{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2024-50194","assignerOrgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","state":"PUBLISHED","assignerShortName":"Linux","dateReserved":"2024-10-21T19:36:19.968Z","datePublished":"2024-11-08T05:54:09.327Z","dateUpdated":"2025-11-03T22:26:49.079Z"},"containers":{"cna":{"providerMetadata":{"orgId":"416baaa9-dc9f-4396-8d5f-8c081fb06d67","shortName":"Linux","dateUpdated":"2025-05-04T09:48:24.871Z"},"descriptions":[{"lang":"en","value":"In the Linux kernel, the following vulnerability has been resolved:\n\narm64: probes: Fix uprobes for big-endian kernels\n\nThe arm64 uprobes code is broken for big-endian kernels as it doesn't\nconvert the in-memory instruction encoding (which is always\nlittle-endian) into the kernel's native endianness before analyzing and\nsimulating instructions. This may result in a few distinct problems:\n\n* The kernel may erroneously reject probing an instruction which can\n  safely be probed.\n\n* The kernel may erroneously permit stepping an\n  instruction out-of-line when that instruction cannot be stepped\n  out-of-line safely.\n\n* The kernel may erroneously simulate instruction incorrectly due to\n  interpreting the byte-swapped encoding.\n\nThe endianness mismatch isn't caught by the compiler or sparse because:\n\n* The arch_uprobe::{insn,ixol} fields are encoded as arrays of u8, so\n  the compiler and sparse have no idea these contain a little-endian\n  32-bit value. 
The core uprobes code populates these with a memcpy()\n  which similarly does not handle endianness.\n\n* While the uprobe_opcode_t type is an alias for __le32, both\n  arch_uprobe_analyze_insn() and arch_uprobe_skip_sstep() cast from u8[]\n  to the similarly-named probe_opcode_t, which is an alias for u32.\n  Hence there is no endianness conversion warning.\n\nFix this by changing the arch_uprobe::{insn,ixol} fields to __le32 and\nadding the appropriate __le32_to_cpu() conversions prior to consuming\nthe instruction encoding. The core uprobes copies these fields as opaque\nranges of bytes, and so is unaffected by this change.\n\nAt the same time, remove MAX_UINSN_BYTES and consistently use\nAARCH64_INSN_SIZE for clarity.\n\nTested with the following:\n\n| #include <stdio.h>\n| #include <stdbool.h>\n|\n| #define noinline __attribute__((noinline))\n|\n| static noinline void *adrp_self(void)\n| {\n|         void *addr;\n|\n|         asm volatile(\n|         \"       adrp    %x0, adrp_self\\n\"\n|         \"       add     %x0, %x0, :lo12:adrp_self\\n\"\n|         : \"=r\" (addr));\n| }\n|\n|\n| int main(int argc, char *argv)\n| {\n|         void *ptr = adrp_self();\n|         bool equal = (ptr == adrp_self);\n|\n|         printf(\"adrp_self   => %p\\n\"\n|                \"adrp_self() => %p\\n\"\n|                \"%s\\n\",\n|                adrp_self, ptr, equal ? \"EQUAL\" : \"NOT EQUAL\");\n|\n|         return 0;\n| }\n\n.... 
where the adrp_self() function was compiled to:\n\n| 00000000004007e0 <adrp_self>:\n|   4007e0:       90000000        adrp    x0, 400000 <__ehdr_start>\n|   4007e4:       911f8000        add     x0, x0, #0x7e0\n|   4007e8:       d65f03c0        ret\n\nBefore this patch, the ADRP is not recognized, and is assumed to be\nsteppable, resulting in corruption of the result:\n\n| # ./adrp-self\n| adrp_self   => 0x4007e0\n| adrp_self() => 0x4007e0\n| EQUAL\n| # echo 'p /root/adrp-self:0x007e0' > /sys/kernel/tracing/uprobe_events\n| # echo 1 > /sys/kernel/tracing/events/uprobes/enable\n| # ./adrp-self\n| adrp_self   => 0x4007e0\n| adrp_self() => 0xffffffffff7e0\n| NOT EQUAL\n\nAfter this patch, the ADRP is correctly recognized and simulated:\n\n| # ./adrp-self\n| adrp_self   => 0x4007e0\n| adrp_self() => 0x4007e0\n| EQUAL\n| #\n| # echo 'p /root/adrp-self:0x007e0' > /sys/kernel/tracing/uprobe_events\n| # echo 1 > /sys/kernel/tracing/events/uprobes/enable\n| # ./adrp-self\n| adrp_self   => 0x4007e0\n| adrp_self() => 0x4007e0\n| 
