mirror of
https://github.com/0xMarcio/cve.git
synced 2025-11-30 18:56:19 +00:00
18 lines
2.0 KiB
Markdown
18 lines
2.0 KiB
Markdown
### [CVE-2024-49861](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-49861)
|
|
|
|
|
|
|
|
|
|
### Description
|
|
|
|
In the Linux kernel, the following vulnerability has been resolved:bpf: Fix helper writes to read-only mapsLonial found an issue that despite user- and BPF-side frozen BPF map(like in case of .rodata), it was still possible to write into it froma BPF program side through specific helpers having ARG_PTR_TO_{LONG,INT}as arguments.In check_func_arg() when the argument is as mentioned, the meta->raw_modeis never set. Later, check_helper_mem_access(), under the case ofPTR_TO_MAP_VALUE as register base type, it assumes BPF_READ for thesubsequent call to check_map_access_type() and given the BPF map isread-only it succeeds.The helpers really need to be annotated as ARG_PTR_TO_{LONG,INT} | MEM_UNINITwhen results are written into them as opposed to read out of them. Thelatter indicates that it's okay to pass a pointer to uninitialized memoryas the memory is written to anyway.However, ARG_PTR_TO_{LONG,INT} is a special case of ARG_PTR_TO_FIXED_SIZE_MEMjust with additional alignment requirement. So it is better to just getrid of the ARG_PTR_TO_{LONG,INT} special cases altogether and reuse thefixed size memory types. For this, add MEM_ALIGNED to additionally ensurealignment given these helpers write directly into the args via *<ptr> = val.The .arg*_size has been initialized reflecting the actual sizeof(*<ptr>).MEM_ALIGNED can only be used in combination with MEM_FIXED_SIZE annotatedargument types, since in !MEM_FIXED_SIZE cases the verifier does not knowthe buffer size a priori and therefore cannot blindly write *<ptr> = val.
|
|
|
|
### POC
|
|
|
|
#### Reference
|
|
No PoCs from references.
|
|
|
|
#### Github
|
|
- https://github.com/terawhiz/exploits
|
|
|