cve-2024-35873
Vulnerability from cvelistv5
Published
2024-05-19 08:34
Modified
2024-11-05 09:24
Severity ?
Summary
riscv: Fix vector state restore in rt_sigreturn()
Impacted products
Vendor Product Version
Linux Linux Version: 6.8
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T03:21:48.544Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/5b16d904e910183181b9d90efa957c787a8ac91b"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/c27fa53b858b4ee6552a719aa599c250cf98a586"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-35873",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T15:41:17.685102Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-11T17:33:16.751Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/riscv/kernel/signal.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5b16d904e910",
              "status": "affected",
              "version": "c2a658d41924",
              "versionType": "git"
            },
            {
              "lessThan": "c27fa53b858b",
              "status": "affected",
              "version": "c2a658d41924",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/riscv/kernel/signal.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.8"
            },
            {
              "lessThan": "6.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.8.*",
              "status": "unaffected",
              "version": "6.8.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.9",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: Fix vector state restore in rt_sigreturn()\n\nThe RISC-V Vector specification states in \"Appendix D: Calling\nConvention for Vector State\" [1] that \"Executing a system call causes\nall caller-saved vector registers (v0-v31, vl, vtype) and vstart to\nbecome unspecified.\". In the RISC-V kernel this is called \"discarding\nthe vstate\".\n\nReturning from a signal handler via the rt_sigreturn() syscall, vector\ndiscard is also performed. However, this is not an issue since the\nvector state should be restored from the sigcontext, and therefore not\ncare about the vector discard.\n\nThe \"live state\" is the actual vector register in the running context,\nand the \"vstate\" is the vector state of the task. A dirty live state,\nmeans that the vstate and live state are not in synch.\n\nWhen vectorized user_from_copy() was introduced, an bug sneaked in at\nthe restoration code, related to the discard of the live state.\n\nAn example when this go wrong:\n\n  1. A userland application is executing vector code\n  2. The application receives a signal, and the signal handler is\n     entered.\n  3. The application returns from the signal handler, using the\n     rt_sigreturn() syscall.\n  4. The live vector state is discarded upon entering the\n     rt_sigreturn(), and the live state is marked as \"dirty\", indicating\n     that the live state need to be synchronized with the current\n     vstate.\n  5. rt_sigreturn() restores the vstate, except the Vector registers,\n     from the sigcontext\n  6. rt_sigreturn() restores the Vector registers, from the sigcontext,\n     and now the vectorized user_from_copy() is used. The dirty live\n     state from the discard is saved to the vstate, making the vstate\n     corrupt.\n  7. rt_sigreturn() returns to the application, which crashes due to\n     corrupted vstate.\n\nNote that the vectorized user_from_copy() is invoked depending on the\nvalue of CONFIG_RISCV_ISA_V_UCOPY_THRESHOLD. Default is 768, which\nmeans that vlen has to be larger than 128b for this bug to trigger.\n\nThe fix is simply to mark the live state as non-dirty/clean prior\nperforming the vstate restore."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-05T09:24:15.146Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5b16d904e910183181b9d90efa957c787a8ac91b"
        },
        {
          "url": "https://git.kernel.org/stable/c/c27fa53b858b4ee6552a719aa599c250cf98a586"
        }
      ],
      "title": "riscv: Fix vector state restore in rt_sigreturn()",
      "x_generator": {
        "engine": "bippy-9e1c9544281a"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-35873",
    "datePublished": "2024-05-19T08:34:30.928Z",
    "dateReserved": "2024-05-17T13:50:33.108Z",
