cve/2024/CVE-2024-35871.md

### [CVE-2024-35871](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-35871)
![](https://img.shields.io/static/v1?label=Product&message=Linux&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=4.15%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Version&message=7db91e57a0acde126a162ababfb1e0ab190130cb%20&color=brightgreen)
![](https://img.shields.io/static/v1?label=Vulnerability&message=n%2Fa&color=blue)

### Description

In the Linux kernel, the following vulnerability has been resolved:riscv: process: Fix kernel gp leakagechildregs represents the registers which are active for the new threadin user context. For a kernel thread, childregs->gp is never used sincethe kernel gp is not touched by switch_to. For a user mode helper, thegp value can be observed in user space after execve or possibly by othermeans.[From the email thread]The /* Kernel thread */ comment is somewhat inaccurate in that it is also usedfor user_mode_helper threads, which exec a user process, e.g. /sbin/init orwhen /proc/sys/kernel/core_pattern is a pipe. Such threads do not havePF_KTHREAD set and are valid targets for ptrace etc. even before they exec.childregs is the *user* context during syscall execution and it is observablefrom userspace in at least five ways:1. kernel_execve does not currently clear integer registers, so the starting   register state for PID 1 and other user processes started by the kernel has   sp = user stack, gp = kernel __global_pointer$, all other integer registers   zeroed by the memset in the patch comment.   This is a bug in its own right, but I'm unwilling to bet that it is the only   way to exploit the issue addressed by this patch.2. ptrace(PTRACE_GETREGSET): you can PTRACE_ATTACH to a user_mode_helper thread   before it execs, but ptrace requires SIGSTOP to be delivered which can only   happen at user/kernel boundaries.3. /proc/*/task/*/syscall: this is perfectly happy to read pt_regs for   user_mode_helpers before the exec completes, but gp is not one of the   registers it returns.4. PERF_SAMPLE_REGS_USER: LOCKDOWN_PERF normally prevents access to kernel   addresses via PERF_SAMPLE_REGS_INTR, but due to this bug kernel addresses   are also exposed via PERF_SAMPLE_REGS_USER which is permitted under   LOCKDOWN_PERF. I have not attempted to write exploit code.5. Much of the tracing infrastructure allows access to user registers. I have   not attempted to determine which forms of tracing allow access to user   registers without already allowing access to kernel registers.

### POC

#### Reference
- https://git.kernel.org/stable/c/d14fa1fcf69db9d070e75f1c4425211fa619dfc8

#### Github
No PoCs found on GitHub currently.
Update CVE list 2025-09-29 21:09 2025-09-29 21:09:30 +02:00			`### [CVE-2024-35871](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-35871)`
			`![](https://img.shields.io/static/v1?label=Product&message=Linux&color=blue)`
			`![](https://img.shields.io/static/v1?label=Version&message=&color=brightgreen)`
			`![](https://img.shields.io/static/v1?label=Version&message=4.15%20&color=brightgreen)`
			`![](https://img.shields.io/static/v1?label=Version&message=7db91e57a0acde126a162ababfb1e0ab190130cb%20&color=brightgreen)`
			`![](https://img.shields.io/static/v1?label=Vulnerability&message=n%2Fa&color=blue)`

			`### Description`

			In the Linux kernel, the following vulnerability has been resolved:riscv: process: Fix kernel gp leakagechildregs represents the registers which are active for the new threadin user context. For a kernel thread, childregs->gp is never used sincethe kernel gp is not touched by switch_to. For a user mode helper, thegp value can be observed in user space after execve or possibly by othermeans.[From the email thread]The /* Kernel thread / comment is somewhat inaccurate in that it is also usedfor user_mode_helper threads, which exec a user process, e.g. /sbin/init orwhen /proc/sys/kernel/core_pattern is a pipe. Such threads do not havePF_KTHREAD set and are valid targets for ptrace etc. even before they exec.childregs is the user* context during syscall execution and it is observablefrom userspace in at least five ways:1. kernel_execve does not currently clear integer registers, so the starting register state for PID 1 and other user processes started by the kernel has sp = user stack, gp = kernel __global_pointer$, all other integer registers zeroed by the memset in the patch comment. This is a bug in its own right, but I'm unwilling to bet that it is the only way to exploit the issue addressed by this patch.2. ptrace(PTRACE_GETREGSET): you can PTRACE_ATTACH to a user_mode_helper thread before it execs, but ptrace requires SIGSTOP to be delivered which can only happen at user/kernel boundaries.3. /proc//task//syscall: this is perfectly happy to read pt_regs for user_mode_helpers before the exec completes, but gp is not one of the registers it returns.4. PERF_SAMPLE_REGS_USER: LOCKDOWN_PERF normally prevents access to kernel addresses via PERF_SAMPLE_REGS_INTR, but due to this bug kernel addresses are also exposed via PERF_SAMPLE_REGS_USER which is permitted under LOCKDOWN_PERF. I have not attempted to write exploit code.5. Much of the tracing infrastructure allows access to user registers. I have not attempted to determine which forms of tracing allow access to user registers without already allowing access to kernel registers.

			`### POC`

			`#### Reference`
			`- https://git.kernel.org/stable/c/d14fa1fcf69db9d070e75f1c4425211fa619dfc8`

			`#### Github`
			`No PoCs found on GitHub currently.`