5.5
MEDIUM
CVE-2024-50099
ARM Linux Uprobes LDR (Literal) and LDRSW (Literal) Insufficient Memory Protection
Description

In the Linux kernel, the following vulnerability has been resolved: arm64: probes: Remove broken LDR (literal) uprobe support The simulate_ldr_literal() and simulate_ldrsw_literal() functions are unsafe to use for uprobes. Both functions were originally written for use with kprobes, and access memory with plain C accesses. When uprobes was added, these were reused unmodified even though they cannot safely access user memory. There are three key problems: 1) The plain C accesses do not have corresponding extable entries, and thus if they encounter a fault the kernel will treat these as unintentional accesses to user memory, resulting in a BUG() which will kill the kernel thread, and likely lead to further issues (e.g. lockup or panic()). 2) The plain C accesses are subject to HW PAN and SW PAN, and so when either is in use, any attempt to simulate an access to user memory will fault. Thus neither simulate_ldr_literal() nor simulate_ldrsw_literal() can do anything useful when simulating a user instruction on any system with HW PAN or SW PAN. 3) The plain C accesses are privileged, as they run in kernel context, and in practice can access a small range of kernel virtual addresses. The instructions they simulate have a range of +/-1MiB, and since the simulated instructions must itself be a user instructions in the TTBR0 address range, these can address the final 1MiB of the TTBR1 acddress range by wrapping downwards from an address in the first 1MiB of the TTBR0 address range. In contemporary kernels the last 8MiB of TTBR1 address range is reserved, and accesses to this will always fault, meaning this is no worse than (1). Historically, it was theoretically possible for the linear map or vmemmap to spill into the final 8MiB of the TTBR1 address range, but in practice this is extremely unlikely to occur as this would require either: * Having enough physical memory to fill the entire linear map all the way to the final 1MiB of the TTBR1 address range. * Getting unlucky with KASLR randomization of the linear map such that the populated region happens to overlap with the last 1MiB of the TTBR address range. ... and in either case if we were to spill into the final page there would be larger problems as the final page would alias with error pointers. Practically speaking, (1) and (2) are the big issues. Given there have been no reports of problems since the broken code was introduced, it appears that no-one is relying on probing these instructions with uprobes. Avoid these issues by not allowing uprobes on LDR (literal) and LDRSW (literal), limiting the use of simulate_ldr_literal() and simulate_ldrsw_literal() to kprobes. Attempts to place uprobes on LDR (literal) and LDRSW (literal) will be rejected as arm_probe_decode_insn() will return INSN_REJECTED. In future we can consider introducing working uprobes support for these instructions, but this will require more significant work.

INFO

Published Date :

Nov. 5, 2024, 6:15 p.m.

Last Modified :

Nov. 12, 2024, 4:28 p.m.

Source :

416baaa9-dc9f-4396-8d5f-8c081fb06d67

Remotely Exploitable :

No

Impact Score :

3.6

Exploitability Score :

1.8
Affected Products

The following products are affected by CVE-2024-50099 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Linux linux_kernel
: Total Affected Vendor : 1 | Products : 1
References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2024-50099.

URL Resource
https://git.kernel.org/stable/c/20cde998315a3d2df08e26079a3ea7501abce6db Patch
https://git.kernel.org/stable/c/3728b4eb27910ffedd173018279a970705f2e03a Patch
https://git.kernel.org/stable/c/9f1e7735474e7457a4d919a517900e46868ae5f6 Patch
https://git.kernel.org/stable/c/acc450aa07099d071b18174c22a1119c57da8227 Patch
https://git.kernel.org/stable/c/ad4bc35a6d22e9ff9b67d0d0c38bce654232f195 Patch
https://git.kernel.org/stable/c/ae743deca78d9e4b7f4f60ad2f95e20e8ea057f9 Patch
https://git.kernel.org/stable/c/bae792617a7e911477f67a3aff850ad4ddf51572 Patch
https://git.kernel.org/stable/c/cc86f2e9876c8b5300238cec6bf0bd8c842078ee Patch

We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).

Results are limited to the first 15 repositories due to potential performance issues.

The following list is the news that have been mention CVE-2024-50099 vulnerability anywhere in the article.

The following table lists the changes that have been made to the CVE-2024-50099 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • Initial Analysis by [email protected]

