{"id":"CVE-2024-50194","summary":"arm64: probes: Fix uprobes for big-endian kernels","details":"In the Linux kernel, the following vulnerability has been resolved:\n\narm64: probes: Fix uprobes for big-endian kernels\n\nThe arm64 uprobes code is broken for big-endian kernels as it doesn't\nconvert the in-memory instruction encoding (which is always\nlittle-endian) into the kernel's native endianness before analyzing and\nsimulating instructions. This may result in a few distinct problems:\n\n* The kernel may may erroneously reject probing an instruction which can\n safely be probed.\n\n* The kernel may erroneously erroneously permit stepping an\n instruction out-of-line when that instruction cannot be stepped\n out-of-line safely.\n\n* The kernel may erroneously simulate instruction incorrectly dur to\n interpretting the byte-swapped encoding.\n\nThe endianness mismatch isn't caught by the compiler or sparse because:\n\n* The arch_uprobe::{insn,ixol} fields are encoded as arrays of u8, so\n the compiler and sparse have no idea these contain a little-endian\n 32-bit value. The core uprobes code populates these with a memcpy()\n which similarly does not handle endianness.\n\n* While the uprobe_opcode_t type is an alias for __le32, both\n arch_uprobe_analyze_insn() and arch_uprobe_skip_sstep() cast from u8[]\n to the similarly-named probe_opcode_t, which is an alias for u32.\n Hence there is no endianness conversion warning.\n\nFix this by changing the arch_uprobe::{insn,ixol} fields to __le32 and\nadding the appropriate __le32_to_cpu() conversions prior to consuming\nthe instruction encoding. The core uprobes copies these fields as opaque\nranges of bytes, and so is unaffected by this change.\n\nAt the same time, remove MAX_UINSN_BYTES and consistently use\nAARCH64_INSN_SIZE for clarity.\n\nTested with the following:\n\n| #include \u003cstdio.h\u003e\n| #include \u003cstdbool.h\u003e\n|\n| #define noinline __attribute__((noinline))\n|\n| static noinline void *adrp_self(void)\n| {\n| void *addr;\n|\n| asm volatile(\n| \" adrp %x0, adrp_self\\n\"\n| \" add %x0, %x0, :lo12:adrp_self\\n\"\n| : \"=r\" (addr));\n| }\n|\n|\n| int main(int argc, char *argv)\n| {\n| void *ptr = adrp_self();\n| bool equal = (ptr == adrp_self);\n|\n| printf(\"adrp_self =\u003e %p\\n\"\n| \"adrp_self() =\u003e %p\\n\"\n| \"%s\\n\",\n| adrp_self, ptr, equal ? \"EQUAL\" : \"NOT EQUAL\");\n|\n| return 0;\n| }\n\n.... where the adrp_self() function was compiled to:\n\n| 00000000004007e0 \u003cadrp_self\u003e:\n| 4007e0: 90000000 adrp x0, 400000 \u003c__ehdr_start\u003e\n| 4007e4: 911f8000 add x0, x0, #0x7e0\n| 4007e8: d65f03c0 ret\n\nBefore this patch, the ADRP is not recognized, and is assumed to be\nsteppable, resulting in corruption of the result:\n\n| # ./adrp-self\n| adrp_self =\u003e 0x4007e0\n| adrp_self() =\u003e 0x4007e0\n| EQUAL\n| # echo 'p /root/adrp-self:0x007e0' \u003e /sys/kernel/tracing/uprobe_events\n| # echo 1 \u003e /sys/kernel/tracing/events/uprobes/enable\n| # ./adrp-self\n| adrp_self =\u003e 0x4007e0\n| adrp_self() =\u003e 0xffffffffff7e0\n| NOT EQUAL\n\nAfter this patch, the ADRP is correctly recognized and simulated:\n\n| # ./adrp-self\n| adrp_self =\u003e 0x4007e0\n| adrp_self() =\u003e 0x4007e0\n| EQUAL\n| #\n| # echo 'p /root/adrp-self:0x007e0' \u003e /sys/kernel/tracing/uprobe_events\n| # echo 1 \u003e /sys/kernel/tracing/events/uprobes/enable\n| # ./adrp-self\n| adrp_self =\u003e 0x4007e0\n| adrp_self() =\u003e 0x4007e0\n| EQUAL","modified":"2026-04-02T12:21:20.208846Z","published":"2024-11-08T05:54:09.327Z","related":["SUSE-SU-2024:4314-1","SUSE-SU-2024:4315-1","SUSE-SU-2024:4316-1","SUSE-SU-2024:4318-1","SUSE-SU-2024:4364-1","SUSE-SU-2024:4367-1","SUSE-SU-2024:4376-1","SUSE-SU-2024:4387-1","SUSE-SU-2025:0035-1","SUSE-SU-2025:20163-1","SUSE-SU-2025:20164-1","SUSE-SU-2025:20246-1","SUSE-SU-2025:20247-1","USN-7276-1","USN-7277-1","openSUSE-SU-2024:14500-1","openSUSE-SU-2025:14705-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/50xxx/CVE-2024-50194.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/13f8f1e05f1dc36dbba6cba0ae03354c0dafcde7"},{"type":"WEB","url":"https://git.kernel.org/stable/c/14841bb7a531b96e2dde37423a3b33e75147c60d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/3d2530c65be04e93720e30f191a7cf1a3aa8b51c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/8165bf83b8a64be801d59cd2532b0d1ffed74d00"},{"type":"WEB","url":"https://git.kernel.org/stable/c/b6a638cb600e13f94b5464724eaa6ab7f3349ca2"},{"type":"WEB","url":"https://git.kernel.org/stable/c/cf60d19d40184e43d9a624e55a0da73be09e938d"},{"type":"WEB","url":"https://git.kernel.org/stable/c/cf9ddf9ed94c15564a05bbf6e9f18dffa0c7df80"},{"type":"WEB","url":"https://git.kernel.org/stable/c/e6ab336213918575124d6db43dc5d3554526242e"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/50xxx/CVE-2024-50194.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-50194"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"9842ceae9fa8deae141533d52a6ead7666962c09"},{"fixed":"b6a638cb600e13f94b5464724eaa6ab7f3349ca2"},{"fixed":"e6ab336213918575124d6db43dc5d3554526242e"},{"fixed":"cf9ddf9ed94c15564a05bbf6e9f18dffa0c7df80"},{"fixed":"cf60d19d40184e43d9a624e55a0da73be09e938d"},{"fixed":"14841bb7a531b96e2dde37423a3b33e75147c60d"},{"fixed":"8165bf83b8a64be801d59cd2532b0d1ffed74d00"},{"fixed":"3d2530c65be04e93720e30f191a7cf1a3aa8b51c"},{"fixed":"13f8f1e05f1dc36dbba6cba0ae03354c0dafcde7"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-50194.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}