Bug 2323904 (CVE-2024-50099) - CVE-2024-50099 kernel: arm64: probes: Remove broken LDR (literal) uprobe support
Summary: CVE-2024-50099 kernel: arm64: probes: Remove broken LDR (literal) uprobe support
Keywords:
Status: NEW
Alias: CVE-2024-50099
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2324054
Blocks:
TreeView+ depends on / blocked
 
Reported: 2024-11-05 18:01 UTC by OSIDB Bzimport
Modified: 2025-04-25 17:25 UTC (History)
4 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2024:10985 0 None None None 2024-12-12 08:55:22 UTC
Red Hat Product Errata RHBA-2024:11008 0 None None None 2024-12-12 16:41:02 UTC
Red Hat Product Errata RHBA-2024:11050 0 None None None 2024-12-16 01:16:09 UTC
Red Hat Product Errata RHBA-2025:0001 0 None None None 2025-01-01 07:22:59 UTC
Red Hat Product Errata RHBA-2025:0027 0 None None None 2025-01-02 18:13:44 UTC
Red Hat Product Errata RHSA-2024:10943 0 None None None 2024-12-11 01:09:13 UTC
Red Hat Product Errata RHSA-2024:10944 0 None None None 2024-12-11 00:38:50 UTC
Red Hat Product Errata RHSA-2024:11486 0 None None None 2024-12-19 00:43:17 UTC
Red Hat Product Errata RHSA-2025:2270 0 None None None 2025-03-05 02:39:41 UTC

Description OSIDB Bzimport 2024-11-05 18:01:18 UTC
In the Linux kernel, the following vulnerability has been resolved:

arm64: probes: Remove broken LDR (literal) uprobe support

The simulate_ldr_literal() and simulate_ldrsw_literal() functions are
unsafe to use for uprobes. Both functions were originally written for
use with kprobes, and access memory with plain C accesses. When uprobes
was added, these were reused unmodified even though they cannot safely
access user memory.

There are three key problems:

1) The plain C accesses do not have corresponding extable entries, and
   thus if they encounter a fault the kernel will treat these as
   unintentional accesses to user memory, resulting in a BUG() which
   will kill the kernel thread, and likely lead to further issues (e.g.
   lockup or panic()).

2) The plain C accesses are subject to HW PAN and SW PAN, and so when
   either is in use, any attempt to simulate an access to user memory
   will fault. Thus neither simulate_ldr_literal() nor
   simulate_ldrsw_literal() can do anything useful when simulating a
   user instruction on any system with HW PAN or SW PAN.

3) The plain C accesses are privileged, as they run in kernel context,
   and in practice can access a small range of kernel virtual addresses.
   The instructions they simulate have a range of +/-1MiB, and since the
   simulated instructions must itself be a user instructions in the
   TTBR0 address range, these can address the final 1MiB of the TTBR1
   acddress range by wrapping downwards from an address in the first
   1MiB of the TTBR0 address range.

   In contemporary kernels the last 8MiB of TTBR1 address range is
   reserved, and accesses to this will always fault, meaning this is no
   worse than (1).

   Historically, it was theoretically possible for the linear map or
   vmemmap to spill into the final 8MiB of the TTBR1 address range, but
   in practice this is extremely unlikely to occur as this would
   require either:

   * Having enough physical memory to fill the entire linear map all the
     way to the final 1MiB of the TTBR1 address range.

   * Getting unlucky with KASLR randomization of the linear map such
     that the populated region happens to overlap with the last 1MiB of
     the TTBR address range.

   ... and in either case if we were to spill into the final page there
   would be larger problems as the final page would alias with error
   pointers.

Practically speaking, (1) and (2) are the big issues. Given there have
been no reports of problems since the broken code was introduced, it
appears that no-one is relying on probing these instructions with
uprobes.

Avoid these issues by not allowing uprobes on LDR (literal) and LDRSW
(literal), limiting the use of simulate_ldr_literal() and
simulate_ldrsw_literal() to kprobes. Attempts to place uprobes on LDR
(literal) and LDRSW (literal) will be rejected as
arm_probe_decode_insn() will return INSN_REJECTED. In future we can
consider introducing working uprobes support for these instructions, but
this will require more significant work.

Comment 4 errata-xmlrpc 2024-12-11 00:38:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:10944 https://access.redhat.com/errata/RHSA-2024:10944

Comment 5 errata-xmlrpc 2024-12-11 01:09:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:10943 https://access.redhat.com/errata/RHSA-2024:10943

Comment 6 errata-xmlrpc 2024-12-19 00:43:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:11486 https://access.redhat.com/errata/RHSA-2024:11486

Comment 7 errata-xmlrpc 2025-03-05 02:39:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:2270 https://access.redhat.com/errata/RHSA-2025:2270


Note You need to log in before you can comment on or make changes to this bug.