fkie_cve-2024-50099
Vulnerability from fkie_nvd
Published
2024-11-05 18:15
Modified
2024-11-12 16:28
Severity ?
5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved: arm64: probes: Remove broken LDR (literal) uprobe support The simulate_ldr_literal() and simulate_ldrsw_literal() functions are unsafe to use for uprobes. Both functions were originally written for use with kprobes, and access memory with plain C accesses. When uprobes was added, these were reused unmodified even though they cannot safely access user memory. There are three key problems: 1) The plain C accesses do not have corresponding extable entries, and thus if they encounter a fault the kernel will treat these as unintentional accesses to user memory, resulting in a BUG() which will kill the kernel thread, and likely lead to further issues (e.g. lockup or panic()). 2) The plain C accesses are subject to HW PAN and SW PAN, and so when either is in use, any attempt to simulate an access to user memory will fault. Thus neither simulate_ldr_literal() nor simulate_ldrsw_literal() can do anything useful when simulating a user instruction on any system with HW PAN or SW PAN. 3) The plain C accesses are privileged, as they run in kernel context, and in practice can access a small range of kernel virtual addresses. The instructions they simulate have a range of +/-1MiB, and since the simulated instructions must itself be a user instructions in the TTBR0 address range, these can address the final 1MiB of the TTBR1 acddress range by wrapping downwards from an address in the first 1MiB of the TTBR0 address range. In contemporary kernels the last 8MiB of TTBR1 address range is reserved, and accesses to this will always fault, meaning this is no worse than (1). Historically, it was theoretically possible for the linear map or vmemmap to spill into the final 8MiB of the TTBR1 address range, but in practice this is extremely unlikely to occur as this would require either: * Having enough physical memory to fill the entire linear map all the way to the final 1MiB of the TTBR1 address range. * Getting unlucky with KASLR randomization of the linear map such that the populated region happens to overlap with the last 1MiB of the TTBR address range. ... and in either case if we were to spill into the final page there would be larger problems as the final page would alias with error pointers. Practically speaking, (1) and (2) are the big issues. Given there have been no reports of problems since the broken code was introduced, it appears that no-one is relying on probing these instructions with uprobes. Avoid these issues by not allowing uprobes on LDR (literal) and LDRSW (literal), limiting the use of simulate_ldr_literal() and simulate_ldrsw_literal() to kprobes. Attempts to place uprobes on LDR (literal) and LDRSW (literal) will be rejected as arm_probe_decode_insn() will return INSN_REJECTED. In future we can consider introducing working uprobes support for these instructions, but this will require more significant work.
References
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/20cde998315a3d2df08e26079a3ea7501abce6dbPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/3728b4eb27910ffedd173018279a970705f2e03aPatch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/9f1e7735474e7457a4d919a517900e46868ae5f6Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/acc450aa07099d071b18174c22a1119c57da8227Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/ad4bc35a6d22e9ff9b67d0d0c38bce654232f195Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/ae743deca78d9e4b7f4f60ad2f95e20e8ea057f9Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/bae792617a7e911477f67a3aff850ad4ddf51572Patch
416baaa9-dc9f-4396-8d5f-8c081fb06d67https://git.kernel.org/stable/c/cc86f2e9876c8b5300238cec6bf0bd8c842078eePatch
Impacted products
Vendor Product Version
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel *
linux linux_kernel 6.12
linux linux_kernel 6.12
linux linux_kernel 6.12


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "56700326-E491-4B17-B143-B939C5EC1DBE",
              "versionEndExcluding": "4.19.323",
              "versionStartIncluding": "4.10",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "B5A89369-320F-47FC-8695-56F61F87E4C0",
              "versionEndExcluding": "5.4.285",
              "versionStartIncluding": "4.20",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "9062315F-AB89-4ABE-8C13-B75927689F66",