EQUAL"}],"affected":[{"product":"Linux","vendor":"Linux","defaultStatus":"unaffected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["arch/arm64/include/asm/uprobes.h","arch/arm64/kernel/probes/uprobes.c"],"versions":[{"version":"9842ceae9fa8deae141533d52a6ead7666962c09","lessThan":"b6a638cb600e13f94b5464724eaa6ab7f3349ca2","status":"affected","versionType":"git"},{"version":"9842ceae9fa8deae141533d52a6ead7666962c09","lessThan":"e6ab336213918575124d6db43dc5d3554526242e","status":"affected","versionType":"git"},{"version":"9842ceae9fa8deae141533d52a6ead7666962c09","lessThan":"cf9ddf9ed94c15564a05bbf6e9f18dffa0c7df80","status":"affected","versionType":"git"},{"version":"9842ceae9fa8deae141533d52a6ead7666962c09","lessThan":"cf60d19d40184e43d9a624e55a0da73be09e938d","status":"affected","versionType":"git"},{"version":"9842ceae9fa8deae141533d52a6ead7666962c09","lessThan":"14841bb7a531b96e2dde37423a3b33e75147c60d","status":"affected","versionType":"git"},{"version":"9842ceae9fa8deae141533d52a6ead7666962c09","lessThan":"8165bf83b8a64be801d59cd2532b0d1ffed74d00","status":"affected","versionType":"git"},{"version":"9842ceae9fa8deae141533d52a6ead7666962c09","lessThan":"3d2530c65be04e93720e30f191a7cf1a3aa8b51c","status":"affected","versionType":"git"},{"version":"9842ceae9fa8deae141533d52a6ead7666962c09","lessThan":"13f8f1e05f1dc36dbba6cba0ae03354c0dafcde7","status":"affected","versionType":"git"}]},{"product":"Linux","vendor":"Linux","defaultStatus":"affected","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","programFiles":["arch/arm64/include/asm/uprobes.h","arch/arm64/kernel/probes/uprobes.c"],"versions":[{"version":"4.10","status":"affected"},{"version":"0","lessThan":"4.10","status":"unaffected","versionType":"semver"},{"version":"4.19.323","lessThanOrEqual":"4.19.*","status":"unaffected","versionType":"semver"},{"version":"5.4.285","lessThanOrEqual":"5.4.*","status":"unaffected","versionType":"semver"},{
"version":"5.10.229","lessThanOrEqual":"5.10.*","status":"unaffected","versionType":"semver"},{"version":"5.15.170","lessThanOrEqual":"5.15.*","status":"unaffected","versionType":"semver"},{"version":"6.1.115","lessThanOrEqual":"6.1.*","status":"unaffected","versionType":"semver"},{"version":"6.6.58","lessThanOrEqual":"6.6.*","status":"unaffected","versionType":"semver"},{"version":"6.11.5","lessThanOrEqual":"6.11.*","status":"unaffected","versionType":"semver"},{"version":"6.12","lessThanOrEqual":"*","status":"unaffected","versionType":"original_commit_for_fix"}]}],"cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.10","versionEndExcluding":"4.19.323"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.10","versionEndExcluding":"5.4.285"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.10","versionEndExcluding":"5.10.229"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.10","versionEndExcluding":"5.15.170"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.10","versionEndExcluding":"6.1.115"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.10","versionEndExcluding":"6.6.58"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.10","versionEndExcluding":"6.11.5"},{"vulnerable":true,"criteria":"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*","versionStartIncluding":"4.10","versionEndExcluding":"6.12"}]}]}],"references":[{"url":"https://git.kernel.org/stable/c/b6a638cb600e13f94b5464724eaa6ab7f3349ca2"},{"url":"https://git.kernel.org/stable/c/e6ab336213918575124d6db43dc5d3554526242e"},{"url":"https://git.kernel.org/stable/c/cf
9ddf9ed94c15564a05bbf6e9f18dffa0c7df80"},{"url":"https://git.kernel.org/stable/c/cf60d19d40184e43d9a624e55a0da73be09e938d"},{"url":"https://git.kernel.org/stable/c/14841bb7a531b96e2dde37423a3b33e75147c60d"},{"url":"https://git.kernel.org/stable/c/8165bf83b8a64be801d59cd2532b0d1ffed74d00"},{"url":"https://git.kernel.org/stable/c/3d2530c65be04e93720e30f191a7cf1a3aa8b51c"},{"url":"https://git.kernel.org/stable/c/13f8f1e05f1dc36dbba6cba0ae03354c0dafcde7"}],"title":"arm64: probes: Fix uprobes for big-endian kernels","x_generator":{"engine":"bippy-1.2.0"}},"adp":[{"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":5.5,"attackVector":"LOCAL","baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H","integrityImpact":"NONE","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"LOW","confidentialityImpact":"NONE"}},{"other":{"type":"ssvc","content":{"id":"CVE-2024-50194","role":"CISA Coordinator","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"version":"2.0.3","timestamp":"2025-10-01T20:18:08.294530Z"}}}],"problemTypes":[{"descriptions":[{"lang":"en","type":"CWE","description":"CWE-noinfo Not enough information"}]}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-10-01T20:27:08.000Z"}},{"title":"CVE Program Container","references":[{"url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"},{"url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2025-11-03T22:26:49.079Z"}}]}}