{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"moderate"},"category":"csaf_vex","csaf_version":"2.0","distribution":{"text":"Copyright 2024 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"SUSE CVE-2024-35871","title":"Title"},{"category":"description","text":"In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: process: Fix kernel gp leakage\n\nchildregs represents the registers which are active for the new thread\nin user context. For a kernel thread, childregs->gp is never used since\nthe kernel gp is not touched by switch_to. For a user mode helper, the\ngp value can be observed in user space after execve or possibly by other\nmeans.\n\n[From the email thread]\n\nThe /* Kernel thread */ comment is somewhat inaccurate in that it is also used\nfor user_mode_helper threads, which exec a user process, e.g. /sbin/init or\nwhen /proc/sys/kernel/core_pattern is a pipe. Such threads do not have\nPF_KTHREAD set and are valid targets for ptrace etc. even before they exec.\n\nchildregs is the *user* context during syscall execution and it is observable\nfrom userspace in at least five ways:\n\n1. kernel_execve does not currently clear integer registers, so the starting\n   register state for PID 1 and other user processes started by the kernel has\n   sp = user stack, gp = kernel __global_pointer$, all other integer registers\n   zeroed by the memset in the patch comment.\n\n   This is a bug in its own right, but I'm unwilling to bet that it is the only\n   way to exploit the issue addressed by this patch.\n\n2. ptrace(PTRACE_GETREGSET): you can PTRACE_ATTACH to a user_mode_helper thread\n   before it execs, but ptrace requires SIGSTOP to be delivered which can only\n   happen at user/kernel boundaries.\n\n3. /proc/*/task/*/syscall: this is perfectly happy to read pt_regs for\n   user_mode_helpers before the exec completes, but gp is not one of the\n   registers it returns.\n\n4. PERF_SAMPLE_REGS_USER: LOCKDOWN_PERF normally prevents access to kernel\n   addresses via PERF_SAMPLE_REGS_INTR, but due to this bug kernel addresses\n   are also exposed via PERF_SAMPLE_REGS_USER which is permitted under\n   LOCKDOWN_PERF. I have not attempted to write exploit code.\n\n5. Much of the tracing infrastructure allows access to user registers. I have\n   not attempted to determine which forms of tracing allow access to user\n   registers without already allowing access to kernel registers.","title":"Description of the CVE"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"CVE-2024-35871","url":"https://www.suse.com/security/cve/CVE-2024-35871"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1224528 for CVE-2024-35871","url":"https://bugzilla.suse.com/1224528"}],"title":"SUSE CVE CVE-2024-35871","tracking":{"current_release_date":"2025-07-02T00:33:03Z","generator":{"date":"2024-05-21T01:59:39Z","engine":{"name":"cve-database.git:bin/generate-csaf-vex.pl","version":"1"}},"id":"CVE-2024-35871","initial_release_date":"2024-05-21T01:59:39Z","revision_history":[{"date":"2024-05-21T01:59:39Z","number":"2","summary":"Current version"},{"date":"2024-05-31T03:12:31Z","number":"3","summary":"Current version"},{"date":"2024-07-03T03:23:01Z","number":"4","summary":"Current version"},{"date":"2024-07-13T02:40:55Z","number":"5","summary":"Current version"},{"date":"2025-01-01T01:08:37Z","number":"6","summary":"Current version"},{"date":"2025-01-04T01:11:16Z","number":"7","summary":"Current version"},{"date":"2025-02-14T05:02:25Z","number":"8","summary":"Current version"},{"date":"2025-02-16T04:55:14Z","number":"9","summary":"Current version"},{"date":"2025-06-26T01:02:14Z","number":"10","summary":"Current version"},{"date":"2025-07-02T00:33:03Z","number":"11","summary":"Current version"}],"status":"interim","version":"11"}}}