              "versionEndExcluding": "5.10.228",
              "versionStartIncluding": "5.5",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "18BEDAD6-86F8-457C-952F-C35698B3D07F",
              "versionEndExcluding": "5.15.169",
              "versionStartIncluding": "5.11",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "10FD2B3E-C7D9-4A9C-BD64-41877EDF88EB",
              "versionEndExcluding": "6.1.114",
              "versionStartIncluding": "5.16",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "6B9489BC-825E-4EEE-8D93-F93C801988C8",
              "versionEndExcluding": "6.6.58",
              "versionStartIncluding": "6.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "6E62D61A-F704-44DB-A311-17B7534DA7BC",
              "versionEndExcluding": "6.11.5",
              "versionStartIncluding": "6.7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc1:*:*:*:*:*:*",
              "matchCriteriaId": "7F361E1D-580F-4A2D-A509-7615F73167A1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc2:*:*:*:*:*:*",
              "matchCriteriaId": "925478D0-3E3D-4E6F-ACD5-09F28D5DF82C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:linux:linux_kernel:6.12:rc3:*:*:*:*:*:*",
              "matchCriteriaId": "3C95E234-D335-4B6C-96BF-E2CEBD8654ED",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: probes: Remove broken LDR (literal) uprobe support\n\nThe simulate_ldr_literal() and simulate_ldrsw_literal() functions are\nunsafe to use for uprobes. Both functions were originally written for\nuse with kprobes, and access memory with plain C accesses. When uprobes\nwas added, these were reused unmodified even though they cannot safely\naccess user memory.\n\nThere are three key problems:\n\n1) The plain C accesses do not have corresponding extable entries, and\n   thus if they encounter a fault the kernel will treat these as\n   unintentional accesses to user memory, resulting in a BUG() which\n   will kill the kernel thread, and likely lead to further issues (e.g.\n   lockup or panic()).\n\n2) The plain C accesses are subject to HW PAN and SW PAN, and so when\n   either is in use, any attempt to simulate an access to user memory\n   will fault. Thus neither simulate_ldr_literal() nor\n   simulate_ldrsw_literal() can do anything useful when simulating a\n   user instruction on any system with HW PAN or SW PAN.\n\n3) The plain C accesses are privileged, as they run in kernel context,\n   and in practice can access a small range of kernel virtual addresses.\n   The instructions they simulate have a range of +/-1MiB, and since the\n   simulated instructions must itself be a user instructions in the\n   TTBR0 address range, these can address the final 1MiB of the TTBR1\n   acddress range by wrapping downwards from an address in the first\n   1MiB of the TTBR0 address range.\n\n   In contemporary kernels the last 8MiB of TTBR1 address range is\n   reserved, and accesses to this will always fault, meaning this is no\n   worse than (1).\n\n   Historically, it was theoretically possible for the linear map or\n   vmemmap to spill into the final 8MiB of the TTBR1 address range, but\n   in practice this is extremely unlikely to occur as this would\n   require either:\n\n   * Having enough physical memory to fill the entire linear map all the\n     way to the final 1MiB of the TTBR1 address range.\n\n   * Getting unlucky with KASLR randomization of the linear map such\n     that the populated region happens to overlap with the last 1MiB of\n     the TTBR address range.\n\n   ... and in either case if we were to spill into the final page there\n   would be larger problems as the final page would alias with error\n   pointers.\n\nPractically speaking, (1) and (2) are the big issues. Given there have\nbeen no reports of problems since the broken code was introduced, it\nappears that no-one is relying on probing these instructions with\nuprobes.\n\nAvoid these issues by not allowing uprobes on LDR (literal) and LDRSW\n(literal), limiting the use of simulate_ldr_literal() and\nsimulate_ldrsw_literal() to kprobes. Attempts to place uprobes on LDR\n(literal) and LDRSW (literal) will be rejected as\narm_probe_decode_insn() will return INSN_REJECTED. In future we can\nconsider introducing working uprobes support for these instructions, but\nthis will require more significant work."
