CVE-2024-35871: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: riscv: process: Fix kernel gp leakage childregs represents the registers which are active for the new thread in user context. For a kernel thread, childregs->gp is never used since the kernel gp is not touched by switch_to. For a user mode helper, the gp value can be observed in user space after execve or possibly by other means. [From the email thread] The /* Kernel thread */ comment is somewhat inaccurate in that it is also used for user_mode_helper threads, which exec a user process, e.g. /sbin/init or when /proc/sys/kernel/core_pattern is a pipe. Such threads do not have PF_KTHREAD set and are valid targets for ptrace etc. even before they exec. childregs is the *user* context during syscall execution and it is observable from userspace in at least five ways: 1. kernel_execve does not currently clear integer registers, so the starting register state for PID 1 and other user processes started by the kernel has sp = user stack, gp = kernel __global_pointer$, all other integer registers zeroed by the memset in the patch comment. This is a bug in its own right, but I'm unwilling to bet that it is the only way to exploit the issue addressed by this patch. 2. ptrace(PTRACE_GETREGSET): you can PTRACE_ATTACH to a user_mode_helper thread before it execs, but ptrace requires SIGSTOP to be delivered which can only happen at user/kernel boundaries. 3. /proc/*/task/*/syscall: this is perfectly happy to read pt_regs for user_mode_helpers before the exec completes, but gp is not one of the registers it returns. 4. PERF_SAMPLE_REGS_USER: LOCKDOWN_PERF normally prevents access to kernel addresses via PERF_SAMPLE_REGS_INTR, but due to this bug kernel addresses are also exposed via PERF_SAMPLE_REGS_USER which is permitted under LOCKDOWN_PERF. I have not attempted to write exploit code. 5. Much of the tracing infrastructure allows access to user registers. I have not attempted to determine which forms of tracing allow access to user registers without already allowing access to kernel registers.
AI Analysis
Technical Summary
CVE-2024-35871 is a vulnerability identified in the Linux kernel specifically affecting the RISC-V architecture. The issue revolves around improper handling of the kernel global pointer (gp) register leakage in the context of user_mode_helper threads and kernel threads. The vulnerability arises because the childregs structure, which represents the register state for new threads in user context, does not properly clear or isolate the kernel gp register value before transitioning to user mode. This leads to a scenario where the kernel's global pointer value can be observed from user space after an execve system call or through other mechanisms such as ptrace, /proc filesystem interfaces, and performance tracing tools. The root cause is that kernel_execve does not clear integer registers fully, leaving the gp register containing kernel addresses exposed to user processes started by the kernel, including PID 1 and other user processes initiated via user_mode_helper threads. These threads, unlike pure kernel threads, do not have the PF_KTHREAD flag set and are valid targets for ptrace and other debugging/tracing mechanisms even before they execute the user process. Multiple vectors exist for observing this leakage: ptrace with PTRACE_GETREGSET can attach before execve completes, /proc/*/task/*/syscall can read pt_regs for user_mode_helpers, PERF_SAMPLE_REGS_USER can expose kernel addresses due to LOCKDOWN_PERF limitations, and various tracing infrastructures may allow access to these registers. Although no known exploits are reported in the wild, the exposure of kernel pointers to user space can facilitate kernel address space layout information disclosure, which is a critical step in bypassing kernel-level security mechanisms such as Kernel Address Space Layout Randomization (KASLR). This can enable further privilege escalation or kernel exploitation attacks. The vulnerability is specific to Linux kernel versions containing the affected commit hashes (noted as identical hashes in the report) and primarily impacts systems running on RISC-V architecture. The patch addresses the issue by properly clearing the gp register in the childregs structure before transitioning to user mode, preventing kernel pointer leakage. Impact: For European organizations, this vulnerability poses a significant risk especially for those running Linux-based infrastructure on RISC-V