CVE-2024-57874

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
11/01/2025
Last modified:
03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

arm64: ptrace: fix partial SETREGSET for NT_ARM_TAGGED_ADDR_CTRL

Currently tagged_addr_ctrl_set() doesn't initialize the temporary 'ctrl' variable, and a SETREGSET call with a length of zero will leave this uninitialized. Consequently tagged_addr_ctrl_set() will consume an arbitrary value, potentially leaking up to 64 bits of memory from the kernel stack. The read is limited to a specific slot on the stack, and the issue does not provide a write mechanism.

As set_tagged_addr_ctrl() only accepts values where bits [63:4] are zero and rejects other values, a partial SETREGSET attempt will randomly succeed or fail depending on the value of the uninitialized value, and the exposure is significantly limited.

Fix this by initializing the temporary value before copying the regset from userspace, as for other regsets (e.g. NT_PRSTATUS, NT_PRFPREG, NT_ARM_SYSTEM_CALL). In the case of a zero-length write, the existing value of the tagged address ctrl will be retained.

The NT_ARM_TAGGED_ADDR_CTRL regset is only visible in the user_aarch64_view used by a native AArch64 task to manipulate another native AArch64 task. As get_tagged_addr_ctrl() only returns an error value when called for a compat task, tagged_addr_ctrl_get() and tagged_addr_ctrl_set() should never observe an error value from get_tagged_addr_ctrl(). Add a WARN_ON_ONCE() to both to indicate that such an error would be unexpected, and error handling is not missing in either case.
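A simplified C model of the bug and of the fix, added here as an illustration and not the kernel's own code: regset_copyin() stands in for user_regset_copyin(), the task struct and stale_stack_slot are constructed, and the accepted-bits mask is taken from the description's statement that bits [63:4] must be zero. It shows why a zero-length SETREGSET lets the unfixed path hand the stale stack slot to set_tagged_addr_ctrl(), and why seeding 'ctrl' with the current value makes the same call retain the existing setting.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model, not kernel code: only bits [3:0] are accepted,
 * matching the advisory's statement that bits [63:4] must be zero. */
#define TAGGED_ADDR_CTRL_VALID_MASK UINT64_C(0xf)
struct task { uint64_t tagged_addr_ctrl; };
/* Constructed stand-in for whatever a previous call left in the stack slot
 * occupied by the unfixed, uninitialized 'long ctrl;'. */
uint64_t stale_stack_slot = UINT64_C(0xdeadbeefcafe0001);

int set_tagged_addr_ctrl(struct task *t, uint64_t ctrl)
{
    if (ctrl & ~TAGGED_ADDR_CTRL_VALID_MASK)
        return -EINVAL;              /* any value with bits [63:4] set is rejected */
    t->tagged_addr_ctrl = ctrl;
    return 0;
}
/* Native AArch64 task: returns the current value; only a compat task would yield an error (<0). */
int64_t get_tagged_addr_ctrl(const struct task *t) { return (int64_t)t->tagged_addr_ctrl; }
/* Model of user_regset_copyin(): copy min(count, size) bytes, leave the rest untouched. */
static int regset_copyin(const void *ubuf, size_t count, void *dst, size_t size)
{
    memcpy(dst, ubuf, count < size ? count : size);
    return 0;
}

/* Before the fix: a zero-length write leaves 'ctrl' holding the stale slot content. */
int tagged_addr_ctrl_set_unfixed(struct task *t, const void *ubuf, size_t count)
{
    uint64_t ctrl = stale_stack_slot;  /* models the uninitialized 'long ctrl;' */
    int ret = regset_copyin(ubuf, count, &ctrl, sizeof ctrl);
    return ret ? ret : set_tagged_addr_ctrl(t, ctrl);
}

/* After the fix: seed 'ctrl' with the current value, so a zero-length write
 * retains it and the stack slot never reaches set_tagged_addr_ctrl(). */
int tagged_addr_ctrl_set_fixed(struct task *t, const void *ubuf, size_t count)
{
    int64_t cur = get_tagged_addr_ctrl(t);
    if (cur < 0)                       /* kernel: WARN_ON_ONCE(); never expected here */
        return (int)cur;
    uint64_t ctrl = (uint64_t)cur;
    int ret = regset_copyin(ubuf, count, &ctrl, sizeof ctrl);
    return ret ? ret : set_tagged_addr_ctrl(t, ctrl);
}
```

With the unfixed path, whether a zero-length write is accepted depends only on the stale slot's high bits, which is the "randomly succeed or fail" behaviour the description refers to; when it succeeds, the stale value becomes the task's setting and is readable back through the regset.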

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.10 (including) 5.10.231 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.174 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.120 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.66 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.12.5 (excluding)
cpe:2.3:o:linux:linux_kernel:6.13:rc1:*:*:*:*:*:*