Updated:
Description:
In the Linux kernel, the following vulnerability has been resolved:

riscv: process: Fix kernel gp leakage

childregs represents the registers which are active for the new thread in user context. For a kernel thread, childregs->gp is never used since the kernel gp is not touched by switch_to. For a user mode helper, the gp value can be observed in user space after execve or possibly by other means.

[From the email thread]

The /* Kernel thread */ comment is somewhat inaccurate in that it is also used for user_mode_helper threads, which exec a user process, e.g. /sbin/init or when /proc/sys/kernel/core_pattern is a pipe. Such threads do not have PF_KTHREAD set and are valid targets for ptrace etc. even before they exec.

childregs is the *user* context during syscall execution and it is observable from userspace in at least five ways:

1. kernel_execve does not currently clear integer registers, so the starting register state for PID 1 and other user processes started by the kernel has sp = user stack, gp = kernel __global_pointer$, all other integer registers zeroed by the memset in the patch comment. This is a bug in its own right, but I'm unwilling to bet that it is the only way to exploit the issue addressed by this patch.

2. ptrace(PTRACE_GETREGSET): you can PTRACE_ATTACH to a user_mode_helper thread before it execs, but ptrace requires SIGSTOP to be delivered, which can only happen at user/kernel boundaries.

3. /proc/*/task/*/syscall: this is perfectly happy to read pt_regs for user_mode_helpers before the exec completes, but gp is not one of the registers it returns.

4. PERF_SAMPLE_REGS_USER: LOCKDOWN_PERF normally prevents access to kernel addresses via PERF_SAMPLE_REGS_INTR, but due to this bug kernel addresses are also exposed via PERF_SAMPLE_REGS_USER, which is permitted under LOCKDOWN_PERF. I have not attempted to write exploit code.

5. Much of the tracing infrastructure allows access to user registers. I have not attempted to determine which forms of tracing allow access to user registers without already allowing access to kernel registers.
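The register state the thread describes (sp = user stack, gp = kernel __global_pointer$, everything else zero) is exactly what a practitioner would want to spot in a ptrace or perf register dump. The C program below is an added example, not code from the kernel commit, the mailing-list thread or this advisory: it scans a riscv64 user register snapshot for values in the kernel half of the address space and names the offending register. On a riscv64 host it can attach to a pid and read the snapshot with PTRACE_GETREGSET/NT_PRSTATUS; elsewhere it runs against a constructed sample. The function names, the sample addresses (the gp value is an illustrative kernel address, not one taken from any real build) and the assumption that a fixed kernel hands over gp as zero are this example's own.

```c
/* Added example, not code from the kernel commit or from this advisory:
 * scan a riscv64 *user* register snapshot for values in the kernel half of
 * the address space, i.e. the leak the commit message describes (gp holding
 * the kernel __global_pointer$ in a freshly started helper). The snapshot can
 * come from ptrace(PTRACE_GETREGSET, NT_PRSTATUS) or a PERF_SAMPLE_REGS_USER
 * sample; the built-in sample is constructed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RISCV_NREGS 32      /* entries in riscv64 struct user_regs_struct */
#define REG_SP 2
#define REG_GP 3

/* Field order of struct user_regs_struct for riscv64 (uapi asm/ptrace.h). */
static const char *const riscv_reg_name[RISCV_NREGS] = {
    "pc", "ra", "sp", "gp", "tp", "t0", "t1", "t2", "s0", "s1",
    "a0", "a1", "a2", "a3", "a4", "a5", "a6", "a7",
    "s2", "s3", "s4", "s5", "s6", "s7", "s8", "s9", "s10", "s11",
    "t3", "t4", "t5", "t6",
};

/* riscv64 Linux keeps user space in the lower half of the canonical address
 * space (TASK_SIZE is below 2^63 for Sv39/Sv48/Sv57) while every kernel
 * mapping (linear map, vmalloc, kernel image) is sign-extended with bit 63
 * set, so a user register with bit 63 set holds a kernel address. */
static int is_kernel_va(uint64_t v)
{
    return (v >> 63) != 0;
}

/* Returns how many registers hold a kernel address; their indexes (up to
 * max_hits of them) are stored in hits[]. */
static size_t scan_user_regs(const uint64_t regs[RISCV_NREGS],
                             int *hits, size_t max_hits)
{
    size_t n = 0;
    for (int i = 0; i < RISCV_NREGS; i++) {
        if (is_kernel_va(regs[i])) {
            if (n < max_hits)
                hits[n] = i;
            n++;
        }
    }
    return n;
}

/* Constructed sample mirroring the state the commit message describes for a
 * kernel-started user process on an unpatched kernel: sp = user stack,
 * gp = kernel __global_pointer$, all other registers 0. Both addresses are
 * assumed, illustrative values. */
static void sample_leaky_regs(uint64_t regs[RISCV_NREGS])
{
    memset(regs, 0, RISCV_NREGS * sizeof(regs[0]));
    regs[REG_SP] = 0x0000003ffffff000ULL;
    regs[REG_GP] = 0xffffffff81a03f00ULL;
}

/* Same snapshot with gp zeroed like the other integer registers: the state
 * this example assumes a fixed kernel hands to user space. */
static void sample_fixed_regs(uint64_t regs[RISCV_NREGS])
{
    sample_leaky_regs(regs);
    regs[REG_GP] = 0;
}

static size_t report(const char *label, const uint64_t regs[RISCV_NREGS])
{
    int hits[RISCV_NREGS];
    size_t n = scan_user_regs(regs, hits, RISCV_NREGS);
    for (size_t i = 0; i < n; i++)
        printf("%s: kernel address in user register %s = 0x%016llx\n",
               label, riscv_reg_name[hits[i]], (unsigned long long)regs[hits[i]]);
    printf("%s: %zu kernel address(es)\n", label, n);
    return n;
}

#if defined(__riscv) && __riscv_xlen == 64
#include <elf.h>
#include <sys/ptrace.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <asm/ptrace.h>
/* Attach to a task, copy its user registers out, detach. riscv64 only: there
 * struct user_regs_struct is 32 unsigned longs in the order listed above. */
static int fetch_user_regs(pid_t pid, uint64_t regs[RISCV_NREGS])
{
    struct user_regs_struct ur;
    struct iovec iov = { .iov_base = &ur, .iov_len = sizeof(ur) };
    if (ptrace(PTRACE_ATTACH, pid, NULL, NULL) < 0 || waitpid(pid, NULL, 0) < 0)
        return -1;
    long rc = ptrace(PTRACE_GETREGSET, pid, (void *)NT_PRSTATUS, &iov);
    ptrace(PTRACE_DETACH, pid, NULL, NULL);
    if (rc < 0)
        return -1;
    memcpy(regs, &ur, sizeof(ur));
    return 0;
}
#endif

int main(int argc, char **argv)
{
    uint64_t regs[RISCV_NREGS];
#if defined(__riscv) && __riscv_xlen == 64
    if (argc == 2) {                       /* usage: ./regscan <pid> */
        if (fetch_user_regs((pid_t)atoi(argv[1]), regs) < 0) {
            perror("ptrace");
            return 1;
        }
        return report(argv[1], regs) ? 2 : 0;
    }
#endif
    (void)argc; (void)argv;
    sample_leaky_regs(regs);               /* offline: constructed samples */
    size_t leaked = report("unpatched sample", regs);
    sample_fixed_regs(regs);
    report("fixed sample", regs);
    return leaked ? 2 : 0;
}
```

Build with `cc -O2 -o regscan regscan.c`; `./regscan` runs the constructed samples and exits 2 when a kernel address is found, and on riscv64 `./regscan <pid>` inspects a live task (subject to ptrace permission, e.g. kernel.yama.ptrace_scope). Keep the thread's caveat in mind when using the live mode: once user code has run, the process has loaded its own gp, so a scan only catches this particular leak if the helper is stopped before it execs or if the snapshot comes from a PERF_SAMPLE_REGS_USER sample taken at that point.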
CVSS3: 5.5
OS | Fixed kernel version | Errata |
---|---|---|
Ubuntu 22.04 | 5.15.0-116.126 | USN-6898-1 |
Ubuntu 22.04 AWS | 5.15.0-1065.71 | USN-6898-3 |
Ubuntu 22.04 Azure | 5.15.0-1068.77 | USN-6917-1 |
Ubuntu 20.04 HWE Azure | 5.15.0-1068.77~20.04.1 | USN-6917-1 |
Ubuntu 24.04 | 6.8.0-38.38 | USN-6893-1 |
OS | Affected kernel versions | State |
---|---|---|
Ubuntu 22.04 | 5.15.0-25.25, 5.15.0-27.28, 5.15.0-28.29, 5.15.0-29.30, 5.15.0-30.31, 5.15.0-33.34, 5.15.0-35.36, 5.15.0-37.39, 5.15.0-39.42, 5.15.0-40.43, 5.15.0-41.44, 5.15.0-43.46, 5.15.0-46.49, 5.15.0-47.51, 5.15.0-48.54, 5.15.0-50.56, 5.15.0-52.58, 5.15.0-53.59, 5.15.0-54.60, 5.15.0-56.62, 5.15.0-57.63, 5.15.0-58.64, 5.15.0-60.66, 5.15.0-67.74, 5.15.0-68.75, 5.15.0-69.76, 5.15.0-70.77, 5.15.0-71.78, 5.15.0-72.79, 5.15.0-73.80, 5.15.0-74.81, 5.15.0-75.82, 5.15.0-76.83, 5.15.0-78.85, 5.15.0-79.86, 5.15.0-82.91, 5.15.0-83.92, 5.15.0-84.93, 5.15.0-86.96, 5.15.0-87.97, 5.15.0-88.98, 5.15.0-89.99, 5.15.0-91.101, 5.15.0-92.102, 5.15.0-94.104, 5.15.0-97.107, 5.15.0-100.110, 5.15.0-101.111, 5.15.0-102.112, 5.15.0-105.115, 5.15.0-106.116, 5.15.0-107.117, 5.15.0-112.122, 5.15.0-113.123 | Will Not Fix |
Ubuntu 22.04 AWS | 5.15.0-1004.6, 5.15.0-1005.7, 5.15.0-1008.10, 5.15.0-1009.11, 5.15.0-1011.14, 5.15.0-1013.17, 5.15.0-1014.18, 5.15.0-1015.19, 5.15.0-1017.21, 5.15.0-1018.22, 5.15.0-1020.24, 5.15.0-1021.25, 5.15.0-1022.26, 5.15.0-1023.27, 5.15.0-1024.29, 5.15.0-1026.30, 5.15.0-1027.31, 5.15.0-1028.32, 5.15.0-1030.34, 5.15.0-1031.35, 5.15.0-1032.36, 5.15.0-1033.37, 5.15.0-1034.38, 5.15.0-1035.39, 5.15.0-1036.40, 5.15.0-1037.41, 5.15.0-1038.43, 5.15.0-1039.44, 5.15.0-1040.45, 5.15.0-1042.47, 5.15.0-1043.48, 5.15.0-1044.49, 5.15.0-1045.50, 5.15.0-1047.52, 5.15.0-1048.53, 5.15.0-1049.54, 5.15.0-1050.55, 5.15.0-1051.56, 5.15.0-1052.57, 5.15.0-1053.58, 5.15.0-1055.60, 5.15.0-1056.61, 5.15.0-1057.63, 5.15.0-1060.66, 5.15.0-1061.67, 5.15.0-1062.68, 5.15.0-1063.69, 5.15.0-1064.70 | Will Not Fix |
Ubuntu 22.04 Azure | 5.15.0-1003.4, 5.15.0-1005.6, 5.15.0-1007.8, 5.15.0-1008.9, 5.15.0-1010.12, 5.15.0-1012.15, 5.15.0-1013.16, 5.15.0-1014.17, 5.15.0-1017.20, 5.15.0-1019.24, 5.15.0-1020.25, 5.15.0-1021.26, 5.15.0-1022.27, 5.15.0-1023.29, 5.15.0-1024.30, 5.15.0-1029.36, 5.15.0-1034.41, 5.15.0-1035.42, 5.15.0-1036.43, 5.15.0-1037.44, 5.15.0-1038.45, 5.15.0-1039.46, 5.15.0-1040.47, 5.15.0-1041.48, 5.15.0-1042.49, 5.15.0-1044.51, 5.15.0-1045.52, 5.15.0-1046.53, 5.15.0-1047.54, 5.15.0-1049.56, 5.15.0-1050.57, 5.15.0-1051.59, 5.15.0-1052.60, 5.15.0-1053.61, 5.15.0-1054.62, 5.15.0-1056.64, 5.15.0-1057.65, 5.15.0-1058.66, 5.15.0-1059.67, 5.15.0-1060.69, 5.15.0-1061.70, 5.15.0-1063.72, 5.15.0-1064.73, 5.15.0-1066.75, 5.15.0-1067.76 | Will Not Fix |
Ubuntu 20.04 HWE Azure | 5.15.0-1008.9~20.04.1, 5.15.0-1013.16~20.04.1, 5.15.0-1014.17~20.04.1, 5.15.0-1017.20~20.04.1, 5.15.0-1019.24~20.04.1, 5.15.0-1020.25~20.04.1, 5.15.0-1021.26~20.04.1, 5.15.0-1022.27~20.04.1, 5.15.0-1023.29~20.04.1, 5.15.0-1024.30~20.04.1, 5.15.0-1029.36~20.04.1, 5.15.0-1034.41~20.04.1, 5.15.0-1049.56~20.04.1, 5.15.0-1050.57~20.04.1, 5.15.0-1054.62~20.04.1, 5.15.0-1056.64~20.04.1, 5.15.0-1057.65~20.04.1, 5.15.0-1058.66~20.04.2, 5.15.0-1059.67~20.04.1, 5.15.0-1060.69~20.04.1, 5.15.0-1061.70~20.04.1, 5.15.0-1063.72~20.04.1, 5.15.0-1064.73~20.04.1, 5.15.0-1065.74~20.04.1, 5.15.0-1067.76~20.04.1 | Will Not Fix |
Ubuntu 24.04 | | Planned |