hardware, which is increasingly adopted in embedded systems, IoT devices, and specialized computing environments. The leakage of kernel pointers can be leveraged by attackers with local access to escalate privileges or bypass kernel security features, potentially leading to full system compromise. This is particularly critical in sectors with high security requirements such as finance, government, telecommunications, and critical infrastructure. The vulnerability also affects debugging and tracing tools, which are commonly used in development and production environments, increasing the attack surface. Mitigation: Organizations should prioritize patching Linux kernels on RISC-V systems to the fixed versions that clear the gp register appropriately. Since no known exploits exist, immediate patching can prevent future exploitation. Additionally, restricting access to ptrace and /proc interfaces to trusted users only, enforcing strict permissions on performance tracing tools, and enabling kernel lockdown features where applicable can reduce the risk of information leakage. Monitoring for unusual ptrace or tracing activity may help detect exploitation attempts. For environments where patching is delayed, consider isolating vulnerable systems and limiting user access to reduce exposure. Affected European countries are those with significant deployment of Linux on RISC-V or embedded systems, including Germany, France, the Netherlands, Sweden, and the UK, which have strong technology sectors and early adoption of emerging architectures. Countries with critical infrastructure relying on Linux-based embedded devices, such as Finland and Norway, are also at risk. Historical attack patterns show that attackers target regions with advanced technology adoption and critical infrastructure, making these countries more likely targets. Geopolitical factors such as tensions involving cyber espionage and critical infrastructure protection further elevate risk in these nations. Suggested severity for this vulnerability is high due to the potential for kernel pointer leakage facilitating privilege escalation, the ease of local exploitation without requiring user interaction, and the broad impact on confidentiality and integrity of affected systems. Although availability impact is limited, the risk to system security is substantial.
Potential Impact
The vulnerability allows local attackers to leak kernel pointers via the gp register in user_mode_helper threads, undermining kernel address space layout randomization (KASLR) and other kernel security mechanisms. This leakage can facilitate privilege escalation and kernel exploitation, potentially leading to full system compromise. For European organizations, especially those using Linux on RISC-V architectures in critical infrastructure, embedded systems, or specialized computing environments, this represents a significant security risk. The exposure of kernel memory addresses can enable attackers to bypass security controls, threatening confidentiality and integrity of sensitive data and systems. The vulnerability also increases the attack surface by exposing kernel information through common debugging and tracing interfaces, which are widely used in development and production environments. Although no exploits are currently known in the wild, the vulnerability's presence in foundational Linux components means that exploitation could have widespread and severe consequences if weaponized.
Mitigation Recommendations
1. Apply the official Linux kernel patches that clear the gp register in the childregs structure for all affected RISC-V systems as soon as possible. 2. Restrict access to ptrace and /proc interfaces to trusted users only, using appropriate Linux security modules (e.g., SELinux, AppArmor) or kernel lockdown features. 3. Limit permissions and usage of performance tracing tools (perf) to prevent unauthorized access to kernel registers. 4. Enable kernel lockdown mode where supported to reduce kernel information exposure. 5. Monitor system logs and audit ptrace, perf, and tracing activities for unusual or unauthorized access attempts. 6. Isolate vulnerable systems from untrusted users and networks until patches are applied. 7. For embedded and IoT devices running Linux on RISC-V, coordinate with vendors to ensure timely firmware updates incorporating the fix. 8. Educate system administrators and developers about the risks of kernel pointer leakage and the importance of applying security patches promptly.