    Nov. 12, 2024

    Action Type Old Value New Value
    Added CVSS V3.1 NIST AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
    Changed Reference Type https://git.kernel.org/stable/c/20cde998315a3d2df08e26079a3ea7501abce6db No Types Assigned https://git.kernel.org/stable/c/20cde998315a3d2df08e26079a3ea7501abce6db Patch
    Changed Reference Type https://git.kernel.org/stable/c/3728b4eb27910ffedd173018279a970705f2e03a No Types Assigned https://git.kernel.org/stable/c/3728b4eb27910ffedd173018279a970705f2e03a Patch
    Changed Reference Type https://git.kernel.org/stable/c/9f1e7735474e7457a4d919a517900e46868ae5f6 No Types Assigned https://git.kernel.org/stable/c/9f1e7735474e7457a4d919a517900e46868ae5f6 Patch
    Changed Reference Type https://git.kernel.org/stable/c/acc450aa07099d071b18174c22a1119c57da8227 No Types Assigned https://git.kernel.org/stable/c/acc450aa07099d071b18174c22a1119c57da8227 Patch
    Changed Reference Type https://git.kernel.org/stable/c/ad4bc35a6d22e9ff9b67d0d0c38bce654232f195 No Types Assigned https://git.kernel.org/stable/c/ad4bc35a6d22e9ff9b67d0d0c38bce654232f195 Patch
    Changed Reference Type https://git.kernel.org/stable/c/ae743deca78d9e4b7f4f60ad2f95e20e8ea057f9 No Types Assigned https://git.kernel.org/stable/c/ae743deca78d9e4b7f4f60ad2f95e20e8ea057f9 Patch
    Changed Reference Type https://git.kernel.org/stable/c/bae792617a7e911477f67a3aff850ad4ddf51572 No Types Assigned https://git.kernel.org/stable/c/bae792617a7e911477f67a3aff850ad4ddf51572 Patch
    Changed Reference Type https://git.kernel.org/stable/c/cc86f2e9876c8b5300238cec6bf0bd8c842078ee No Types Assigned https://git.kernel.org/stable/c/cc86f2e9876c8b5300238cec6bf0bd8c842078ee Patch
    Added CWE NIST NVD-CWE-noinfo
    Added CPE Configuration OR *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.10 up to (excluding) 4.19.323 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.20 up to (excluding) 5.4.285 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.5 up to (excluding) 5.10.228 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.11 up to (excluding) 5.15.169 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.16 up to (excluding) 6.1.114 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.2 up to (excluding) 6.6.58 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.7 up to (excluding) 6.11.5 *cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:* *cpe:2.3:o:linux:linux_kernel:6.12:rc3:*:*:*:*:*:*
  • CVE Modified by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Nov. 08, 2024

    Action Type Old Value New Value
    Added Reference kernel.org https://git.kernel.org/stable/c/cc86f2e9876c8b5300238cec6bf0bd8c842078ee [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/ae743deca78d9e4b7f4f60ad2f95e20e8ea057f9 [No types assigned]
  • CVE Received by 416baaa9-dc9f-4396-8d5f-8c081fb06d67

    Nov. 05, 2024

    Action Type Old Value New Value
    Added Description In the Linux kernel, the following vulnerability has been resolved: arm64: probes: Remove broken LDR (literal) uprobe support The simulate_ldr_literal() and simulate_ldrsw_literal() functions are unsafe to use for uprobes. Both functions were originally written for use with kprobes, and access memory with plain C accesses. When uprobes was added, these were reused unmodified even though they cannot safely access user memory. There are three key problems: 1) The plain C accesses do not have corresponding extable entries, and thus if they encounter a fault the kernel will treat these as unintentional accesses to user memory, resulting in a BUG() which will kill the kernel thread, and likely lead to further issues (e.g. lockup or panic()). 2) The plain C accesses are subject to HW PAN and SW PAN, and so when either is in use, any attempt to simulate an access to user memory will fault. Thus neither simulate_ldr_literal() nor simulate_ldrsw_literal() can do anything useful when simulating a user instruction on any system with HW PAN or SW PAN. 3) The plain C accesses are privileged, as they run in kernel context, and in practice can access a small range of kernel virtual addresses. The instructions they simulate have a range of +/-1MiB, and since the simulated instructions must itself be a user instructions in the TTBR0 address range, these can address the final 1MiB of the TTBR1 acddress range by wrapping downwards from an address in the first 1MiB of the TTBR0 address range. In contemporary kernels the last 8MiB of TTBR1 address range is reserved, and accesses to this will always fault, meaning this is no worse than (1). Historically, it was theoretically possible for the linear map or vmemmap to spill into the final 8MiB of the TTBR1 address range, but in practice this is extremely unlikely to occur as this would require either: * Having enough physical memory to fill the entire linear map all the way to the final 1MiB of the TTBR1 address range. * Getting unlucky with KASLR randomization of the linear map such that the populated region happens to overlap with the last 1MiB of the TTBR address range. ... and in either case if we were to spill into the final page there would be larger problems as the final page would alias with error pointers. Practically speaking, (1) and (2) are the big issues. Given there have been no reports of problems since the broken code was introduced, it appears that no-one is relying on probing these instructions with uprobes. Avoid these issues by not allowing uprobes on LDR (literal) and LDRSW (literal), limiting the use of simulate_ldr_literal() and simulate_ldrsw_literal() to kprobes. Attempts to place uprobes on LDR (literal) and LDRSW (literal) will be rejected as arm_probe_decode_insn() will return INSN_REJECTED. In future we can consider introducing working uprobes support for these instructions, but this will require more significant work.
    Added Reference kernel.org https://git.kernel.org/stable/c/3728b4eb27910ffedd173018279a970705f2e03a [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/ad4bc35a6d22e9ff9b67d0d0c38bce654232f195 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/bae792617a7e911477f67a3aff850ad4ddf51572 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/9f1e7735474e7457a4d919a517900e46868ae5f6 [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/20cde998315a3d2df08e26079a3ea7501abce6db [No types assigned]
    Added Reference kernel.org https://git.kernel.org/stable/c/acc450aa07099d071b18174c22a1119c57da8227 [No types assigned]
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. Following chart shows the EPSS score history of the vulnerability.
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2024-50099 is associated with the following CWEs:

Common Attack Pattern Enumeration and Classification (CAPEC)

Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2024-50099 weaknesses.

CVSS31 - Vulnerability Scoring System
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
: