PT-2024-33708 · Linux+7 · Linux Kernel+7
Lonial · Published 2024-09-13 · Updated 2026-05-26 · CVE-2024-49861
CVSS v3.1: 7.1 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
Linux kernel versions prior to 6.6.58
Description:
A vulnerability has been found in the Linux kernel where specific helpers with ARG_PTR_TO_{LONG,INT} as arguments can write into read-only BPF maps from the BPF program side. This occurs because meta->raw_mode is never set in check_func_arg() for these argument types, so check_helper_mem_access() assumes BPF_READ for the subsequent call to check_map_access_type(), and the write operation is allowed to succeed. The issue arises from the helpers not being annotated as ARG_PTR_TO_{LONG,INT} | MEM_UNINIT even though results are written into them. To fix this, the ARG_PTR_TO_{LONG,INT} special cases are removed, and MEM_ALIGNED is added to ensure alignment.
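A simplified C model of the verifier decision described above, added here as an illustration; it is not kernel source and not part of the original advisory. The structs, `verify_helper_arg()` and the flag values are stand-ins, and only the decision logic follows the description.

```c
#include <stdbool.h>
#include <stdio.h>

/* Stand-in definitions for this model; not copied from kernel headers. */
enum access_type { BPF_READ = 1, BPF_WRITE = 2 };
enum { MEM_UNINIT = 1 << 0 };        /* arg annotation: helper writes its result here */
enum { BPF_F_RDONLY_PROG = 1 << 7 }; /* map flag: BPF programs may only read the map */

struct map_model  { unsigned int map_flags; };
struct meta_model { bool raw_mode; };

/* Models check_map_access_type(): writes to a program-read-only map are rejected. */
static int check_map_access_type(const struct map_model *map, enum access_type t)
{
    if (t == BPF_WRITE && (map->map_flags & BPF_F_RDONLY_PROG))
        return -1; /* program rejected at load time */
    return 0;
}

/* Models check_helper_mem_access(): the access type depends only on raw_mode. */
static int check_helper_mem_access(const struct map_model *map,
                                   const struct meta_model *meta)
{
    return check_map_access_type(map, meta->raw_mode ? BPF_WRITE : BPF_READ);
}

/* Hypothetical wrapper for the argument check: raw_mode follows MEM_UNINIT. */
static int verify_helper_arg(const struct map_model *map, unsigned int arg_flags)
{
    struct meta_model meta = { .raw_mode = (arg_flags & MEM_UNINIT) != 0 };
    return check_helper_mem_access(map, &meta);
}

int main(void)
{
    struct map_model rdonly = { .map_flags = BPF_F_RDONLY_PROG };

    /* Before the fix: no MEM_UNINIT on the argument, so the write is checked as a read. */
    printf("unannotated arg, read-only map: %d\n", verify_helper_arg(&rdonly, 0));
    /* After the fix: MEM_UNINIT marks the write, and the read-only map is refused. */
    printf("MEM_UNINIT arg, read-only map:  %d\n", verify_helper_arg(&rdonly, MEM_UNINIT));
    return 0;
}
```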
Recommendations:
For Linux kernel versions prior to 6.6.58, update to version 6.6.58 or later to resolve the issue. As a temporary workaround, consider restricting access to read-only BPF maps to minimize the risk of exploitation. Avoid using helpers with ARG_PTR_TO_{LONG,INT} as arguments in BPF programs until the issue is resolved.
Affected Products
Alt Linux
Astra Linux
Debian
Linuxmint
Linux Kernel
Red Os
Suse
Ubuntu