{
  "threat_severity" : "Moderate",
  "public_date" : "2024-10-28T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: uprobe: avoid out-of-bounds memory access of fetching args",
    "id" : "2322072",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2322072"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-787",
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\nuprobe: avoid out-of-bounds memory access of fetching args\nUprobe needs to fetch args into a percpu buffer, and then copy to ring\nbuffer to avoid non-atomic context problem.\nSometimes user-space strings, arrays can be very large, but the size of\npercpu buffer is only page size. And store_trace_args() won't check\nwhether these data exceeds a single page or not, caused out-of-bounds\nmemory access.\nIt could be reproduced by following steps:\n1. build kernel with CONFIG_KASAN enabled\n2. save follow program as test.c\n```\n#include <stdio.h>\n#include <stdlib.h>\n#include <string.h>\n// If string length large than MAX_STRING_SIZE, the fetch_store_strlen()\n// will return 0, cause __get_data_size() return shorter size, and\n// store_trace_args() will not trigger out-of-bounds access.\n// So make string length less than 4096.\n#define STRLEN 4093\nvoid generate_string(char *str, int n)\n{\nint i;\nfor (i = 0; i < n; ++i)\n{\nchar c = i % 26 + 'a';\nstr[i] = c;\n}\nstr[n-1] = '\\0';\n}\nvoid print_string(char *str)\n{\nprintf(\"%s\\n\", str);\n}\nint main()\n{\nchar tmp[STRLEN];\ngenerate_string(tmp, STRLEN);\nprint_string(tmp);\nreturn 0;\n}\n```\n3. compile program\n`gcc -o test test.c`\n4. get the offset of `print_string()`\n```\nobjdump -t test | grep -w print_string\n0000000000401199 g     F .text  000000000000001b              print_string\n```\n5. configure uprobe with offset 0x1199\n```\noff=0x1199\ncd /sys/kernel/debug/tracing/\necho \"p /root/test:${off} arg1=+0(%di):ustring arg2=\\$comm arg3=+0(%di):ustring\"\n> uprobe_events\necho 1 > events/uprobes/enable\necho 1 > tracing_on\n```\n6. run `test`, and kasan will report error.\n==================================================================\nBUG: KASAN: use-after-free in strncpy_from_user+0x1d6/0x1f0\nWrite of size 8 at addr ffff88812311c004 by task test/499\nCPU: 0 UID: 0 PID: 499 Comm: test Not tainted 6.12.0-rc3+ #18\nHardware name: Red Hat KVM, BIOS 1.16.0-4.al8 04/01/2014\nCall Trace:\n<TASK>\ndump_stack_lvl+0x55/0x70\nprint_address_description.constprop.0+0x27/0x310\nkasan_report+0x10f/0x120\n? strncpy_from_user+0x1d6/0x1f0\nstrncpy_from_user+0x1d6/0x1f0\n? rmqueue.constprop.0+0x70d/0x2ad0\nprocess_fetch_insn+0xb26/0x1470\n? __pfx_process_fetch_insn+0x10/0x10\n? _raw_spin_lock+0x85/0xe0\n? __pfx__raw_spin_lock+0x10/0x10\n? __pte_offset_map+0x1f/0x2d0\n? unwind_next_frame+0xc5f/0x1f80\n? arch_stack_walk+0x68/0xf0\n? is_bpf_text_address+0x23/0x30\n? kernel_text_address.part.0+0xbb/0xd0\n? __kernel_text_address+0x66/0xb0\n? unwind_get_return_address+0x5e/0xa0\n? __pfx_stack_trace_consume_entry+0x10/0x10\n? arch_stack_walk+0xa2/0xf0\n? _raw_spin_lock_irqsave+0x8b/0xf0\n? __pfx__raw_spin_lock_irqsave+0x10/0x10\n? depot_alloc_stack+0x4c/0x1f0\n? _raw_spin_unlock_irqrestore+0xe/0x30\n? stack_depot_save_flags+0x35d/0x4f0\n? kasan_save_stack+0x34/0x50\n? kasan_save_stack+0x24/0x50\n? mutex_lock+0x91/0xe0\n? __pfx_mutex_lock+0x10/0x10\nprepare_uprobe_buffer.part.0+0x2cd/0x500\nuprobe_dispatcher+0x2c3/0x6a0\n? __pfx_uprobe_dispatcher+0x10/0x10\n? __kasan_slab_alloc+0x4d/0x90\nhandler_chain+0xdd/0x3e0\nhandle_swbp+0x26e/0x3d0\n? __pfx_handle_swbp+0x10/0x10\n? uprobe_pre_sstep_notifier+0x151/0x1b0\nirqentry_exit_to_user_mode+0xe2/0x1b0\nasm_exc_int3+0x39/0x40\nRIP: 0033:0x401199\nCode: 01 c2 0f b6 45 fb 88 02 83 45 fc 01 8b 45 fc 3b 45 e4 7c b7 8b 45 e4 48 98 48 8d 50 ff 48 8b 45 e8 48 01 d0 ce\nRSP: 002b:00007ffdf00576a8 EFLAGS: 00000206\nRAX: 00007ffdf00576b0 RBX: 0000000000000000 RCX: 0000000000000ff2\nRDX: 0000000000000ffc RSI: 0000000000000ffd RDI: 00007ffdf00576b0\nRBP: 00007ffdf00586b0 R08: 00007feb2f9c0d20 R09: 00007feb2f9c0d20\nR10: 0000000000000001 R11: 0000000000000202 R12: 0000000000401040\nR13: 00007ffdf0058780 R14: 0000000000000000 R15: 0000000000000000\n</TASK>\nThis commit enforces the buffer's maxlen less than a page-size to avoid\nstore_trace_args() out-of-memory access.", "An out-of-bounds write vulnerability was found in the Linux kernel. Uprobe fetches probe arguments into a per-CPU buffer and then copies them to a ring buffer. User-space strings and arrays can be very large, but the per-CPU buffer is only one page in size and no bounds check is performed, so an overflow can occur. This can result in a loss of confidentiality, availability, and integrity." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-05-13T00:00:00Z",
    "advisory" : "RHSA-2025:6966",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.12.1.el9_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-05-13T00:00:00Z",
    "advisory" : "RHSA-2025:6966",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-570.12.1.el9_6"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Out of support scope",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Will not fix",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Will not fix",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-50067\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-50067\nhttps://lore.kernel.org/linux-cve-announce/2024102859-CVE-2024-50067-f7c0@gregkh/T" ],
  "name" : "CVE-2024-50067",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}