    },
    {
      "lang": "es",
      "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: arm64: sondas: Eliminar el soporte roto de uprobe LDR (literal). Las funciones simulation_ldr_literal() y simulation_ldrsw_literal() no son seguras para usar con uprobes. Ambas funciones se escribieron originalmente para usar con kprobes y acceder a la memoria con accesos C simples. Cuando se agreg\u00f3 uprobes, se reutilizaron sin modificar a pesar de que no pueden acceder de manera segura a la memoria del usuario. Hay tres problemas clave: 1) Los accesos C simples no tienen entradas extable correspondientes y, por lo tanto, si encuentran un fallo, el kernel los tratar\u00e1 como accesos no intencionales a la memoria del usuario, lo que resultar\u00e1 en un BUG() que matar\u00e1 el hilo del kernel y probablemente conducir\u00e1 a m\u00e1s problemas (por ejemplo, bloqueo o panic()). 2) Los accesos C simples est\u00e1n sujetos a HW PAN y SW PAN, y por lo tanto, cuando cualquiera de ellos est\u00e1 en uso, cualquier intento de simular un acceso a la memoria del usuario fallar\u00e1. Por lo tanto, ni simulation_ldr_literal() ni simulation_ldrsw_literal() pueden hacer nada \u00fatil al simular una instrucci\u00f3n de usuario en cualquier sistema con HW PAN o SW PAN. 3) Los accesos C simples son privilegiados, ya que se ejecutan en el contexto del n\u00facleo y, en la pr\u00e1ctica, pueden acceder a un peque\u00f1o rango de direcciones virtuales del n\u00facleo. Las instrucciones que simulan tienen un rango de +/-1 MiB y, dado que las instrucciones simuladas deben ser instrucciones de usuario en el rango de direcciones TTBR0, estas pueden direccionar el \u00faltimo MiB del rango de direcciones de TTBR1 envolviendo hacia abajo desde una direcci\u00f3n en el primer MiB del rango de direcciones TTBR0. En los n\u00facleos contempor\u00e1neos, los \u00faltimos 8 MiB del rango de direcciones TTBR1 est\u00e1n reservados y los accesos a estos siempre fallar\u00e1n, lo que significa que esto no es peor que (1). Hist\u00f3ricamente, era te\u00f3ricamente posible que el mapa lineal o vmemmap se derramara en los \u00faltimos 8 MiB del rango de direcciones TTBR1, pero en la pr\u00e1ctica esto es extremadamente improbable que ocurra ya que esto requerir\u00eda: * Tener suficiente memoria f\u00edsica para llenar todo el mapa lineal hasta el \u00faltimo 1 MiB del rango de direcciones TTBR1. * Tener mala suerte con la aleatorizaci\u00f3n KASLR del mapa lineal de modo que la regi\u00f3n poblada se superponga con el \u00faltimo 1 MiB del rango de direcciones TTBR. ... y en cualquier caso, si nos desbord\u00e1ramos en la p\u00e1gina final, habr\u00eda problemas m\u00e1s grandes ya que la p\u00e1gina final tendr\u00eda alias con punteros de error. Pr\u00e1cticamente hablando, (1) y (2) son los grandes problemas. Dado que no ha habido informes de problemas desde que se introdujo el c\u00f3digo roto, parece que nadie conf\u00eda en sondear estas instrucciones con uprobes. Evite estos problemas al no permitir uprobes en LDR (literal) y LDRSW (literal), y al limitar el uso de simulation_ldr_literal() y simulation_ldrsw_literal() a kprobes. Los intentos de colocar uprobes en LDR (literal) y LDRSW (literal) ser\u00e1n rechazados ya que arm_probe_decode_insn() devolver\u00e1 INSN_REJECTED. En el futuro, podemos considerar la introducci\u00f3n de compatibilidad con uprobes funcionales para estas instrucciones, pero esto requerir\u00e1 un trabajo m\u00e1s significativo."
    }
  ],
  "id": "CVE-2024-50099",
  "lastModified": "2024-11-12T16:28:30.633",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2024-11-05T18:15:13.690",
  "references": [
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/20cde998315a3d2df08e26079a3ea7501abce6db"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/3728b4eb27910ffedd173018279a970705f2e03a"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/9f1e7735474e7457a4d919a517900e46868ae5f6"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/acc450aa07099d071b18174c22a1119c57da8227"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/ad4bc35a6d22e9ff9b67d0d0c38bce654232f195"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/ae743deca78d9e4b7f4f60ad2f95e20e8ea057f9"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/bae792617a7e911477f67a3aff850ad4ddf51572"
    },
    {
      "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
      "tags": [
        "Patch"
      ],
      "url": "https://git.kernel.org/stable/c/cc86f2e9876c8b5300238cec6bf0bd8c842078ee"
    }
  ],
  "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.