CVE-2024-49861

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 21/10/2024
Last modified: 03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix helper writes to read-only maps

Lonial found an issue that despite user- and BPF-side frozen BPF map
(like in case of .rodata), it was still possible to write into it from
a BPF program side through specific helpers having ARG_PTR_TO_{LONG,INT}
as arguments.

In check_func_arg() when the argument is as mentioned, the meta->raw_mode
is never set. Later, check_helper_mem_access(), under the case of
PTR_TO_MAP_VALUE as register base type, it assumes BPF_READ for the
subsequent call to check_map_access_type() and given the BPF map is
read-only it succeeds.

The helpers really need to be annotated as ARG_PTR_TO_{LONG,INT} | MEM_UNINIT
when results are written into them as opposed to read out of them. The
latter indicates that it's okay to pass a pointer to uninitialized memory
as the memory is written to anyway.

However, ARG_PTR_TO_{LONG,INT} is a special case of ARG_PTR_TO_FIXED_SIZE_MEM
just with additional alignment requirement. So it is better to just get
rid of the ARG_PTR_TO_{LONG,INT} special cases altogether and reuse the
fixed size memory types. For this, add MEM_ALIGNED to additionally ensure
alignment given these helpers write directly into the args via * = val.
The .arg*_size has been initialized reflecting the actual sizeof(*).

MEM_ALIGNED can only be used in combination with MEM_FIXED_SIZE annotated
argument types, since in !MEM_FIXED_SIZE cases the verifier does not know
the buffer size a priori and therefore cannot blindly write * = val.
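The following is an added userspace model of the verifier decision the commit message describes; it is not kernel code and not part of this advisory. The flag names (ARG_PTR_TO_LONG, ARG_PTR_TO_FIXED_SIZE_MEM, MEM_UNINIT, MEM_FIXED_SIZE, MEM_ALIGNED, BPF_READ/BPF_WRITE) are taken from the message, but their numeric values, the `struct bpf_map`/`struct helper_arg` shapes, the error codes chosen and the two `check_helper_arg_*` functions are this example's own simplification. It shows why the pre-fix annotation lets a result-writing helper pass the read-only map check, and what the post-fix annotation changes: the access becomes a write, so a frozen map is refused, and MEM_ALIGNED is only meaningful with a known fixed size.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Argument-type bits. Names follow the commit message; the numeric values
 * and everything else in this file are this example's own simplification. */
enum {
	ARG_PTR_TO_MEM  = 1,        /* base type: pointer to a memory buffer           */
	ARG_PTR_TO_LONG = 2,        /* pre-fix special case: pointer to a long result  */
	MEM_UNINIT      = 1 << 8,   /* helper writes the buffer, it may be uninitialized */
	MEM_FIXED_SIZE  = 1 << 9,   /* size comes from .arg*_size, not a size register */
	MEM_ALIGNED     = 1 << 10,  /* helper stores a whole value: natural alignment  */
};
#define ARG_PTR_TO_FIXED_SIZE_MEM (ARG_PTR_TO_MEM | MEM_FIXED_SIZE)

enum { BPF_READ = 1, BPF_WRITE = 2 };

struct bpf_map { bool frozen; };   /* frozen: read-only on both user and BPF side */

struct helper_arg {
	unsigned int type;             /* .argN_type: ARG_* | MEM_* flags */
	size_t size;                   /* .argN_size when MEM_FIXED_SIZE  */
};

/* Model of check_map_access_type(): a write into a frozen map is refused. */
static int check_map_access_type(const struct bpf_map *map, int access)
{
	return (access == BPF_WRITE && map->frozen) ? -EACCES : 0;
}

/* Pre-fix path: ARG_PTR_TO_LONG never sets meta->raw_mode, so the access is
 * checked as BPF_READ even though the helper will store its result there. */
static int check_helper_arg_old(const struct bpf_map *map,
				const struct helper_arg *arg, uint32_t off)
{
	bool raw_mode = (arg->type & MEM_UNINIT) != 0;  /* false for ARG_PTR_TO_LONG */
	(void)off;                                      /* no alignment handling on this path */
	return check_map_access_type(map, raw_mode ? BPF_WRITE : BPF_READ);
}

/* Post-fix path: the helper is annotated FIXED_SIZE_MEM | MEM_UNINIT | MEM_ALIGNED,
 * so the verifier treats it as a write of arg->size bytes that must be aligned. */
static int check_helper_arg_new(const struct bpf_map *map,
				const struct helper_arg *arg, uint32_t off)
{
	bool raw_mode;

	if ((arg->type & MEM_ALIGNED) && !(arg->type & MEM_FIXED_SIZE))
		return -EFAULT;  /* verifier bug: cannot align a buffer of unknown size */
	if ((arg->type & MEM_ALIGNED) && off % arg->size != 0)
		return -EINVAL;  /* misaligned: the helper would do an unaligned store */
	raw_mode = (arg->type & MEM_UNINIT) != 0;
	return check_map_access_type(map, raw_mode ? BPF_WRITE : BPF_READ);
}

/* Constructed scenario: a frozen .rodata map, a writable map, and a helper
 * that writes an s64 result through its pointer argument. */
static const struct bpf_map rodata_map = { .frozen = true };
static const struct bpf_map rw_map = { .frozen = false };
static const struct helper_arg legacy_long_arg = {
	.type = ARG_PTR_TO_LONG, .size = sizeof(int64_t),
};
static const struct helper_arg fixed_long_arg = {
	.type = ARG_PTR_TO_FIXED_SIZE_MEM | MEM_UNINIT | MEM_ALIGNED, .size = sizeof(int64_t),
};
static const struct helper_arg bad_aligned_arg = {
	.type = ARG_PTR_TO_MEM | MEM_UNINIT | MEM_ALIGNED, .size = 0, /* MEM_ALIGNED without MEM_FIXED_SIZE */
};

int main(void)
{
	printf("old, ARG_PTR_TO_LONG into frozen map: %d (0 = accepted, the bug)\n",
	       check_helper_arg_old(&rodata_map, &legacy_long_arg, 0));
	printf("new, aligned fixed-size write into frozen map: %d (-EACCES is %d)\n",
	       check_helper_arg_new(&rodata_map, &fixed_long_arg, 0), -EACCES);
	printf("new, same write into writable map at offset 4: %d (-EINVAL is %d)\n",
	       check_helper_arg_new(&rw_map, &fixed_long_arg, 4), -EINVAL);
	printf("new, MEM_ALIGNED without MEM_FIXED_SIZE: %d (-EFAULT is %d)\n",
	       check_helper_arg_new(&rw_map, &bad_aligned_arg, 0), -EFAULT);
	return 0;
}
```

The point to take from the model is that the map's read-only status was enforced correctly all along; what was wrong was the verifier's idea of the direction of the access. Any helper whose argument annotation understates that it writes through a pointer reopens the same hole, which is why the fix collapses the special cases into the fixed-size memory type that already carries the MEM_UNINIT write marker.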

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.2 (including) 6.6.54 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.10.13 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.11 (including) 6.11.2 (excluding)
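An added check against the three upstream ranges in the table above (not part of the advisory): it parses a kernel release string the way `uname -r` prints it and reports whether it falls in an affected range, with "From" inclusive and "Up to" exclusive exactly as the table states. The function and struct names are this example's own.

```c
#include <stdio.h>
#include <sys/utsname.h>

/* Kernel release as major.minor.patch; "-rc1", "-generic" and similar suffixes are ignored. */
struct kver { int major, minor, patch; };

static int kver_cmp(struct kver a, struct kver b)
{
	if (a.major != b.major) return a.major < b.major ? -1 : 1;
	if (a.minor != b.minor) return a.minor < b.minor ? -1 : 1;
	if (a.patch != b.patch) return a.patch < b.patch ? -1 : 1;
	return 0;
}

/* Parse "6.6.50-generic" -> {6,6,50}; a bare "6.7" means 6.7.0. Returns 0 on failure. */
static int kver_parse(const char *s, struct kver *out)
{
	out->major = out->minor = out->patch = 0;
	return sscanf(s, "%d.%d.%d", &out->major, &out->minor, &out->patch) >= 2;
}

/* The three ranges from the table: "from" is inclusive, "upto" is exclusive,
 * i.e. 6.6.54, 6.10.13 and 6.11.2 are the first releases outside the range. */
static const struct { struct kver from, upto; } affected_ranges[] = {
	{ {5, 2, 0},  {6, 6, 54}  },
	{ {6, 7, 0},  {6, 10, 13} },
	{ {6, 11, 0}, {6, 11, 2}  },
};

/* 1 = release is inside an affected range, 0 = outside all of them, -1 = unparsable. */
static int cve_2024_49861_affected(const char *release)
{
	struct kver v;
	size_t i;

	if (!kver_parse(release, &v))
		return -1;
	for (i = 0; i < sizeof(affected_ranges) / sizeof(affected_ranges[0]); i++)
		if (kver_cmp(v, affected_ranges[i].from) >= 0 &&
		    kver_cmp(v, affected_ranges[i].upto) < 0)
			return 1;
	return 0;
}

int main(void)
{
	struct utsname u;
	int r;

	if (uname(&u) != 0) {
		perror("uname");
		return 1;
	}
	r = cve_2024_49861_affected(u.release);
	printf("%s: %s\n", u.release,
	       r == 1 ? "inside an affected upstream range" :
	       r == 0 ? "outside the affected upstream ranges" :
	       "release string not understood");
	return 0;
}
```

The result is only a statement about upstream version numbers. Distribution kernels routinely carry the fix as a backport without changing the version string, so a release inside a range is a prompt to check the vendor's changelog or package advisory, not proof that the kernel is vulnerable; conversely, a release outside the ranges that predates 5.2 is outside because the affected code did not exist there.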