Affected Countries
Germany, France, Netherlands, Sweden, United Kingdom, Finland, Norway
CVE-2024-35871: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: riscv: process: Fix kernel gp leakage childregs represents the registers which are active for the new thread in user context. For a kernel thread, childregs->gp is never used since the kernel gp is not touched by switch_to. For a user mode helper, the gp value can be observed in user space after execve or possibly by other means. [From the email thread] The /* Kernel thread */ comment is somewhat inaccurate in that it is also used for user_mode_helper threads, which exec a user process, e.g. /sbin/init or when /proc/sys/kernel/core_pattern is a pipe. Such threads do not have PF_KTHREAD set and are valid targets for ptrace etc. even before they exec. childregs is the *user* context during syscall execution and it is observable from userspace in at least five ways: 1. kernel_execve does not currently clear integer registers, so the starting register state for PID 1 and other user processes started by the kernel has sp = user stack, gp = kernel __global_pointer$, all other integer registers zeroed by the memset in the patch comment. This is a bug in its own right, but I'm unwilling to bet that it is the only way to exploit the issue addressed by this patch. 2. ptrace(PTRACE_GETREGSET): you can PTRACE_ATTACH to a user_mode_helper thread before it execs, but ptrace requires SIGSTOP to be delivered which can only happen at user/kernel boundaries. 3. /proc/*/task/*/syscall: this is perfectly happy to read pt_regs for user_mode_helpers before the exec completes, but gp is not one of the registers it returns. 4. PERF_SAMPLE_REGS_USER: LOCKDOWN_PERF normally prevents access to kernel addresses via PERF_SAMPLE_REGS_INTR, but due to this bug kernel addresses are also exposed via PERF_SAMPLE_REGS_USER which is permitted under LOCKDOWN_PERF. I have not attempted to write exploit code. 5. Much of the tracing infrastructure allows access to user registers. I have not attempted to determine which forms of tracing allow access to user registers without already allowing access to kernel registers.
AI-Powered Analysis
Technical Analysis
CVE-2024-35871 is a vulnerability identified in the Linux kernel specifically affecting the RISC-V architecture. The issue revolves around improper handling of the kernel global pointer (gp) register leakage in the context of user_mode_helper threads and kernel threads. The vulnerability arises because the childregs structure, which represents the register state for new threads in user context, does not properly clear or isolate the kernel gp register value before transitioning to user mode. This leads to a scenario where the kernel's global pointer value can be observed from user space after an execve system call or through other mechanisms such as ptrace, /proc filesystem interfaces, and performance tracing tools. The root cause is that kernel_execve does not clear integer registers fully, leaving the gp register containing kernel addresses exposed to user processes started by the kernel, including PID 1 and other user processes initiated via user_mode_helper threads. These threads, unlike pure kernel threads, do not have the PF_KTHREAD flag set and are valid targets for ptrace and other debugging/tracing mechanisms even before they execute the user process. Multiple vectors exist for observing this leakage: ptrace with PTRACE_GETREGSET can attach before execve completes, /proc/*/task/*/syscall can read pt_regs for user_mode_helpers, PERF_SAMPLE_REGS_USER can expose kernel addresses due to LOCKDOWN_PERF limitations, and various tracing infrastructures may allow access to these registers. Although no known exploits are reported in the wild, the exposure of kernel pointers to user space can facilitate kernel address space layout information disclosure, which is a critical step in bypassing kernel-level security mechanisms such as Kernel Address Space Layout Randomization (KASLR). This can enable further privilege escalation or kernel exploitation attacks. The vulnerability is specific to Linux kernel versions containing the affected commit hashes (noted as identical hashes in the report) and primarily impacts systems running on RISC-V architecture. The patch addresses the issue by properly clearing the gp register in the childregs structure before transitioning to user mode, preventing kernel pointer leakage. Impact: For European organizations, this vulnerability poses a significant risk especially for those running Linux-based infrastructure on RISC-V hardware, which is increasingly adopted in embedded systems, IoT devices, and specialized computing environments. The leakage of kernel pointers can be leveraged by attackers with local access to escalate privileges or bypass kernel security features, potentially leading to full system compromise. This is particularly critical in sectors with high security