0\n| GETREGSET(nt=0x40f, len=8) read 8 bytes\n| Read NT_ARM_POE::por_el0 = 0x900d900d900d900d\n|\n| Attempting to write NT_ARM_POE (zero length)\n| SETREGSET(nt=0x40f, len=0) wrote 0 bytes\n|\n| Attempting to read NT_ARM_POE::por_el0\n| GETREGSET(nt=0x40f, len=8) read 8 bytes\n| Read NT_ARM_POE::por_el0 = 0xffff8000839c3d50\n\nAfter this patch:\n\n| # ./poe-test\n| Attempting to write NT_ARM_POE::por_el0 = 0x900d900d900d900d\n| SETREGSET(nt=0x40f, len=8) wrote 8 bytes\n|\n| Attempting to read NT_ARM_POE::por_el0\n| GETREGSET(nt=0x40f, len=8) read 8 bytes\n| Read NT_ARM_POE::por_el0 = 0x900d900d900d900d\n|\n| Attempting to write NT_ARM_POE (zero length)\n| SETREGSET(nt=0x40f, len=0) wrote 0 bytes\n|\n| Attempting to read NT_ARM_POE::por_el0\n| GETREGSET(nt=0x40f, len=8) read 8 bytes\n| Read NT_ARM_POE::por_el0 = 0x900d900d900d900d"}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: arm64: ptrace: correcci\u00f3n de SETREGSET parcial para NT_ARM_POE Actualmente, poe_set() no inicializa la variable temporal 'ctrl', y una llamada a SETREGSET con una longitud de cero la dejar\u00e1 sin inicializar. En consecuencia, se volver\u00e1 a escribir un valor arbitrario en target->thread.por_el0, lo que podr\u00eda provocar una fuga de hasta 64 bits de memoria de la pila del kernel. La lectura est\u00e1 limitada a una ranura espec\u00edfica en la pila, y el problema no proporciona un mecanismo de escritura. Corrija esto inicializando el valor temporal antes de copiar el conjunto de registros desde el espacio de usuario, como para otros conjuntos de registros (por ejemplo, NT_PRSTATUS, NT_PRFPREG, NT_ARM_SYSTEM_CALL). En el caso de una escritura de longitud cero, se conservar\u00e1n los contenidos existentes de POR_EL1. Antes de este parche: | # ./poe-test | Intentando escribir NT_ARM_POE::por_el0 = 0x900d900d900d900d | SETREGSET(nt=0x40f, len=8) escribi\u00f3 8 bytes | | Intentando leer NT_ARM_POE::por_el0 | GETREGSET(nt=0x40f, len=8) ley\u00f3 8 bytes | Le\u00eddo NT_ARM_POE::por_el0 = 0x900d900d900d900d | | Intentando escribir NT_ARM_POE (longitud cero) | SETREGSET(nt=0x40f, len=0) escribi\u00f3 0 bytes | | Intentando leer NT_ARM_POE::por_el0 | GETREGSET(nt=0x40f, len=8) ley\u00f3 8 bytes | Leer NT_ARM_POE::por_el0 = 0xffff8000839c3d50 Despu\u00e9s de este parche: | # ./poe-test | Intentando escribir NT_ARM_POE::por_el0 = 0x900d900d900d900d | SETREGSET(nt=0x40f, len=8) escribi\u00f3 8 bytes | | Intentando leer NT_ARM_POE::por_el0 | GETREGSET(nt=0x40f, len=8) ley\u00f3 8 bytes | Leer NT_ARM_POE::por_el0 = 0x900d900d900d900d | | Intentando escribir NT_ARM_POE (longitud cero) | SETREGSET(nt=0x40f, len=0) escribi\u00f3 0 bytes | | Intentando leer NT_ARM_POE::por_el0 | GETREGSET(nt=0x40f, len=8) leer 8 bytes | Leer NT_ARM_POE::por_el0 = 0x900d900d900d900d"}], "lastModified": "2025-10-01T20:17:59.150", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2AF25791-E5D9-498F-AEA3-261AE0D30C3C", "versionEndExcluding": "6.12.5", "versionStartIncluding": "6.12"}, {"criteria": "cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "62567B3C-6CEE-46D0-BC2E-B3717FBF7D13"}], "operator": "OR"}]}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}