CVE-2024-50194

CVE Details

Release Date: 2024-11-08

Description


In the Linux kernel, the following vulnerability has been resolved:

arm64: probes: Fix uprobes for big-endian kernels

The arm64 uprobes code is broken for big-endian kernels as it doesn't
convert the in-memory instruction encoding (which is always
little-endian) into the kernel's native endianness before analyzing and
simulating instructions. This may result in a few distinct problems:

* The kernel may erroneously reject probing an instruction which can
  safely be probed.

* The kernel may erroneously permit stepping an instruction out-of-line
  when that instruction cannot be stepped out-of-line safely.

* The kernel may erroneously simulate an instruction incorrectly due to
  interpreting the byte-swapped encoding.

The endianness mismatch isn't caught by the compiler or sparse because:

* The arch_uprobe::{insn,ixol} fields are encoded as arrays of u8, so
  the compiler and sparse have no idea these contain a little-endian
  32-bit value. The core uprobes code populates these with a memcpy()
  which similarly does not handle endianness.

* While the uprobe_opcode_t type is an alias for __le32, both
  arch_uprobe_analyze_insn() and arch_uprobe_skip_sstep() cast from u8[]
  to the similarly-named probe_opcode_t, which is an alias for u32.
  Hence there is no endianness conversion warning.

Fix this by changing the arch_uprobe::{insn,ixol} fields to __le32 and
adding the appropriate __le32_to_cpu() conversions prior to consuming
the instruction encoding. The core uprobes copies these fields as opaque
ranges of bytes, and so is unaffected by this change.

At the same time, remove MAX_UINSN_BYTES and consistently use
AARCH64_INSN_SIZE for clarity.

Tested with the following:

| #include <stdbool.h>
| #include <stdio.h>
|
| #define noinline __attribute__((noinline))
|
| /* Returns its own address via a PC-relative ADRP + ADD pair. */
| static noinline void *adrp_self(void)
| {
|         void *addr;
|
|         asm volatile(
|         "       adrp    %x0, adrp_self\n"
|         "       add     %x0, %x0, :lo12:adrp_self\n"
|         : "=r" (addr));
|
|         return addr;
| }
|
|
| int main(int argc, char *argv[])
| {
|         void *ptr = adrp_self();
|         bool equal = (ptr == adrp_self);
|
|         printf("adrp_self => %p\n"
|                "adrp_self() => %p\n"
|                "%s\n",
|                adrp_self, ptr, equal ? "EQUAL" : "NOT EQUAL");
|
|         return 0;
| }

.... where the adrp_self() function was compiled to:

| 00000000004007e0 <adrp_self>:
|   4007e0:       90000000        adrp    x0, 400000 <__ehdr_start>
|   4007e4:       911f8000        add     x0, x0, #0x7e0
|   4007e8:       d65f03c0        ret

Before this patch, the ADRP is not recognized, and is assumed to be
steppable, resulting in corruption of the result:

| # ./adrp-self
| adrp_self => 0x4007e0
| adrp_self() => 0x4007e0
| EQUAL
| # echo 'p /root/adrp-self:0x007e0' > /sys/kernel/tracing/uprobe_events
| # echo 1 > /sys/kernel/tracing/events/uprobes/enable
| # ./adrp-self
| adrp_self => 0x4007e0
| adrp_self() => 0xffffffffff7e0
| NOT EQUAL

After this patch, the ADRP is correctly recognized and simulated:

| # ./adrp-self
| adrp_self => 0x4007e0
| adrp_self() => 0x4007e0
| EQUAL
| #
| # echo 'p /root/adrp-self:0x007e0' > /sys/kernel/tracing/uprobe_events
| # echo 1 > /sys/kernel/tracing/events/uprobes/enable
| # ./adrp-self
| adrp_self => 0x4007e0
| adrp_self() => 0x4007e0
| EQUAL
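The decode mismatch the commit describes, as an added example that is not code from the kernel commit or the kernel tree: the ADRP mask/value and the two-way `decide()` model are simplified assumptions, the instruction bytes are the constructed little-endian encoding of the `adrp` shown in the disassembly above, and host byte order is passed as a parameter so the big-endian and little-endian cases both run on any machine.

```c
#include <stdbool.h>
#include <stdint.h>

/* ADRP encoding: bit 31 set, bits 28:24 == 0b10000 (assumed mask/value). */
#define ADRP_MASK  0x9F000000u
#define ADRP_VALUE 0x90000000u

/* Simplified probe decision: a PC-relative ADRP has to be simulated (no
 * out-of-line slot); anything unrecognised is assumed safe to step out of line. */
enum probe_decision { STEP_OUT_OF_LINE, SIMULATE };

/* Constructed sample: "adrp x0, ..." (0x90000000) as stored in the ELF file,
 * i.e. in little-endian byte order. */
static const uint8_t adrp_insn_bytes[4] = { 0x00, 0x00, 0x00, 0x90 };

/* Fixed path: explicit little-endian decode, the equivalent of
 * __le32_to_cpu() on a __le32 field; host byte order is irrelevant. */
uint32_t decode_le32(const uint8_t b[4])
{
    return (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
           ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
}

/* Pre-fix path: the u8[] cast straight to u32, so the value is read in host
 * byte order. Host order is a parameter so both cases run on any machine. */
uint32_t decode_native(const uint8_t b[4], bool host_big_endian)
{
    if (!host_big_endian)
        return decode_le32(b);
    return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
           ((uint32_t)b[2] << 8) | (uint32_t)b[3];
}

enum probe_decision decide(uint32_t insn)
{
    return (insn & ADRP_MASK) == ADRP_VALUE ? SIMULATE : STEP_OUT_OF_LINE;
}

/* Pre-fix kernel on a given host: big-endian sees 0x00000090, misses the
 * ADRP and wrongly single-steps a PC-relative instruction out of line. */
enum probe_decision before_fix_decision(bool host_big_endian)
{
    return decide(decode_native(adrp_insn_bytes, host_big_endian));
}

/* Fixed kernel: the same answer regardless of host byte order. */
enum probe_decision fixed_decision(void)
{
    return decide(decode_le32(adrp_insn_bytes));
}
```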

See more information about CVE-2024-50194 from MITRE CVE dictionary and NIST NVD


NOTE: The following CVSS metrics and score provided are preliminary and subject to review.


CVSS v3 metrics

Base Score: 5.5
Vector String: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Version: 3.1
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Errata information


Platform                             Errata           Release Date
Oracle Linux version 7 (kernel-uek)  ELSA-2024-12884  2024-12-16
Oracle Linux version 8 (kernel-uek)  ELSA-2024-12884  2024-12-16
Oracle Linux version 8 (kernel-uek)  ELSA-2024-12887  2024-12-18
Oracle Linux version 9 (kernel-uek)  ELSA-2024-12887  2024-12-18


This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections:
