{
  "public_date" : "2024-11-05T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: arm64: probes: Remove broken LDR (literal) uprobe support",
    "id" : "2323904",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2323904"
  },
  "details" : [ "In the Linux kernel, the following vulnerability has been resolved:\narm64: probes: Remove broken LDR (literal) uprobe support\nThe simulate_ldr_literal() and simulate_ldrsw_literal() functions are\nunsafe to use for uprobes. Both functions were originally written for\nuse with kprobes, and access memory with plain C accesses. When uprobes\nwas added, these were reused unmodified even though they cannot safely\naccess user memory.\nThere are three key problems:\n1) The plain C accesses do not have corresponding extable entries, and\nthus if they encounter a fault the kernel will treat these as\nunintentional accesses to user memory, resulting in a BUG() which\nwill kill the kernel thread, and likely lead to further issues (e.g.\nlockup or panic()).\n2) The plain C accesses are subject to HW PAN and SW PAN, and so when\neither is in use, any attempt to simulate an access to user memory\nwill fault. Thus neither simulate_ldr_literal() nor\nsimulate_ldrsw_literal() can do anything useful when simulating a\nuser instruction on any system with HW PAN or SW PAN.\n3) The plain C accesses are privileged, as they run in kernel context,\nand in practice can access a small range of kernel virtual addresses.\nThe instructions they simulate have a range of +/-1MiB, and since the\nsimulated instruction must itself be a user instruction in the\nTTBR0 address range, these can address the final 1MiB of the TTBR1\naddress range by wrapping downwards from an address in the first\n1MiB of the TTBR0 address range.\nIn contemporary kernels the last 8MiB of TTBR1 address range is\nreserved, and accesses to this will always fault, meaning this is no\nworse than (1).\nHistorically, it was theoretically possible for the linear map or\nvmemmap to spill into the final 8MiB of the TTBR1 address range, but\nin practice this is extremely unlikely to occur as this would\nrequire either:\n* Having enough physical memory to fill the entire linear map all the\nway to the final 1MiB of the TTBR1 address range.\n* Getting unlucky with KASLR randomization of the linear map such\nthat the populated region happens to overlap with the last 1MiB of\nthe TTBR address range.\n... and in either case if we were to spill into the final page there\nwould be larger problems as the final page would alias with error\npointers.\nPractically speaking, (1) and (2) are the big issues. Given there have\nbeen no reports of problems since the broken code was introduced, it\nappears that no-one is relying on probing these instructions with\nuprobes.\nAvoid these issues by not allowing uprobes on LDR (literal) and LDRSW\n(literal), limiting the use of simulate_ldr_literal() and\nsimulate_ldrsw_literal() to kprobes. Attempts to place uprobes on LDR\n(literal) and LDRSW (literal) will be rejected as\narm_probe_decode_insn() will return INSN_REJECTED. In future we can\nconsider introducing working uprobes support for these instructions, but\nthis will require more significant work." ],
  "statement" : "This CVE has been marked as Rejected by the assigning CNA.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-12-11T00:00:00Z",
    "advisory" : "RHSA-2024:10944",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv",
    "package" : "kernel-rt-0:4.18.0-553.32.1.rt7.373.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2024-12-11T00:00:00Z",
    "advisory" : "RHSA-2024:10943",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-553.32.1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-12-19T00:00:00Z",
    "advisory" : "RHSA-2024:11486",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-503.19.1.el9_5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2024-12-19T00:00:00Z",
    "advisory" : "RHSA-2024:11486",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9",
    "package" : "kernel-0:5.14.0-503.19.1.el9_5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2025-03-05T00:00:00Z",
    "advisory" : "RHSA-2025:2270",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.4",
    "package" : "kernel-0:5.14.0-427.57.1.el9_4"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-50099\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-50099\nhttps://lore.kernel.org/linux-cve-announce/2024110526-CVE-2024-50099-1758@gregkh/T" ],
  "name" : "CVE-2024-50099",
  "csaw" : false
}
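The record above describes a concrete piece of arithmetic: an LDR (literal) reaches PC +/- 1MiB, so a user instruction in the first 1MiB of the TTBR0 range can name an address in the last 1MiB of the TTBR1 range by wrapping below zero, which is why simulating it with privileged plain C accesses was unsafe. The following user-space C program is an added example written for this page; it is not code from the kernel, the commit, or Red Hat. It decodes the imm19 field of an LDR/LDRSW (literal), computes the wrapped target, and applies the post-fix policy (simulate for kprobes, INSN_REJECTED for uprobes). The mask/value pairs match the kernel's `aarch64_insn_is_ldr_lit()`/`aarch64_insn_is_ldrsw_lit()` patterns; everything else (the helper names, the enum values, classifying a VA as TTBR1 by bit 55, and the sample PC/offset) is this example's own assumption.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Encoding patterns for the A64 "load register (literal)" forms. These match
 * the mask/value pairs the kernel uses for aarch64_insn_is_ldr_lit() and
 * aarch64_insn_is_ldrsw_lit(): bit 26 (V) must be 0 (no SIMD/FP literal
 * loads), and for LDR bit 30 (32- vs 64-bit) is a don't-care. */
#define LDR_LIT_MASK   0xBF000000u
#define LDR_LIT_VAL    0x18000000u
#define LDRSW_LIT_MASK 0xFF000000u
#define LDRSW_LIT_VAL  0x98000000u

enum probe_type { PROBE_KPROBE, PROBE_UPROBE };
/* Same names the kernel decoder uses; the numeric values are this example's own. */
enum decode_result { INSN_REJECTED = 0, INSN_GOOD_NO_SLOT = 1 };

static bool is_ldr_lit(uint32_t insn)   { return (insn & LDR_LIT_MASK) == LDR_LIT_VAL; }
static bool is_ldrsw_lit(uint32_t insn) { return (insn & LDRSW_LIT_MASK) == LDRSW_LIT_VAL; }

/* imm19 lives in bits [23:5]; sign-extend it and scale by 4 bytes.
 * Reach is therefore -1MiB .. +1MiB-4, the "+/-1MiB" in the commit message. */
static int64_t ldr_lit_offset(uint32_t insn)
{
    int64_t imm19 = (insn >> 5) & 0x7FFFF;
    if (imm19 & 0x40000)
        imm19 -= 0x80000;
    return imm19 * 4;
}

/* PC-relative target with 64-bit modular wrap, as the CPU computes it. */
static uint64_t ldr_lit_target(uint64_t pc, uint32_t insn)
{
    return pc + (uint64_t)ldr_lit_offset(insn);
}

/* Assumption for this example: VA bit 55 selects the TTBR1 (kernel) half over
 * the TTBR0 (user) half, which is the bit the arm64 MMU uses for that choice. */
static bool is_ttbr1_addr(uint64_t va)
{
    return (va >> 55) & 1;
}

/* Assemble a 64-bit LDR (literal) into Xt with the given byte offset
 * (a multiple of 4 within the signed 19-bit reach). */
static uint32_t encode_ldr64_lit(int64_t byte_off, unsigned rt)
{
    uint32_t imm19 = (uint32_t)((byte_off / 4) & 0x7FFFF);
    return 0x58000000u | (imm19 << 5) | (rt & 0x1Fu);
}

/* Post-fix policy from the commit message: LDR/LDRSW (literal) are simulated
 * only for kprobes; a uprobe on them is rejected rather than simulated with
 * plain C accesses that cannot safely touch user memory. */
static enum decode_result decode_literal_load(uint32_t insn, enum probe_type type)
{
    if (!is_ldr_lit(insn) && !is_ldrsw_lit(insn))
        return INSN_REJECTED;   /* other encodings are out of scope here */
    if (type == PROBE_UPROBE)
        return INSN_REJECTED;
    return INSN_GOOD_NO_SLOT;
}

int main(void)
{
    /* Constructed input: a user PC 64KiB into the TTBR0 range and a literal
     * load reaching 64KiB+4 backwards. The offset is well inside +/-1MiB,
     * yet the wrapped target lands at the very top of the TTBR1 range. */
    uint64_t pc = 0x10000;
    uint32_t insn = encode_ldr64_lit(-(int64_t)0x10004, 0);
    uint64_t target = ldr_lit_target(pc, insn);

    printf("insn=0x%08" PRIx32 " pc=0x%" PRIx64 " offset=%" PRId64
           " target=0x%016" PRIx64 " (%s)\n",
           insn, pc, ldr_lit_offset(insn), target,
           is_ttbr1_addr(target) ? "TTBR1/kernel" : "TTBR0/user");
    printf("kprobe decode: %s\n",
           decode_literal_load(insn, PROBE_KPROBE) == INSN_REJECTED
               ? "INSN_REJECTED" : "INSN_GOOD_NO_SLOT");
    printf("uprobe decode: %s\n",
           decode_literal_load(insn, PROBE_UPROBE) == INSN_REJECTED
               ? "INSN_REJECTED" : "INSN_GOOD_NO_SLOT");
    return 0;
}
```

With the sample input the target is 0xfffffffffffffffc, inside the final page of the TTBR1 range; on a contemporary kernel that address is in the reserved tail and would fault, which is why the record ranks problems (1) and (2) above (3). The program only models the address computation and the decode policy; it does not reproduce the missing extable entries or the PAN interaction, which only exist in kernel context.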