{"vulnerability": "cve-2024-57877", "sightings": [{"uuid": "b6821faa-23fa-42d6-8808-634c8cf40d44", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-57877", "type": "seen", "source": "https://t.me/cvedetector/15085", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-57877 - Linux Kernel arm64: ptrace: POR_EL0 Information Leak\", \n  \"Content\": \"CVE ID : CVE-2024-57877 \nPublished : Jan. 11, 2025, 3:15 p.m. | 42\u00a0minutes ago \nDescription : In the Linux kernel, the following vulnerability has been resolved:  \n  \narm64: ptrace: fix partial SETREGSET for NT_ARM_POE  \n  \nCurrently poe_set() doesn't initialize the temporary 'ctrl' variable,  \nand a SETREGSET call with a length of zero will leave this  \nuninitialized. Consequently an arbitrary value will be written back to  \ntarget->thread.por_el0, potentially leaking up to 64 bits of memory from  \nthe kernel stack. The read is limited to a specific slot on the stack,  \nand the issue does not provide a write mechanism.  \n  \nFix this by initializing the temporary value before copying the regset  \nfrom userspace, as for other regsets (e.g. NT_PRSTATUS, NT_PRFPREG,  \nNT_ARM_SYSTEM_CALL). In the case of a zero-length write, the existing  \ncontents of POR_EL1 will be retained.  \n  \nBefore this patch:  \n  \n| # ./poe-test  \n| Attempting to write NT_ARM_POE::por_el0 = 0x900d900d900d900d  \n| SETREGSET(nt=0x40f, len=8) wrote 8 bytes  \n|  \n| Attempting to read NT_ARM_POE::por_el0  \n| GETREGSET(nt=0x40f, len=8) read 8 bytes  \n| Read NT_ARM_POE::por_el0 = 0x900d900d900d900d  \n|  \n| Attempting to write NT_ARM_POE (zero length)  \n| SETREGSET(nt=0x40f, len=0) wrote 0 bytes  \n|  \n| Attempting to read NT_ARM_POE::por_el0  \n| GETREGSET(nt=0x40f, len=8) read 8 bytes  \n| Read NT_ARM_POE::por_el0 = 0xffff8000839c3d50  \n  \nAfter this patch:  \n  \n| # ./poe-test  \n| Attempting to write NT_ARM_POE::por_el0 = 0x900d900d900d900d  \n| SETREGSET(nt=0x40f, len=8) wrote 8 bytes  \n|  \n| Attempting to read NT_ARM_POE::por_el0  \n| GETREGSET(nt=0x40f, len=8) read 8 bytes  \n| Read NT_ARM_POE::por_el0 = 0x900d900d900d900d  \n|  \n| Attempting to write NT_ARM_POE (zero length)  \n| SETREGSET(nt=0x40f, len=0) wrote 0 bytes  \n|  \n| Attempting to read NT_ARM_POE::por_el0  \n| GETREGSET(nt=0x40f, len=8) read 8 bytes  \n| Read NT_ARM_POE::por_el0 = 0x900d900d900d900d \nSeverity: 0.0 | NA \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"11 Jan 2025\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2025-01-11T17:26:28.000000Z"}, {"uuid": "b0f54486-941c-406a-88c9-f536deeff105", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-57877", "type": "seen", "source": "https://bsky.app/profile/cve-notifications.bsky.social/post/3lfhyrrj5qx2k", "content": "", "creation_timestamp": "2025-01-11T15:15:46.150520Z"}, {"uuid": "7622dfe9-a8e7-4820-9012-43a1a6abe3bc", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-57877", "type": "published-proof-of-concept", "source": "https://t.me/DarkWebInformer_CVEAlerts/1318", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2024-57877\n\ud83d\udd39 Description: In the Linux kernel, the following vulnerability has been resolved:\n\narm64: ptrace: fix partial SETREGSET for NT_ARM_POE\n\nCurrently poe_set() doesn't initialize the temporary 'ctrl' variable,\nand a SETREGSET call with a length of zero will leave this\nuninitialized. Consequently an arbitrary value will be written back to\ntarget->thread.por_el0, potentially leaking up to 64 bits of memory from\nthe kernel stack. The read is limited to a specific slot on the stack,\nand the issue does not provide a write mechanism.\n\nFix this by initializing the temporary value before copying the regset\nfrom userspace, as for other regsets (e.g. NT_PRSTATUS, NT_PRFPREG,\nNT_ARM_SYSTEM_CALL). In the case of a zero-length write, the existing\ncontents of POR_EL1 will be retained.\n\nBefore this patch:\n\n| # ./poe-test\n| Attempting to write NT_ARM_POE::por_el0 = 0x900d900d900d900d\n| SETREGSET(nt=0x40f, len=8) wrote 8 bytes\n|\n| Attempting to read NT_ARM_POE::por_el0\n| GETREGSET(nt=0x40f, len=8) read 8 bytes\n| Read NT_ARM_POE::por_el0 = 0x900d900d900d900d\n|\n| Attempting to write NT_ARM_POE (zero length)\n| SETREGSET(nt=0x40f, len=0) wrote 0 bytes\n|\n| Attempting to read NT_ARM_POE::por_el0\n| GETREGSET(nt=0x40f, len=8) read 8 bytes\n| Read NT_ARM_POE::por_el0 = 0xffff8000839c3d50\n\nAfter this patch:\n\n| # ./poe-test\n| Attempting to write NT_ARM_POE::por_el0 = 0x900d900d900d900d\n| SETREGSET(nt=0x40f, len=8) wrote 8 bytes\n|\n| Attempting to read NT_ARM_POE::por_el0\n| GETREGSET(nt=0x40f, len=8) read 8 bytes\n| Read NT_ARM_POE::por_el0 = 0x900d900d900d900d\n|\n| Attempting to write NT_ARM_POE (zero length)\n| SETREGSET(nt=0x40f, len=0) wrote 0 bytes\n|\n| Attempting to read NT_ARM_POE::por_el0\n| GETREGSET(nt=0x40f, len=8) read 8 bytes\n| Read NT_ARM_POE::por_el0 = 0x900d900d900d900d\n\ud83d\udccf Published: 2025-01-11T14:49:03.297Z\n\ud83d\udccf Modified: 2025-01-11T14:49:03.297Z\n\ud83d\udd17 References:\n1. https://git.kernel.org/stable/c/4105dd76bc8ad6529d47157ef0565cb84ca6676c\n2. https://git.kernel.org/stable/c/594bfc4947c4fcabba1318d8384c61a29a6b89fb", "creation_timestamp": "2025-01-11T15:04:31.000000Z"}, {"uuid": "097f60f3-2c13-44e3-a2e7-4517f7485fe1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2024-57877", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3lfi245oa2z2h", "content": "", "creation_timestamp": "2025-01-11T15:39:30.667422Z"}]}