{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2024-49861","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-10-21T12:17:06.017Z","datePublished":"2024-10-21T12:27:19.321Z","dateUpdated":"2025-11-03T20:41:16.087Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T09:39:46.114Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix helper writes to read-only maps\n\nLonial found an issue that despite user- and BPF-side frozen BPF map\n(like in case of .rodata), it was still possible to write into it from\na BPF program side through specific helpers having ARG_PTR_TO_{LONG,INT}\nas arguments.\n\nIn check_func_arg() when the argument is as mentioned, the meta->raw_mode\nis never set. Later, check_helper_mem_access(), under the case of\nPTR_TO_MAP_VALUE as register base type, it assumes BPF_READ for the\nsubsequent call to check_map_access_type() and given the BPF map is\nread-only it succeeds.\n\nThe helpers really need to be annotated as ARG_PTR_TO_{LONG,INT} | MEM_UNINIT\nwhen results are written into them as opposed to read out of them. The\nlatter indicates that it's okay to pass a pointer to uninitialized memory\nas the memory is written to anyway.\n\nHowever, ARG_PTR_TO_{LONG,INT} is a special case of ARG_PTR_TO_FIXED_SIZE_MEM\njust with additional alignment requirement. So it is better to just get\nrid of the ARG_PTR_TO_{LONG,INT} special cases altogether and reuse the\nfixed size memory types. For this, add MEM_ALIGNED to additionally ensure\nalignment given these helpers write directly into the args via *<ptr> = val.\nThe .arg*_size has been initialized reflecting the actual sizeof(*<ptr>).\n\nMEM_ALIGNED can only be used in combination with MEM_FIXED_SIZE annotated\nargument types, since in !MEM_FIXED_SIZE cases the verifier does not know\nthe buffer size a priori and therefore cannot blindly write *<ptr> = val."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["include/linux/bpf.h","kernel/bpf/helpers.c","kernel/bpf/syscall.c","kernel/bpf/verifier.c","kernel/trace/bpf_trace.c","net/core/filter.c"],"versions":[{"version":"57c3bb725a3dd97d960d7e1cd0845d88de53217f","lessThan":"988e55abcf7fdb8fc9a76a7cf3f4e939a4d4fb3a","status":"affected","versionType":"git"},{"version":"57c3bb725a3dd97d960d7e1cd0845d88de53217f","lessThan":"a2c8dc7e21803257e762b0bf067fd13e9c995da0","status":"affected","versionType":"git"},{"version":"57c3bb725a3dd97d960d7e1cd0845d88de53217f","lessThan":"2ed98ee02d1e08afee88f54baec39ea78dc8a23c","status":"affected","versionType":"git"},{"version":"57c3bb725a3dd97d960d7e1cd0845d88de53217f","lessThan":"1e75d25133158b525e0456876e9bcfd6b2993fd5","status":"affected","versionType":"git"},{"version":"57c3bb725a3dd97d960d7e1cd0845d88de53217f","lessThan":"32556ce93bc45c730829083cb60f95a2728ea48b","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["include/linux/bpf.h","kernel/bpf/helpers.c","kernel/bpf/syscall.c","kernel/bpf/verifier.c","kernel/trace/bpf_trace.c","net/core/filter.c"],"versions":[{"version":"5.2","status":"affected"},{"version":"0","lessThan":"5.2","status":"unaffected","versionType":"semver"},{"version":"6.1.120","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.54","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.10.13","lessThanOrEqual":"6.10.*","status":"unaffected","versionType":"semver"},{"version":"6.11.2","lessThanOrEqual":"6.11.*","status":"unaffected","versionType":"semver"},{"version":"6.12","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.2","versionEndExcluding":"6.1.120"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.2","versionEndExcluding":"6.6.54"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.2","versionEndExcluding":"6.10.13"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.2","versionEndExcluding":"6.11.2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.2","versionEndExcluding":"6.12"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/988e55abcf7fdb8fc9a76a7cf3f4e939a4d4fb3a"},{"url":"https://git.kernel.org/stable/c/a2c8dc7e21803257e762b0bf067fd13e9c995da0"},{"url":"https://git.kernel.org/stable/c/2ed98ee02d1e08afee88f54baec39ea78dc8a23c"},{"url":"https://git.kernel.org/stable/c/1e75d25133158b525e0456876e9bcfd6b2993fd5"},{"url":"https://git.kernel.org/stable/c/32556ce93bc45c730829083cb60f95a2728ea48b"}],"title":"bpf: Fix helper writes to read-only maps","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"id":"CVE-2024-49861","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2024-10-21T12:55:39.105078Z"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-10-21T13:04:10.325Z"}},{"title":"CVE Program Container","references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T20:41:16.087Z"}}]}}