Linux Kernel NT_ARM_FPMR Ptrace Vulnerability Allowing Memory Leakage

Vulnerability

A vulnerability in the Linux kernel's ptrace implementation for the arm64 architecture has been addressed. The fpmr_set() function did not initialize a temporary variable before copying the register set from userspace, so a SETREGSET call with a zero length left that variable uninitialized. This could leak up to 64 bits of memory from the kernel stack into a target thread's user-visible floating-point register set. While the vulnerability allowed reading arbitrary stack data, it did not provide a mechanism to write such data. The flaw has been fixed by initializing the temporary value before the register set is copied from userspace, as is done for other register sets. After the patch, a zero-length write to NT_ARM_FPMR retains the existing register contents, which prevents the leak.
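
The initialization pattern described above, as an added example that is not kernel source and not part of the original advisory. It is a user-space C model: thread_model, copyin_model and the two fpmr_set_* variants are hypothetical names, and the stale stack value is passed in explicitly so the model has defined behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct thread_model { uint64_t fpmr; };  /* hypothetical: the thread's saved FPMR */

/* Hypothetical stand-in for the kernel's copy-in step: copies exactly
 * `count` bytes, so count == 0 leaves *dst untouched. */
static int copyin_model(void *dst, size_t dst_size, const void *src, size_t count)
{
    if (count > dst_size)
        return -1;
    if (count)
        memcpy(dst, src, count);
    return 0;
}

/* Pre-fix pattern. `stale` stands for whatever the stack slot already held. */
static int fpmr_set_unfixed(struct thread_model *t, const void *ubuf,
                            size_t count, uint64_t stale)
{
    uint64_t fpmr = stale;           /* models "declared but never initialized" */
    if (copyin_model(&fpmr, sizeof(fpmr), ubuf, count))
        return -1;
    t->fpmr = fpmr;                  /* count == 0: stale value becomes register state */
    return 0;
}

/* Post-fix pattern: seed the temporary from the current register value. */
static int fpmr_set_fixed(struct thread_model *t, const void *ubuf, size_t count)
{
    uint64_t fpmr = t->fpmr;
    if (copyin_model(&fpmr, sizeof(fpmr), ubuf, count))
        return -1;
    t->fpmr = fpmr;                  /* count == 0: existing contents retained */
    return 0;
}

int main(void)
{
    struct thread_model a = { 0x42 }, b = { 0x42 };
    uint64_t unused = 0;             /* valid buffer; never read when count == 0 */
    fpmr_set_unfixed(&a, &unused, 0, 0xdeadbeefcafef00dULL); /* constructed stale value */
    fpmr_set_fixed(&b, &unused, 0);
    printf("unfixed: %#llx\nfixed:   %#llx\n",
           (unsigned long long)a.fpmr, (unsigned long long)b.fpmr);
    return 0;
}
```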

Impact

The vulnerability could lead to unauthorized reading of kernel stack memory, potentially exposing sensitive information.

Reproduction

The vulnerability can be reproduced by first writing a specific value to the NT_ARM_FPMR register using the SETREGSET command. A subsequent read using GETREGSET returns the written value, demonstrating that the register was successfully updated. To trigger the vulnerability, a zero-length SETREGSET write is then performed, which inadvertently loads an uninitialized value from the stack into the NT_ARM_FPMR register. That value can then be read back, leaking up to 64 bits of kernel stack memory.

Remediation

Users should apply the latest patches provided in the official Linux kernel repositories to address this vulnerability.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 9.0
impact: 0.6
exploitability: 4.3
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.