CVE-2024-49861
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2024-49861
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-49861.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2024-49861
- Downstream
- Related
- Published
- 2024-10-21T12:27:19Z
- Modified
- 2025-10-22T04:37:08.530667Z
- Summary
- bpf: Fix helper writes to read-only maps
- Details
-
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix helper writes to read-only maps
Lonial found an issue that despite user- and BPF-side frozen BPF map (like in case of .rodata), it was still possible to write into it from a BPF program side through specific helpers having ARGPTRTO_{LONG,INT} as arguments.
In checkfuncarg() when the argument is as mentioned, the meta->rawmode is never set. Later, checkhelpermemaccess(), under the case of PTRTOMAPVALUE as register base type, it assumes BPFREAD for the subsequent call to checkmapaccess_type() and given the BPF map is read-only it succeeds.
The helpers really need to be annotated as ARGPTRTO{LONG,INT} | MEMUNINIT when results are written into them as opposed to read out of them. The latter indicates that it's okay to pass a pointer to uninitialized memory as the memory is written to anyway.
However, ARGPTRTO{LONG,INT} is a special case of ARGPTRTOFIXEDSIZEMEM just with additional alignment requirement. So it is better to just get rid of the ARGPTRTO{LONG,INT} special cases altogether and reuse the fixed size memory types. For this, add MEMALIGNED to additionally ensure alignment given these helpers write directly into the args via <ptr> = val. The .arg_size has been initialized reflecting the actual sizeof(*<ptr>).
MEMALIGNED can only be used in combination with MEMFIXEDSIZE annotated argument types, since in !MEMFIXED_SIZE cases the verifier does not know the buffer size a priori and therefore cannot blindly write *<ptr> = val.
- References
-
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- https://git.kernel.org/stable/c/1e75d25133158b525e0456876e9bcfd6b2993fd5
- https://git.kernel.org/stable/c/2ed98ee02d1e08afee88f54baec39ea78dc8a23c
- https://git.kernel.org/stable/c/32556ce93bc45c730829083cb60f95a2728ea48b
- https://git.kernel.org/stable/c/988e55abcf7fdb8fc9a76a7cf3f4e939a4d4fb3a
- https://git.kernel.org/stable/c/a2c8dc7e21803257e762b0bf067fd13e9c995da0
Affected packages
Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Affected ranges
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced57c3bb725a3dd97d960d7e1cd0845d88de53217fFixed988e55abcf7fdb8fc9a76a7cf3f4e939a4d4fb3a
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced57c3bb725a3dd97d960d7e1cd0845d88de53217fFixeda2c8dc7e21803257e762b0bf067fd13e9c995da0
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced57c3bb725a3dd97d960d7e1cd0845d88de53217fFixed2ed98ee02d1e08afee88f54baec39ea78dc8a23c
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced57c3bb725a3dd97d960d7e1cd0845d88de53217fFixed1e75d25133158b525e0456876e9bcfd6b2993fd5
- Type
- GIT
- Repo
- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
- Events
-
Introduced57c3bb725a3dd97d960d7e1cd0845d88de53217fFixed32556ce93bc45c730829083cb60f95a2728ea48b