CVE-2024-49861 Information
Description
In the Linux kernel the following vulnerability has been resolved:
bpf: Fix helper writes to read-only maps
Lonial found an issue that despite user- and BPF-side frozen BPF map (like in case of .rodata) it was still possible to write into it from a BPF program side through specific helpers having ARG_PTR_TO_LONGINT as arguments.
In check_func_arg() when the argument is as mentioned the meta->raw_mode is never set. Later check_helper_mem_access() under the case of PTR_TO_MAP_VALUE as register base type it assumes BPF_READ for the subsequent call to check_map_access_type() and given the BPF map is read-only it succeeds.
The helpers really need to be annotated as ARG_PTR_TO_LONGINT | MEM_UNINIT when results are written into them as opposed to read out of them. The latter indicates that it’s okay to pass a pointer to uninitialized memory as the memory is written to anyway.
However ARG_PTR_TO_LONGINT is a special case of ARG_PTR_TO_FIXED_SIZE_MEM
just with additional alignment requirement. So it is better to just get
rid of the ARG_PTR_TO_LONGINT special cases altogether and reuse the
fixed size memory types. For this add MEM_ALIGNED to additionally ensure
alignment given these helpers write directly into the args via
MEM_ALIGNED can only be used in combination with MEM_FIXED_SIZE annotated
argument types since in !MEM_FIXED_SIZE cases the verifier does not know
the buffer size a priori and therefore cannot blindly write
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Reference
https://git.kernel.org/stable/c/a2c8dc7e21803257e762b0bf067fd13e9c995da0 https://git.kernel.org/stable/c/2ed98ee02d1e08afee88f54baec39ea78dc8a23c https://git.kernel.org/stable/c/1e75d25133158b525e0456876e9bcfd6b2993fd5 https://git.kernel.org/stable/c/32556ce93bc45c730829083cb60f95a2728ea48b
Attack Complexity
LOW
Privileges Required
LOW
User Interaction Required
LOW
Scope
NONE
Confidentiality Impact
UNCHANGED
Integrity Impact
NONE
Availability Impact
HIGH
Base Score
HIGH
Base Severity
7.1
Share on: