{
  "id": "CVE-2024-50164",
  "summary": "bpf: Fix overloading of MEM_UNINIT's meaning",
  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix overloading of MEM_UNINIT's meaning\n\nLonial reported an issue in the BPF verifier where check_mem_size_reg()\nhas the following code:\n\n    if (!tnum_is_const(reg-\u003evar_off))\n        /* For unprivileged variable accesses, disable raw\n         * mode so that the program is required to\n         * initialize all the memory that the helper could\n         * just partially fill up.\n         */\n         meta = NULL;\n\nThis means that writes are not checked when the register containing the\nsize of the passed buffer does not have a fixed size. Through this bug, a BPF\nprogram can write to a map which is marked as read-only, for example,\n.rodata global maps.\n\nThe problem is that MEM_UNINIT's initial meaning that \"the passed buffer\nto the BPF helper does not need to be initialized\" which was added back\nin commit 435faee1aae9 (\"bpf, verifier: add ARG_PTR_TO_RAW_STACK type\")\ngot overloaded over time with \"the passed buffer is being written to\".\n\nThe problem however is that checks such as the above which were added later\nvia 06c1c049721a (\"bpf: allow helpers access to variable memory\") set meta\nto NULL in order to force the user to always initialize the passed buffer to\nthe helper. Due to the current double meaning of MEM_UNINIT, this bypasses\nverifier write checks to the memory (not boundary checks though) and only\nassumes the latter memory is read instead.\n\nFix this by reverting MEM_UNINIT back to its original meaning, and having\nMEM_WRITE as an annotation to BPF helpers in order to then trigger the\nBPF verifier checks for writing to memory.\n\nSome notes: check_arg_pair_ok() ensures that for ARG_CONST_SIZE{,_OR_ZERO}\nwe can access fn-\u003earg_type[arg - 1] since it must contain a preceding\nARG_PTR_TO_MEM. For check_mem_reg() the meta argument can be removed\naltogether since we do check both BPF_READ and BPF_WRITE. Same for the\nequivalent check_kfunc_mem_size_reg().",
  "modified": "2026-04-16T04:37:00.499480231Z",
  "published": "2024-11-07T09:31:41.012Z",
  "related": [
    "USN-7276-1",
    "USN-7277-1",
    "openSUSE-SU-2024:14500-1",
    "openSUSE-SU-2025:14705-1"
  ],
  "database_specific": {
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/50xxx/CVE-2024-50164.json",
    "cna_assigner": "Linux"
  },
  "references": [
    {"type": "WEB", "url": "https://git.kernel.org/stable/c/43f4df339a4d375bedcad29a61ae6f0ee7a048f8"},
    {"type": "WEB", "url": "https://git.kernel.org/stable/c/48068ccaea957469f1adf78dfd2c1c9a7e18f0fe"},
    {"type": "WEB", "url": "https://git.kernel.org/stable/c/54bc31682660810af1bed7ca7a19f182df8d3df8"},
    {"type": "WEB", "url": "https://git.kernel.org/stable/c/8ea607330a39184f51737c6ae706db7fdca7628e"},
    {"type": "WEB", "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"},
    {"type": "ADVISORY", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/50xxx/CVE-2024-50164.json"},
    {"type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50164"},
    {"type": "PACKAGE", "url": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}
  ],
  "affected": [
    {
      "ranges": [
        {
          "type": "GIT",
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "events": [
            {"introduced": "97e6d7dab1ca4648821c790a2b7913d6d5d549db"},
            {"fixed": "43f4df339a4d375bedcad29a61ae6f0ee7a048f8"},
            {"fixed": "48068ccaea957469f1adf78dfd2c1c9a7e18f0fe"},
            {"fixed": "54bc31682660810af1bed7ca7a19f182df8d3df8"},
            {"fixed": "8ea607330a39184f51737c6ae706db7fdca7628e"}
          ]
        },
        {
          "type": "GIT",
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "events": [
            {"introduced": "0"},
            {"last_affected": "6099a6c8a749a5c8d5f8b4c4342022a92072a02b"},
            {"last_affected": "bfe25df63048edd4ceaf78a2fc755d5e2befc978"},
            {"last_affected": "717c39718dbc4f7ebcbb7b625fb11851cd9007fe"},
            {"last_affected": "5d0bba8232bf22ce13747cbfc8f696318ff01a50"},
            {"last_affected": "70674d11d14eeecad90be4b409a22b902112ba32"},
            {"last_affected": "a08d942ecbf46e23a192093f6983cb1d779f4fa8"}
          ]
        }
      ],
      "database_specific": {
        "source": "https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-50164.json"
      }
    }
  ],
  "schema_version": "1.7.5"
}