CVE-2024-35873

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
19/05/2024
Last modified:
24/09/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

riscv: Fix vector state restore in rt_sigreturn()

The RISC-V Vector specification states in "Appendix D: Calling Convention for Vector State" [1] that "Executing a system call causes all caller-saved vector registers (v0-v31, vl, vtype) and vstart to become unspecified.". In the RISC-V kernel this is called "discarding the vstate".

Returning from a signal handler via the rt_sigreturn() syscall, vector discard is also performed. However, this is not an issue since the vector state should be restored from the sigcontext, and therefore not care about the vector discard.

The "live state" is the actual vector register in the running context, and the "vstate" is the vector state of the task. A dirty live state means that the vstate and live state are not in synch.

When vectorized user_from_copy() was introduced, a bug sneaked in at the restoration code, related to the discard of the live state.

An example when this goes wrong:

1. A userland application is executing vector code
2. The application receives a signal, and the signal handler is entered.
3. The application returns from the signal handler, using the rt_sigreturn() syscall.
4. The live vector state is discarded upon entering the rt_sigreturn(), and the live state is marked as "dirty", indicating that the live state needs to be synchronized with the current vstate.
5. rt_sigreturn() restores the vstate, except the Vector registers, from the sigcontext
6. rt_sigreturn() restores the Vector registers, from the sigcontext, and now the vectorized user_from_copy() is used. The dirty live state from the discard is saved to the vstate, making the vstate corrupt.
7. rt_sigreturn() returns to the application, which crashes due to corrupted vstate.

Note that the vectorized user_from_copy() is invoked depending on the value of CONFIG_RISCV_ISA_V_UCOPY_THRESHOLD. Default is 768, which means that vlen has to be larger than 128b for this bug to trigger.

The fix is simply to mark the live state as non-dirty/clean prior to performing the vstate restore.
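The sequence in steps 4 to 7 is an ordering problem between a "dirty" flag and a save hook inside a copy routine, and it is easier to see with the state machine written out. The following C program is an added illustration, not kernel code and not part of this advisory: it models a task's vstate, its live registers and the dirty flag, a vector discard on syscall entry, and a copy_from_user routine that, like the kernel's vectorized one, saves a dirty live state into the vstate before it clobbers the registers. The names (vector_discard, vstate_save, copy_from_user_model, restore_v_state, rt_sigreturn_model), the 0xAA fill for "unspecified" registers, the three-field header, the 32-register file with a model VLENB, and the threshold constant mirroring CONFIG_RISCV_ISA_V_UCOPY_THRESHOLD are all assumptions of this model. The `fixed` flag switches between the original restore order and the fix described above (clear the dirty flag before restoring); the VLENB argument reproduces the note that the vectorized copy, and so the bug, only kicks in when the register file exceeds the 768-byte threshold.

```c
/* Toy model of the rt_sigreturn() vector-state restore ordering bug.
 * Constructed for illustration; it is not the Linux kernel's code. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NVREGS          32
#define MAX_VLENB       32      /* model VLEN up to 256 bits */
#define UCOPY_THRESHOLD 768     /* stands in for CONFIG_RISCV_ISA_V_UCOPY_THRESHOLD */

struct vstate {
    uint32_t vl, vtype, vstart;          /* header, restored before the register file */
    uint8_t  datap[NVREGS * MAX_VLENB];  /* v0..v31 contents */
};

struct task {
    struct vstate vstate;     /* the task's saved vector state */
    struct vstate live;       /* what the hardware registers currently hold */
    bool   live_dirty;        /* live may hold data that vstate does not */
    size_t vlenb;             /* bytes per vector register in this model */
};

static size_t regfile_bytes(const struct task *t) { return NVREGS * t->vlenb; }

/* Syscall entry: caller-saved vector state becomes unspecified (the "discard"),
 * and the live state is marked dirty. 0xAA is an arbitrary "garbage" pattern. */
static void vector_discard(struct task *t)
{
    memset(&t->live, 0xAA, sizeof t->live);
    t->live_dirty = true;
}

/* Models the save hook: if the live state is dirty, write it into the vstate. */
static void vstate_save(struct task *t)
{
    if (!t->live_dirty)
        return;
    t->vstate.vl     = t->live.vl;
    t->vstate.vtype  = t->live.vtype;
    t->vstate.vstart = t->live.vstart;
    memcpy(t->vstate.datap, t->live.datap, regfile_bytes(t));
    t->live_dirty = false;
}

/* Models copy_from_user(): copies at or above the threshold use the vector
 * unit, so a dirty live state must be saved before the registers are clobbered. */
static void copy_from_user_model(struct task *t, void *dst, const void *src, size_t n)
{
    if (n >= UCOPY_THRESHOLD)
        vstate_save(t);          /* the save that corrupts the just-restored header */
    memcpy(dst, src, n);
}

/* Step 5 and 6: restore the header, then the register file, from the sigcontext. */
static void restore_v_state(struct task *t, const struct vstate *sc, bool fixed)
{
    t->vstate.vl     = sc->vl;
    t->vstate.vtype  = sc->vtype;
    t->vstate.vstart = sc->vstart;
    if (fixed)
        t->live_dirty = false;   /* the fix: nothing in the discarded live state is worth saving */
    copy_from_user_model(t, t->vstate.datap, sc->datap, regfile_bytes(t));
    t->live_dirty = false;       /* original code only cleared the flag here, after the copy */
}

/* Runs steps 4 to 6 for one VLENB and reports whether the restored vstate still
 * matches the sigcontext the application would expect on return. */
static bool rt_sigreturn_model(size_t vlenb, bool fixed)
{
    struct task t = { .vlenb = vlenb };
    struct vstate sc;            /* constructed sigcontext saved at signal delivery */

    sc.vl = 8; sc.vtype = 0x10; sc.vstart = 0;
    for (size_t i = 0; i < sizeof sc.datap; i++)
        sc.datap[i] = (uint8_t)i;
    t.vstate = sc;
    t.live = sc;
    t.live_dirty = false;

    vector_discard(&t);             /* step 4 */
    restore_v_state(&t, &sc, fixed);/* steps 5 and 6 */

    return t.vstate.vl == sc.vl && t.vstate.vtype == sc.vtype &&
           t.vstate.vstart == sc.vstart &&
           memcmp(t.vstate.datap, sc.datap, regfile_bytes(&t)) == 0;
}

int main(void)
{
    printf("VLEN=128, original order: %s\n", rt_sigreturn_model(16, false) ? "intact" : "CORRUPT");
    printf("VLEN=256, original order: %s\n", rt_sigreturn_model(32, false) ? "intact" : "CORRUPT");
    printf("VLEN=256, fixed order:    %s\n", rt_sigreturn_model(32, true)  ? "intact" : "CORRUPT");
    return 0;
}
```

With VLENB of 16 bytes the register file is 512 bytes, below the threshold, so the scalar copy path never triggers the save and the restore is intact even with the original order; with 32 bytes per register (1024 bytes) the vectorized path saves the 0xAA-filled live header over the header that step 5 had just restored. Clearing the dirty flag before the copy, as the fix does, makes the save a no-op.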

Vulnerable products and versions

CPE                                                 From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*        6.8 (including)    6.8.5 (excluding)
cpe:2.3:o:linux:linux_kernel:6.9:rc1:*:*:*:*:*:*    -                  -
cpe:2.3:o:linux:linux_kernel:6.9:rc2:*:*:*:*:*:*    -                  -