requirements such as finance, government, telecommunications, and critical infrastructure. The vulnerability also affects debugging and tracing tools, which are commonly used in development and production environments, increasing the attack surface. Mitigation: Organizations should prioritize patching Linux kernels on RISC-V systems to the fixed versions that clear the gp register appropriately. Since no known exploits exist, immediate patching can prevent future exploitation. Additionally, restricting access to ptrace and /proc interfaces to trusted users only, enforcing strict permissions on performance tracing tools, and enabling kernel lockdown features where applicable can reduce the risk of information leakage. Monitoring for unusual ptrace or tracing activity may help detect exploitation attempts. For environments where patching is delayed, consider isolating vulnerable systems and limiting user access to reduce exposure. Affected European countries are those with significant deployment of Linux on RISC-V or embedded systems, including Germany, France, the Netherlands, Sweden, and the UK, which have strong technology sectors and early adoption of emerging architectures. Countries with critical infrastructure relying on Linux-based embedded devices, such as Finland and Norway, are also at risk. Historical attack patterns show that attackers target regions with advanced technology adoption and critical infrastructure, making these countries more likely targets. Geopolitical factors such as tensions involving cyber espionage and critical infrastructure protection further elevate risk in these nations. Suggested severity for this vulnerability is high due to the potential for kernel pointer leakage facilitating privilege escalation, the ease of local exploitation without requiring user interaction, and the broad impact on confidentiality and integrity of affected systems. Although availability impact is limited, the risk to system security is substantial.
Potential Impact
The vulnerability allows local attackers to leak kernel pointers via the gp register in user_mode_helper threads, undermining kernel address space layout randomization (KASLR) and other kernel security mechanisms. This leakage can facilitate privilege escalation and kernel exploitation, potentially leading to full system compromise. For European organizations, especially those using Linux on RISC-V architectures in critical infrastructure, embedded systems, or specialized computing environments, this represents a significant security risk. The exposure of kernel memory addresses can enable attackers to bypass security controls, threatening confidentiality and integrity of sensitive data and systems. The vulnerability also increases the attack surface by exposing kernel information through common debugging and tracing interfaces, which are widely used in development and production environments. Although no exploits are currently known in the wild, the vulnerability's presence in foundational Linux components means that exploitation could have widespread and severe consequences if weaponized.
Mitigation Recommendations
1. Apply the official Linux kernel patches that clear the gp register in the childregs structure for all affected RISC-V systems as soon as possible. 2. Restrict access to ptrace and /proc interfaces to trusted users only, using appropriate Linux security modules (e.g., SELinux, AppArmor) or kernel lockdown features. 3. Limit permissions and usage of performance tracing tools (perf) to prevent unauthorized access to kernel registers. 4. Enable kernel lockdown mode where supported to reduce kernel information exposure. 5. Monitor system logs and audit ptrace, perf, and tracing activities for unusual or unauthorized access attempts. 6. Isolate vulnerable systems from untrusted users and networks until patches are applied. 7. For embedded and IoT devices running Linux on RISC-V, coordinate with vendors to ensure timely firmware updates incorporating the fix. 8. Educate system administrators and developers about the risks of kernel pointer leakage and the importance of applying security patches promptly.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-05-17T13:50:33.108Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d982ac4522896dcbe3706
Added to database: 5/21/2025, 9:08:58 AM
Last enriched: 6/29/2025, 4:56:18 PM
Last updated: 7/27/2025, 3:48:17 AM
Views: 10
Related Threats
CVE-2025-40770: CWE-300: Channel Accessible by Non-Endpoint in Siemens SINEC Traffic Analyzer
HighCVE-2025-40769: CWE-1164: Irrelevant Code in Siemens SINEC Traffic Analyzer
HighCVE-2025-40768: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in Siemens SINEC Traffic Analyzer
HighCVE-2025-40767: CWE-250: Execution with Unnecessary Privileges in Siemens SINEC Traffic Analyzer
HighCVE-2025-40766: CWE-400: Uncontrolled Resource Consumption in Siemens SINEC Traffic Analyzer
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.