    "dateUpdated": "2024-11-05T09:24:15.146Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-35873\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-05-19T09:15:08.687\",\"lastModified\":\"2024-05-20T13:00:04.957\",\"vulnStatus\":\"Awaiting Analysis\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\nriscv: Fix vector state restore in rt_sigreturn()\\n\\nThe RISC-V Vector specification states in \\\"Appendix D: Calling\\nConvention for Vector State\\\" [1] that \\\"Executing a system call causes\\nall caller-saved vector registers (v0-v31, vl, vtype) and vstart to\\nbecome unspecified.\\\". In the RISC-V kernel this is called \\\"discarding\\nthe vstate\\\".\\n\\nReturning from a signal handler via the rt_sigreturn() syscall, vector\\ndiscard is also performed. However, this is not an issue since the\\nvector state should be restored from the sigcontext, and therefore not\\ncare about the vector discard.\\n\\nThe \\\"live state\\\" is the actual vector register in the running context,\\nand the \\\"vstate\\\" is the vector state of the task. A dirty live state,\\nmeans that the vstate and live state are not in synch.\\n\\nWhen vectorized user_from_copy() was introduced, an bug sneaked in at\\nthe restoration code, related to the discard of the live state.\\n\\nAn example when this go wrong:\\n\\n  1. A userland application is executing vector code\\n  2. The application receives a signal, and the signal handler is\\n     entered.\\n  3. The application returns from the signal handler, using the\\n     rt_sigreturn() syscall.\\n  4. The live vector state is discarded upon entering the\\n     rt_sigreturn(), and the live state is marked as \\\"dirty\\\", indicating\\n     that the live state need to be synchronized with the current\\n     vstate.\\n  5. rt_sigreturn() restores the vstate, except the Vector registers,\\n     from the sigcontext\\n  6. rt_sigreturn() restores the Vector registers, from the sigcontext,\\n     and now the vectorized user_from_copy() is used. The dirty live\\n     state from the discard is saved to the vstate, making the vstate\\n     corrupt.\\n  7. rt_sigreturn() returns to the application, which crashes due to\\n     corrupted vstate.\\n\\nNote that the vectorized user_from_copy() is invoked depending on the\\nvalue of CONFIG_RISCV_ISA_V_UCOPY_THRESHOLD. Default is 768, which\\nmeans that vlen has to be larger than 128b for this bug to trigger.\\n\\nThe fix is simply to mark the live state as non-dirty/clean prior\\nperforming the vstate restore.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: riscv: corrige la restauraci\u00f3n del estado del vector en rt_sigreturn() La especificaci\u00f3n del vector RISC-V indica en el \\\"Ap\u00e9ndice D: Llamando convenci\u00f3n por el estado del vector\\\" [1] que \\\"La ejecuci\u00f3n de una llamada al sistema causa todos los registros vectoriales guardados por la persona que llama (v0-v31, vl, vtype) y vstart quedar\u00e1n sin especificar\\\". En el kernel RISC-V, esto se denomina \\\"descartar el vstate\\\". Al regresar de un controlador de se\u00f1ales a trav\u00e9s de la llamada al sistema rt_sigreturn(), tambi\u00e9n se realiza el descarte de vectores. Sin embargo, esto no es un problema ya que el estado del vector debe restaurarse desde el contexto de se\u00f1al y, por lo tanto, no preocuparse por el descarte del vector. El \\\"estado en vivo\\\" es el registro vectorial real en el contexto de ejecuci\u00f3n, y el \\\"vstate\\\" es el estado vectorial de la tarea. Un estado en vivo sucio significa que el vstate y el estado en vivo no est\u00e1n sincronizados. Cuando se introdujo user_from_copy() vectorizado, se col\u00f3 un error en el c\u00f3digo de restauraci\u00f3n, relacionado con el descarte del estado activo. Un ejemplo de cuando esto sale mal: 1. Una aplicaci\u00f3n de usuario est\u00e1 ejecutando c\u00f3digo vectorial. 2. La aplicaci\u00f3n recibe una se\u00f1al y se ingresa el controlador de se\u00f1ales. 3. La aplicaci\u00f3n regresa del controlador de se\u00f1ales, utilizando la llamada al sistema rt_sigreturn(). 4. El estado del vector en vivo se descarta al ingresar a rt_sigreturn() y el estado en vivo se marca como \\\"sucio\\\", lo que indica que el estado en vivo debe sincronizarse con el vstate actual. 5. rt_sigreturn() restaura el vstate, excepto los registros Vector, desde el sigcontext 6. rt_sigreturn() restaura los registros Vector, desde el sigcontext, y ahora se usa el user_from_copy() vectorizado. El estado activo sucio del descarte se guarda en el vstate, lo que hace que el vstate sea corrupto. 7. rt_sigreturn() regresa a la aplicaci\u00f3n, que falla debido a un vstate da\u00f1ado. Tenga en cuenta que el usuario_from_copy() vectorizado se invoca dependiendo del valor de CONFIG_RISCV_ISA_V_UCOPY_THRESHOLD. El valor predeterminado es 768, lo que significa que vlen debe ser mayor que 128b para que se active este error. La soluci\u00f3n es simplemente marcar el estado activo como no sucio/limpio antes de realizar la restauraci\u00f3n de vstate.\"}],\"metrics\":{},\"references\":[{\"url\":\"https://git.kernel.org/stable/c/5b16d904e910183181b9d90efa957c787a8ac91b\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"},{\"url\":\"https://git.kernel.org/stable/c/c27fa53b858b4ee6552a719aa599c250cf98a586\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.