CVE-2024-49861 Affecting kernel-uki-virt-addons package, versions *
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-RHEL9-KERNELUKIVIRTADDONS-8427349
- published27 Nov 2024
- disclosed21 Oct 2024
Introduced: 21 Oct 2024
CVE-2024-49861 (opens in a new tab)How to fix?
There is no fixed version for RHEL:9 kernel-uki-virt-addons.
NVD Description
Note: Versions mentioned in the description apply only to the upstream kernel-uki-virt-addons package and not the kernel-uki-virt-addons package as distributed by RHEL.
See How to fix? for RHEL:9 relevant fixed versions and status.
In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix helper writes to read-only maps
Lonial found an issue that despite user- and BPF-side frozen BPF map (like in case of .rodata), it was still possible to write into it from a BPF program side through specific helpers having ARG_PTR_TO_{LONG,INT} as arguments.
In check_func_arg() when the argument is as mentioned, the meta->raw_mode is never set. Later, check_helper_mem_access(), under the case of PTR_TO_MAP_VALUE as register base type, it assumes BPF_READ for the subsequent call to check_map_access_type() and given the BPF map is read-only it succeeds.
The helpers really need to be annotated as ARG_PTR_TO_{LONG,INT} | MEM_UNINIT when results are written into them as opposed to read out of them. The latter indicates that it's okay to pass a pointer to uninitialized memory as the memory is written to anyway.
However, ARG_PTR_TO_{LONG,INT} is a special case of ARG_PTR_TO_FIXED_SIZE_MEM just with additional alignment requirement. So it is better to just get rid of the ARG_PTR_TO_{LONG,INT} special cases altogether and reuse the fixed size memory types. For this, add MEM_ALIGNED to additionally ensure alignment given these helpers write directly into the args via <ptr> = val. The .arg_size has been initialized reflecting the actual sizeof(*<ptr>).
MEM_ALIGNED can only be used in combination with MEM_FIXED_SIZE annotated argument types, since in !MEM_FIXED_SIZE cases the verifier does not know the buffer size a priori and therefore cannot blindly write *<ptr> = val.
References
- https://access.redhat.com/security/cve/CVE-2024-49861
- https://git.kernel.org/stable/c/1e75d25133158b525e0456876e9bcfd6b2993fd5
- https://git.kernel.org/stable/c/2ed98ee02d1e08afee88f54baec39ea78dc8a23c
- https://git.kernel.org/stable/c/32556ce93bc45c730829083cb60f95a2728ea48b
- https://git.kernel.org/stable/c/a2c8dc7e21803257e762b0bf067fd13e9c995da0