Attacker Value

Unknown

(0 users assessed)

Exploitability

Unknown

(0 users assessed)

User Interaction

CVE-2024-49861

Disclosure Date: October 21, 2024 •

CVE-2024-49861 CVSS v3 Base Score: 7.1

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix helper writes to read-only maps

Lonial found an issue that despite user- and BPF-side frozen BPF map
(like in case of .rodata), it was still possible to write into it from
a BPF program side through specific helpers having ARG_PTRTO{LONG,INT}
as arguments.

In check_func_arg() when the argument is as mentioned, the meta->raw_mode
is never set. Later, check_helper_mem_access(), under the case of
PTR_TO_MAP_VALUE as register base type, it assumes BPF_READ for the
subsequent call to check_map_access_type() and given the BPF map is
read-only it succeeds.

The helpers really need to be annotated as ARG_PTRTO{LONG,INT} | MEM_UNINIT
when results are written into them as opposed to read out of them. The
latter indicates that it’s okay to pass a pointer to uninitialized memory
as the memory is written to anyway.

However, ARG_PTRTO{LONG,INT} is a special case of ARG_PTR_TO_FIXED_SIZE_MEM
just with additional alignment requirement. So it is better to just get
rid of the ARG_PTRTO{LONG,INT} special cases altogether and reuse the
fixed size memory types. For this, add MEM_ALIGNED to additionally ensure
alignment given these helpers write directly into the args via <ptr> = val.
The .arg_size has been initialized reflecting the actual sizeof(*<ptr>).

MEM_ALIGNED can only be used in combination with MEM_FIXED_SIZE annotated
argument types, since in !MEM_FIXED_SIZE cases the verifier does not know
the buffer size a priori and therefore cannot blindly write *<ptr> = val.

Add Assessment

No one has assessed this topic. Be the first to add your voice to the community.

CVSS V3 Severity and Metrics

Data provided by the National Vulnerability Database (NVD)

Base Score:

7.1 High

Impact Score:

5.2

Exploitability Score:

1.8

Vector:

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Attack Vector (AV):

Local

Attack Complexity (AC):

Low

Privileges Required (PR):

Low

User Interaction (UI):

None

Scope (S):

Unchanged

Confidentiality (C):

None

Integrity (I):

High

Availability (A):

High

Vendors

linux

Products

linux kernel

References

Canonical

CVE-2024-49861 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-49861)

Miscellaneous

https://git.kernel.org/stable/c/a2c8dc7e21803257e762b0bf067fd13e9c995da0

https://git.kernel.org/stable/c/2ed98ee02d1e08afee88f54baec39ea78dc8a23c

https://git.kernel.org/stable/c/1e75d25133158b525e0456876e9bcfd6b2993fd5

https://git.kernel.org/stable/c/32556ce93bc45c730829083cb60f95a2728ea48b

https://git.kernel.org/stable/c/988e55abcf7fdb8fc9a76a7cf3f4e939a4d4fb3a

Rapid7

Unknown

CVE-2024-49861

Unknown

Unknown

None

Low

Local

CVE-2024-49861

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Unknown

CVE-2024-49861

Unknown

Unknown

None

Low

Local

CVE-2024-49861

Description

Add Assessment

CVSS V3 Severity and Metrics

General Information

Vendors

Products

References

Canonical

Miscellaneous

Additional Info

Technical Analysis

Quick Cookie Notification