riscv：进程：修复内核 gp 泄漏 (CVE-2024-35871)

CVE编号

CVE-2024-35871

利用情况

暂无

补丁情况

N/A

披露时间

2024-05-19

漏洞描述

In the Linux kernel, the following vulnerability has been resolved: riscv: process: Fix kernel gp leakage childregs represents the registers which are active for the new thread in user context. For a kernel thread, childregs->gp is never used since the kernel gp is not touched by switch_to. For a user mode helper, the gp value can be observed in user space after execve or possibly by other means. [From the email thread] The /* Kernel thread */ comment is somewhat inaccurate in that it is also used for user_mode_helper threads, which exec a user process, e.g. /sbin/init or when /proc/sys/kernel/core_pattern is a pipe. Such threads do not have PF_KTHREAD set and are valid targets for ptrace etc. even before they exec. childregs is the *user* context during syscall execution and it is observable from userspace in at least five ways: 1. kernel_execve does not currently clear integer registers, so the starting register state for PID 1 and other user processes started by the kernel has sp = user stack, gp = kernel __global_pointer$, all other integer registers zeroed by the memset in the patch comment. This is a bug in its own right, but I'm unwilling to bet that it is the only way to exploit the issue addressed by this patch. 2. ptrace(PTRACE_GETREGSET): you can PTRACE_ATTACH to a user_mode_helper thread before it execs, but ptrace requires SIGSTOP to be delivered which can only happen at user/kernel boundaries. 3. /proc/*/task/*/syscall: this is perfectly happy to read pt_regs for user_mode_helpers before the exec completes, but gp is not one of the registers it returns. 4. PERF_SAMPLE_REGS_USER: LOCKDOWN_PERF normally prevents access to kernel addresses via PERF_SAMPLE_REGS_INTR, but due to this bug kernel addresses are also exposed via PERF_SAMPLE_REGS_USER which is permitted under LOCKDOWN_PERF. I have not attempted to write exploit code. 5. Much of the tracing infrastructure allows access to user registers. I have not attempted to determine which forms of tracing allow access to user registers without already allowing access to kernel registers.

解决建议

建议您更新当前系统或软件至最新版，完成漏洞的修复。

参考链接
https://git.kernel.org/stable/c/00effef72c98294edb1efa87ffa0f6cfb61b36a4
https://git.kernel.org/stable/c/9abc3e6f1116adb7a2d4fbb8ce20c37916976bf5
https://git.kernel.org/stable/c/d14fa1fcf69db9d070e75f1c4425211fa619dfc8
https://git.kernel.org/stable/c/d8dcba0691b8e42bddb61aab201e4d918a08e5d9
https://git.kernel.org/stable/c/dff6072124f6df77bfd36951fbd88565746980ef
https://git.kernel.org/stable/c/f6583444d7e78dae750798552b65a2519ff3ca84

受影响软件情况

#	类型	厂商	产品	版本	影响面
1
	运行在以下环境
	系统	debian_11	linux	*		Up to (excluding) 5.10.216-1
	运行在以下环境
	系统	debian_12	linux	*		Up to (excluding) 6.1.85-1

CVSS3评分 N/A

• 攻击路径 N/A
• 攻击复杂度 N/A
• 权限要求 N/A
• 影响范围 N/A
• 用户交互 N/A
• 可用性 N/A
• 保密性 N/A
• 完整性 N/A

N/A

CWE-ID	漏洞类型

Exp相关链接

- avd.aliyun.com