Mark Rutland

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The Linux kernel contains a flaw where calling `pmu->start()`/`stop()` on perf events in `PERF EVENT STATE OFF` can lead to undefined behavior. This occurs when `event->hw.idx` is at -1, and PMU drivers attempt to use this negative index as a shift exponent in bitwise operations, resulting in UBSAN shift-out-of-bounds reports. The issue arises from a logical flaw in how event groups handle throttling when some members are intentionally disabled. The throttling mechanism attempts to start/stop events that are not actively scheduled on the hardware. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.6.74 **Description** The issue is related to the Linux kernel's ptrace functionality, specifically the arm64 architecture. The problem arises when the `tagged addr ctrl set()` function does not initialize a temporary variable, potentially leading to the leakage of up to 64 bits of memory from the kernel stack. This occurs when a SETREGSET call is made with a length of zero. The exposure is limited, as the read is restricted to a specific slot on the stack, and there is no write mechanism provided. The `set tagged addr ctrl()` function only accepts values with bits [63:4] set to zero, which limits the success of a partial SETREGSET attempt. The fix involves initializing the temporary value before copying the regset from userspace. **Recommendations** To resolve the issue, update to Linux kernel version 6.6.74 or later. As a temporary workaround, consider restricting access to the `tagged addr ctrl set()` function until a patch is available. Additionally, avoid using the `NT ARM TAGGED ADDR CTRL` regset in the `user aarch64 view` used by native AArch64 tasks to manipulate other native AArch64 tasks.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the Linux kernel's ptrace functionality, specifically with the arm64 architecture. The problem arises when the `poe set()` function does not initialize a temporary variable, leading to potential memory leaks of up to 64 bits from the kernel stack when a SETREGSET call with a length of zero is made. This can result in arbitrary values being written back to `target->thread.por el0`. The read is limited to a specific slot on the stack, and there is no write mechanism provided by the issue. The fix involves initializing the temporary value before copying the regset from userspace. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to the Linux kernel's ptrace system call, specifically the arm64 architecture. The problem arises from the `fpmr set()` function not initializing the temporary `fpmr` variable, which can lead to an arbitrary value being written back to `target->thread.uw.fpmr` when a `SETREGSET` call with a length of zero is made. This could potentially leak up to 64 bits of memory from the kernel stack. The read is limited to a specific slot on the stack, and there is no write mechanism provided by the issue. The fix involves initializing the temporary value before copying the regset from userspace. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified) Description: A vulnerability in the Linux kernel has been resolved, related to the handling of SVE traps. The logic for handling these traps manipulates saved FPSIMD/SVE state incorrectly, and a race with preemption can result in a task having TIF SVE set and TIF FOREIGN FPSTATE clear even though the live CPU state is stale. This has been observed to result in warnings from the `do sve acc()` function where SVE traps are not expected while TIF SVE is set. The issue can occur when the SVE trap handler is preempted before and after manipulating the saved FPSIMD/SVE state, starting and ending on the same CPU. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 5.13-rc3 **Description** The vulnerability is related to the initialization of `cad pid` in the Linux kernel. During boot, `kernel init freeable()` initializes `cad pid` to the init task's struct pid. Later, when `cad pid` is changed via a sysctl, `proc do cad pid()` increments the refcount on the new pid via `get pid()` and decrements the refcount on the old pid via `put pid()`. However, since `get pid()` was not called when `cad pid` was initialized, a reference is decremented that was never incremented, which can lead to the init task's struct pid being freed early. This can cause dangling references to the struct pid, resulting in a use-after-free issue when delivering signals. **Recommendations** To resolve this issue, get a reference to the init task's struct pid when assigning it to `cad pid`. This can be done by calling `get pid()` when initializing `cad pid`. Note: The provided input does not specify the exact versions that are vulnerable or the versions that contain the fix. However, based on the information given, it appears that versions prior to 5.13-rc3 are affected.