CVE-2024-35873: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: riscv: Fix vector state restore in rt_sigreturn() The RISC-V Vector specification states in "Appendix D: Calling Convention for Vector State" [1] that "Executing a system call causes all caller-saved vector registers (v0-v31, vl, vtype) and vstart to become unspecified.". In the RISC-V kernel this is called "discarding the vstate". Returning from a signal handler via the rt_sigreturn() syscall, vector discard is also performed. However, this is not an issue since the vector state should be restored from the sigcontext, and therefore not care about the vector discard. The "live state" is the actual vector register in the running context, and the "vstate" is the vector state of the task. A dirty live state, means that the vstate and live state are not in synch. When vectorized user_from_copy() was introduced, an bug sneaked in at the restoration code, related to the discard of the live state. An example when this go wrong: 1. A userland application is executing vector code 2. The application receives a signal, and the signal handler is entered. 3. The application returns from the signal handler, using the rt_sigreturn() syscall. 4. The live vector state is discarded upon entering the rt_sigreturn(), and the live state is marked as "dirty", indicating that the live state need to be synchronized with the current vstate. 5. rt_sigreturn() restores the vstate, except the Vector registers, from the sigcontext 6. rt_sigreturn() restores the Vector registers, from the sigcontext, and now the vectorized user_from_copy() is used. The dirty live state from the discard is saved to the vstate, making the vstate corrupt. 7. rt_sigreturn() returns to the application, which crashes due to corrupted vstate. Note that the vectorized user_from_copy() is invoked depending on the value of CONFIG_RISCV_ISA_V_UCOPY_THRESHOLD. Default is 768, which means that vlen has to be larger than 128b for this bug to trigger. The fix is simply to mark the live state as non-dirty/clean prior performing the vstate restore.
AI Analysis
Technical Summary
CVE-2024-35873 is a vulnerability identified in the Linux kernel specifically affecting the RISC-V architecture's handling of vector state restoration during signal return processing. The vulnerability arises from a bug in the rt_sigreturn() syscall implementation, which is responsible for restoring the process context after a signal handler completes. According to the RISC-V Vector specification, executing a system call causes all caller-saved vector registers (v0-v31, vl, vtype) and the vstart register to become unspecified, a process referred to as discarding the vector state (vstate). When returning from a signal handler, the kernel must restore the vector state from the saved sigcontext to maintain consistency. However, the bug occurs due to improper synchronization between the "live state" (the actual vector registers in the running context) and the "vstate" (the saved vector state of the task). Specifically, when vectorized user_from_copy() is used (triggered if the vector length exceeds a threshold defined by CONFIG_RISCV_ISA_V_UCOPY_THRESHOLD, default 768), the live state is marked as dirty after being discarded but before restoration. The restoration process then incorrectly saves this dirty live state back to the vstate, corrupting it. This corruption leads to application crashes upon returning from signal handlers that use vector instructions. The fix involves marking the live state as clean before restoring the vstate, preventing the corruption. This vulnerability is limited to Linux kernels running on RISC-V platforms with vector extensions enabled and affected by the vectorized user_from_copy() code path. No known exploits are currently reported in the wild, and the issue is primarily a stability and reliability concern rather than a direct security compromise like privilege escalation or code execution.
Potential Impact
For European organizations utilizing Linux systems on RISC-V architectures with vector extensions, this vulnerability can cause application crashes and potential denial of service conditions when applications use vector instructions and signal handling concurrently. While it does not directly lead to unauthorized access or data leakage, the instability can disrupt critical services, especially in environments relying on real-time processing or high-performance computing where RISC-V vector capabilities are leveraged. The impact is more pronounced in sectors adopting RISC-V for embedded systems, telecommunications, or specialized computing tasks. Organizations running mixed-architecture environments or those in early adoption phases of RISC-V may face operational disruptions. The lack of known exploits reduces immediate risk, but unpatched systems remain vulnerable to crashes that could affect availability and reliability of services. Additionally, debugging and recovery efforts may increase operational overhead. Given the growing interest in RISC-V within Europe for strategic autonomy in technology, the vulnerability could affect emerging deployments in research, industry, and government sectors.
Mitigation Recommendations
1. Apply the official Linux kernel patches that fix the vector state restoration bug as soon as they are available and validated for your environment. 2. For organizations using custom or vendor-specific RISC-V Linux kernels, coordinate with vendors to ensure timely patch integration. 3. Temporarily disable or limit the use of vector extensions in RISC-V systems if feasible, especially in critical production environments, until patches are applied. 4. Monitor application logs and kernel messages for crashes related to signal handling and vector instructions to detect potential exploitation or instability. 5. Implement rigorous testing of signal handling in vectorized applications within staging environments to identify and mitigate crashes before production deployment. 6. Educate development teams about the implications of signal handling with vector instructions on RISC-V to avoid triggering the bug in unpatched systems. 7. Maintain up-to-date backups and recovery procedures to minimize downtime in case of crashes. 8. Engage with RISC-V and Linux kernel communities to stay informed about further developments or related vulnerabilities.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland
CVE-2024-35873: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: riscv: Fix vector state restore in rt_sigreturn() The RISC-V Vector specification states in "Appendix D: Calling Convention for Vector State" [1] that "Executing a system call causes all caller-saved vector registers (v0-v31, vl, vtype) and vstart to become unspecified.". In the RISC-V kernel this is called "discarding the vstate". Returning from a signal handler via the rt_sigreturn() syscall, vector discard is also performed. However, this is not an issue since the vector state should be restored from the sigcontext, and therefore not care about the vector discard. The "live state" is the actual vector register in the running context, and the "vstate" is the vector state of the task. A dirty live state, means that the vstate and live state are not in synch. When vectorized user_from_copy() was introduced, an bug sneaked in at the restoration code, related to the discard of the live state. An example when this go wrong: 1. A userland application is executing vector code 2. The application receives a signal, and the signal handler is entered. 3. The application returns from the signal handler, using the rt_sigreturn() syscall. 4. The live vector state is discarded upon entering the rt_sigreturn(), and the live state is marked as "dirty", indicating that the live state need to be synchronized with the current vstate. 5. rt_sigreturn() restores the vstate, except the Vector registers, from the sigcontext 6. rt_sigreturn() restores the Vector registers, from the sigcontext, and now the vectorized user_from_copy() is used. The dirty live state from the discard is saved to the vstate, making the vstate corrupt. 7. rt_sigreturn() returns to the application, which crashes due to corrupted vstate. Note that the vectorized user_from_copy() is invoked depending on the value of CONFIG_RISCV_ISA_V_UCOPY_THRESHOLD. Default is 768, which means that vlen has to be larger than 128b for this bug to trigger. The fix is simply to mark the live state as non-dirty/clean prior performing the vstate restore.
