CVE-2024-47728

MEDIUM EPSS 14.4%
Published Oct 21, 20241y ago · Modified Jun 17, 20261w ago
5.5 CVSS 3.1
Medium
Find Similar
Published Oct 21, 2024 1y ago
Last Modified Jun 17, 2026 1w ago

Description

In the Linux kernel, the following vulnerability has been resolved: bpf: Zero former ARG_PTR_TO_{LONG,INT} args in case of error For all non-tracing helpers which formerly had ARG_PTR_TO_{LONG,INT} as input arguments, zero the value for the case of an error as otherwise it could leak memory. For tracing, it is not needed given CAP_PERFMON can already read all kernel memory anyway hence bpf_get_func_arg() and bpf_get_func_ret() is skipped in here. Also, the MTU helpers mtu_len pointer value is being written but also read. Technically, the MEM_UNINIT should not be there in order to always force init. Removing MEM_UNINIT needs more verifier rework though: MEM_UNINIT right now implies two things actually: i) write into memory, ii) memory does not have to be initialized. If we lift MEM_UNINIT, it then becomes: i) read into memory, ii) memory must be initialized. This means that for bpf_*_check_mtu() we're readding the issue we're trying to fix, that is, it would then be able to write back into things like .rodata BPF maps. Follow-up work will rework the MEM_UNINIT semantics such that the intent can be better expressed. For now just clear the *mtu_len on error path which can be lifted later again.

CVSS Details

Base Score
5.5
Exploitability
1.8
Impact
3.6
Vector string
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

Threat Intelligence

EPSS Exploit Probability
14.4% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-459

Affected Products 4

VendorProductVersionRange
linuxlinux_kernel*≥5.2  –  <6.1.113
linuxlinux_kernel*≥6.2  –  <6.6.54
linuxlinux_kernel*≥6.7  –  <6.10.13
linuxlinux_kernel*≥6.11  –  <6.11.2

References 6

  • git.kernel.org https://git.kernel.org/stable/c/4b3786a6c5397dc220b1483d8e2f4867743e966f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/594a9f5a8d2de2573a856e506f77ba7dd2cefc6a
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/599d15b6d03356a97bff7a76155c5604c42a2962
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/8397bf78988f3ae9dbebb0200189a62a57264980
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a634fa8e480ac2423f86311a602f6295df2c8ed0
    Patch
  • lists.debian.org https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html

Remediation

  • git.kernel.org https://git.kernel.org/stable/c/4b3786a6c5397dc220b1483d8e2f4867743e966f
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/594a9f5a8d2de2573a856e506f77ba7dd2cefc6a
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/599d15b6d03356a97bff7a76155c5604c42a2962
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/8397bf78988f3ae9dbebb0200189a62a57264980
    Patch
  • git.kernel.org https://git.kernel.org/stable/c/a634fa8e480ac2423f86311a602f6295df2c8ed0
    Patch