{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2024-50164","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-10-21T19:36:19.962Z","datePublished":"2024-11-07T09:31:41.012Z","dateUpdated":"2025-11-03T20:43:57.432Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T12:59:39.926Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix overloading of MEM_UNINIT's meaning\n\nLonial reported an issue in the BPF verifier where check_mem_size_reg()\nhas the following code:\n\n    if (!tnum_is_const(reg->var_off))\n        /* For unprivileged variable accesses, disable raw\n         * mode so that the program is required to\n         * initialize all the memory that the helper could\n         * just partially fill up.\n         */\n         meta = NULL;\n\nThis means that writes are not checked when the register containing the\nsize of the passed buffer does not have a fixed size. Through this bug, a BPF\nprogram can write to a map which is marked as read-only, for example,\n.rodata global maps.\n\nThe problem is that MEM_UNINIT's initial meaning that \"the passed buffer\nto the BPF helper does not need to be initialized\" which was added back\nin commit 435faee1aae9 (\"bpf, verifier: add ARG_PTR_TO_RAW_STACK type\")\ngot overloaded over time with \"the passed buffer is being written to\".\n\nThe problem however is that checks such as the above which were added later\nvia 06c1c049721a (\"bpf: allow helpers access to variable memory\") set meta\nto NULL in order to force the user to always initialize the passed buffer to\nthe helper. 
Due to the current double meaning of MEM_UNINIT, this bypasses\nverifier write checks to the memory (not boundary checks though) and only\nassumes the latter memory is read instead.\n\nFix this by reverting MEM_UNINIT back to its original meaning, and having\nMEM_WRITE as an annotation to BPF helpers in order to then trigger the\nBPF verifier checks for writing to memory.\n\nSome notes: check_arg_pair_ok() ensures that for ARG_CONST_SIZE{,_OR_ZERO}\nwe can access fn->arg_type[arg - 1] since it must contain a preceding\nARG_PTR_TO_MEM. For check_mem_reg() the meta argument can be removed\naltogether since we do check both BPF_READ and BPF_WRITE. Same for the\nequivalent check_kfunc_mem_size_reg()."}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["kernel/bpf/verifier.c"],"versions":[{"version":"97e6d7dab1ca4648821c790a2b7913d6d5d549db","lessThan":"43f4df339a4d375bedcad29a61ae6f0ee7a048f8","status":"affected","versionType":"git"},{"version":"97e6d7dab1ca4648821c790a2b7913d6d5d549db","lessThan":"48068ccaea957469f1adf78dfd2c1c9a7e18f0fe","status":"affected","versionType":"git"},{"version":"97e6d7dab1ca4648821c790a2b7913d6d5d549db","lessThan":"54bc31682660810af1bed7ca7a19f182df8d3df8","status":"affected","versionType":"git"},{"version":"97e6d7dab1ca4648821c790a2b7913d6d5d549db","lessThan":"8ea607330a39184f51737c6ae706db7fdca7628e","status":"affected","versionType":"git"},{"version":"6099a6c8a749a5c8d5f8b4c4342022a92072a02b","status":"affected","versionType":"git"},{"version":"bfe25df63048edd4ceaf78a2fc755d5e2befc978","status":"affected","versionType":"git"},{"version":"717c39718dbc4f7ebcbb7b625fb11851cd9007fe","status":"affected","versionType":"git"},{"version":"5d0bba8232bf22ce13747cbfc8f696318ff01a50","status":"affected","versionType":"git"},{"version":"70674d11d14eeecad90be4b409a22b902112ba32","status":"affected","versionType":"git"},{"version":"a08d
942ecbf46e23a192093f6983cb1d779f4fa8","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["kernel/bpf/verifier.c"],"versions":[{"version":"5.19","status":"affected"},{"version":"0","lessThan":"5.19","status":"unaffected","versionType":"semver"},{"version":"6.1.125","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.59","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.11.6","lessThanOrEqual":"6.11.*","status":"unaffected","versionType":"semver"},{"version":"6.12","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.19","versionEndExcluding":"6.1.125"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.19","versionEndExcluding":"6.6.59"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.19","versionEndExcluding":"6.11.6"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.19","versionEndExcluding":"6.12"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.45"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.17.13"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.18.2"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.15.45"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.17.13"},{"vulnerable":true,"criteria":"cpe:
2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"5.18.2"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/43f4df339a4d375bedcad29a61ae6f0ee7a048f8"},{"url":"https://git.kernel.org/stable/c/48068ccaea957469f1adf78dfd2c1c9a7e18f0fe"},{"url":"https://git.kernel.org/stable/c/54bc31682660810af1bed7ca7a19f182df8d3df8"},{"url":"https://git.kernel.org/stable/c/8ea607330a39184f51737c6ae706db7fdca7628e"}],"title":"bpf: Fix overloading of MEM_UNINIT's meaning","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"title":"CVE Program Container","references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T20:43:57.432Z"}}]}}
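Added illustration, not part of the CVE record and not kernel code: a reduced C model of the helper-argument memory check that the description above quotes from check_mem_size_reg(). The flag names MEM_UNINIT and MEM_WRITE, the verdict values, the struct names and the two sample registers (a .rodata map value and an untouched stack buffer) are assumptions chosen for the model; the kernel's real check spans several functions and many more argument kinds. The pre-fix path derives the access type from meta->raw_mode alone and drops meta when the size register is not a constant, so a helper that writes into its buffer is checked as a read and a read-only map passes. The post-fix path keys the write check off MEM_WRITE, so dropping meta only restores the original "must be initialized" requirement.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of the verifier's helper-argument memory check. Flag and
 * struct names follow the kernel, but the logic is reduced to the single
 * decision the advisory describes. This is illustrative code, not kernel code. */
#define MEM_UNINIT (1u << 0) /* buffer need not be initialized before the call */
#define MEM_WRITE  (1u << 1) /* helper writes into the buffer (annotation added by the fix) */

enum access_type { BPF_READ, BPF_WRITE };

enum verdict {
	VERDICT_OK,
	VERDICT_REJECT_WRITE_RO, /* write into a read-only map, e.g. .rodata */
	VERDICT_REJECT_UNINIT    /* read of memory the program never initialized */
};

struct mem_reg {
	bool map_readonly; /* register points into a read-only map */
	bool initialized;  /* every byte in the accessed range is initialized */
};

struct bpf_call_arg_meta {
	bool raw_mode; /* derived from MEM_UNINIT */
};

/* Common back end: the write check is what protects a read-only map. */
static enum verdict check_mem_access(const struct mem_reg *reg,
				     enum access_type t, bool require_init)
{
	if (t == BPF_WRITE && reg->map_readonly)
		return VERDICT_REJECT_WRITE_RO;
	if (require_init && !reg->initialized)
		return VERDICT_REJECT_UNINIT;
	return VERDICT_OK;
}

/* Pre-fix: access type comes from meta->raw_mode only, and meta is dropped
 * for a non-constant size register. A helper that writes into the buffer is
 * therefore checked as a read when the size is variable, so a read-only map
 * passes. MEM_WRITE did not exist yet, so this path ignores it. */
static enum verdict check_mem_size_reg_buggy(const struct mem_reg *reg,
					     bool size_is_const, uint32_t arg_type)
{
	struct bpf_call_arg_meta m = { .raw_mode = (arg_type & MEM_UNINIT) != 0 };
	struct bpf_call_arg_meta *meta = size_is_const ? &m : NULL;
	bool raw = meta && meta->raw_mode;

	return check_mem_access(reg, raw ? BPF_WRITE : BPF_READ, !raw);
}

/* Post-fix: MEM_WRITE selects the write check independently of meta.
 * MEM_UNINIT only relaxes the initialization requirement, and dropping meta
 * for a variable size forces initialization as originally intended. */
static enum verdict check_mem_size_reg_fixed(const struct mem_reg *reg,
					     bool size_is_const, uint32_t arg_type)
{
	struct bpf_call_arg_meta m = { .raw_mode = (arg_type & MEM_UNINIT) != 0 };
	struct bpf_call_arg_meta *meta = size_is_const ? &m : NULL;
	bool raw = meta && meta->raw_mode;
	enum access_type t = (arg_type & MEM_WRITE) ? BPF_WRITE : BPF_READ;

	return check_mem_access(reg, t, !raw);
}

/* Constructed sample registers: a .rodata map value and an untouched stack buffer. */
static const struct mem_reg RODATA_MAP = { .map_readonly = true, .initialized = true };
static const struct mem_reg UNINIT_STACK = { .map_readonly = false, .initialized = false };

int main(void)
{
	const uint32_t writer = MEM_UNINIT | MEM_WRITE; /* a helper that fills its buffer */

	printf("rodata map, variable size:   buggy=%d fixed=%d\n",
	       check_mem_size_reg_buggy(&RODATA_MAP, false, writer),
	       check_mem_size_reg_fixed(&RODATA_MAP, false, writer));
	printf("rodata map, constant size:   buggy=%d fixed=%d\n",
	       check_mem_size_reg_buggy(&RODATA_MAP, true, writer),
	       check_mem_size_reg_fixed(&RODATA_MAP, true, writer));
	printf("uninit stack, variable size: buggy=%d fixed=%d\n",
	       check_mem_size_reg_buggy(&UNINIT_STACK, false, writer),
	       check_mem_size_reg_fixed(&UNINIT_STACK, false, writer));
	return 0;
}
```

The first case is the one the record describes: with a variable-size register the buggy path returns VERDICT_OK for a write into the read-only map, while the fixed path rejects it; with a constant size both paths reject it, and the uninitialized-stack case shows that the fix keeps the original initialization requirement rather than dropping it.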