AI-Powered Analysis
Technical Analysis
CVE-2024-35873 is a vulnerability identified in the Linux kernel specifically affecting the RISC-V architecture's handling of vector state restoration during signal return processing. The vulnerability arises from a bug in the rt_sigreturn() syscall implementation, which is responsible for restoring the process context after a signal handler completes. According to the RISC-V Vector specification, executing a system call causes all caller-saved vector registers (v0-v31, vl, vtype) and the vstart register to become unspecified, a process referred to as discarding the vector state (vstate). When returning from a signal handler, the kernel must restore the vector state from the saved sigcontext to maintain consistency. However, the bug occurs due to improper synchronization between the "live state" (the actual vector registers in the running context) and the "vstate" (the saved vector state of the task). Specifically, when vectorized user_from_copy() is used (triggered if the vector length exceeds a threshold defined by CONFIG_RISCV_ISA_V_UCOPY_THRESHOLD, default 768), the live state is marked as dirty after being discarded but before restoration. The restoration process then incorrectly saves this dirty live state back to the vstate, corrupting it. This corruption leads to application crashes upon returning from signal handlers that use vector instructions. The fix involves marking the live state as clean before restoring the vstate, preventing the corruption. This vulnerability is limited to Linux kernels running on RISC-V platforms with vector extensions enabled and affected by the vectorized user_from_copy() code path. No known exploits are currently reported in the wild, and the issue is primarily a stability and reliability concern rather than a direct security compromise like privilege escalation or code execution.
Potential Impact
For European organizations utilizing Linux systems on RISC-V architectures with vector extensions, this vulnerability can cause application crashes and potential denial of service conditions when applications use vector instructions and signal handling concurrently. While it does not directly lead to unauthorized access or data leakage, the instability can disrupt critical services, especially in environments relying on real-time processing or high-performance computing where RISC-V vector capabilities are leveraged. The impact is more pronounced in sectors adopting RISC-V for embedded systems, telecommunications, or specialized computing tasks. Organizations running mixed-architecture environments or those in early adoption phases of RISC-V may face operational disruptions. The lack of known exploits reduces immediate risk, but unpatched systems remain vulnerable to crashes that could affect availability and reliability of services. Additionally, debugging and recovery efforts may increase operational overhead. Given the growing interest in RISC-V within Europe for strategic autonomy in technology, the vulnerability could affect emerging deployments in research, industry, and government sectors.
Mitigation Recommendations
1. Apply the official Linux kernel patches that fix the vector state restoration bug as soon as they are available and validated for your environment. 2. For organizations using custom or vendor-specific RISC-V Linux kernels, coordinate with vendors to ensure timely patch integration. 3. Temporarily disable or limit the use of vector extensions in RISC-V systems if feasible, especially in critical production environments, until patches are applied. 4. Monitor application logs and kernel messages for crashes related to signal handling and vector instructions to detect potential exploitation or instability. 5. Implement rigorous testing of signal handling in vectorized applications within staging environments to identify and mitigate crashes before production deployment. 6. Educate development teams about the implications of signal handling with vector instructions on RISC-V to avoid triggering the bug in unpatched systems. 7. Maintain up-to-date backups and recovery procedures to minimize downtime in case of crashes. 8. Engage with RISC-V and Linux kernel communities to stay informed about further developments or related vulnerabilities.
Affected Countries
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-05-17T13:50:33.108Z
- Cisa Enriched
- true
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d982ac4522896dcbe3731
Added to database: 5/21/2025, 9:08:58 AM
Last enriched: 6/29/2025, 4:56:43 PM
Last updated: 8/12/2025, 10:47:51 PM
Views: 13
Related Threats
CVE-2025-55280: CWE-312: Cleartext Storage of Sensitive Information in ZKTeco Co WL20 Biometric Attendance System
MediumCVE-2025-55279: CWE-798: Use of Hard-coded Credentials in ZKTeco Co WL20 Biometric Attendance System
MediumCVE-2025-54465: CWE-798: Use of Hard-coded Credentials in ZKTeco Co WL20 Biometric Attendance System
MediumCVE-2025-54464: CWE-312: Cleartext Storage of Sensitive Information in ZKTeco Co WL20 Biometric Attendance System
HighCVE-2025-2713: CWE-269 Improper Privilege Management in Google gVisor
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.