CVE-2024-50099: Vulnerability in Linux Linux
In the Linux kernel, the following vulnerability has been resolved: arm64: probes: Remove broken LDR (literal) uprobe support The simulate_ldr_literal() and simulate_ldrsw_literal() functions are unsafe to use for uprobes. Both functions were originally written for use with kprobes, and access memory with plain C accesses. When uprobes was added, these were reused unmodified even though they cannot safely access user memory. There are three key problems: 1) The plain C accesses do not have corresponding extable entries, and thus if they encounter a fault the kernel will treat these as unintentional accesses to user memory, resulting in a BUG() which will kill the kernel thread, and likely lead to further issues (e.g. lockup or panic()). 2) The plain C accesses are subject to HW PAN and SW PAN, and so when either is in use, any attempt to simulate an access to user memory will fault. Thus neither simulate_ldr_literal() nor simulate_ldrsw_literal() can do anything useful when simulating a user instruction on any system with HW PAN or SW PAN. 3) The plain C accesses are privileged, as they run in kernel context, and in practice can access a small range of kernel virtual addresses. The instructions they simulate have a range of +/-1MiB, and since the simulated instructions must itself be a user instructions in the TTBR0 address range, these can address the final 1MiB of the TTBR1 acddress range by wrapping downwards from an address in the first 1MiB of the TTBR0 address range. In contemporary kernels the last 8MiB of TTBR1 address range is reserved, and accesses to this will always fault, meaning this is no worse than (1). Historically, it was theoretically possible for the linear map or vmemmap to spill into the final 8MiB of the TTBR1 address range, but in practice this is extremely unlikely to occur as this would require either: * Having enough physical memory to fill the entire linear map all the way to the final 1MiB of the TTBR1 address range. * Getting unlucky with KASLR randomization of the linear map such that the populated region happens to overlap with the last 1MiB of the TTBR address range. ... and in either case if we were to spill into the final page there would be larger problems as the final page would alias with error pointers. Practically speaking, (1) and (2) are the big issues. Given there have been no reports of problems since the broken code was introduced, it appears that no-one is relying on probing these instructions with uprobes. Avoid these issues by not allowing uprobes on LDR (literal) and LDRSW (literal), limiting the use of simulate_ldr_literal() and simulate_ldrsw_literal() to kprobes. Attempts to place uprobes on LDR (literal) and LDRSW (literal) will be rejected as arm_probe_decode_insn() will return INSN_REJECTED. In future we can consider introducing working uprobes support for these instructions, but this will require more significant work.
AI Analysis
Technical Summary
CVE-2024-50099 addresses a vulnerability in the Linux kernel specifically affecting the arm64 architecture's uprobes implementation. Uprobes are a kernel feature used for dynamic tracing of user-space applications by placing probes on user instructions. The vulnerability arises from the reuse of functions simulate_ldr_literal() and simulate_ldrsw_literal(), originally designed for kprobes (kernel probes), which perform plain C memory accesses without proper exception table (extable) entries. These functions are unsafe for uprobes because they attempt to access user memory directly in kernel context without the necessary fault handling mechanisms. This leads to three main issues: (1) If a fault occurs during these memory accesses, the kernel treats it as an unintended user memory access and triggers a BUG(), killing the kernel thread and potentially causing system instability or panic. (2) The accesses are subject to hardware and software Privileged Access Never (PAN) protections, which cause faults when simulating user instructions on systems with PAN enabled, rendering these functions ineffective for uprobes. (3) The privileged kernel context accesses can potentially address kernel virtual memory ranges due to address wrapping, though modern kernels mitigate this by reserving the last 8MiB of the TTBR1 address range to always fault, preventing exploitation. Historically, some theoretical risks existed if the linear map or vmemmap spilled into this reserved range, but this is highly unlikely in practice. The practical impact is mainly the risk of kernel crashes or lockups when uprobes are placed on LDR (literal) and LDRSW (literal) instructions. Since no known reports of exploitation or issues have surfaced since the introduction of this broken code, it appears that these instructions are rarely probed with uprobes. The fix implemented rejects attempts to place uprobes on these instructions by returning INSN_REJECTED in arm_probe_decode_insn(), effectively disabling uprobes support for these instructions until a safer implementation is developed. This vulnerability highlights the risks of reusing kernel code without adapting it for different contexts, especially when dealing with user memory access and fault handling in kernel space.
Potential Impact
For European organizations running Linux on arm64 platforms—such as servers, embedded devices, or cloud infrastructure—the vulnerability could lead to kernel crashes or system instability if uprobes are used on the affected instructions. While no direct exploitation is known, the potential for denial-of-service (DoS) conditions exists if monitoring or debugging tools rely on uprobes for LDR (literal) or LDRSW (literal) instructions. This could disrupt critical services, especially in sectors with high availability requirements like finance, healthcare, and telecommunications. The inability to safely probe these instructions may also limit debugging and performance monitoring capabilities, impacting incident response and system diagnostics. However, the overall risk is mitigated by the kernel's rejection of such uprobes and the rarity of their use in practice. European organizations using arm64 Linux kernels should be aware of this limitation and the potential for kernel instability if attempting unsupported uprobes. The vulnerability does not appear to allow privilege escalation or remote code execution, limiting its impact primarily to local debugging scenarios.
Mitigation Recommendations
European organizations should ensure their Linux kernels are updated to versions that include the fix rejecting uprobes on LDR (literal) and LDRSW (literal) instructions. System administrators and developers should audit and avoid placing uprobes on these instructions in their tracing or debugging tools. If custom uprobes are used, validate that arm_probe_decode_insn() rejects unsupported instructions to prevent kernel crashes. For environments requiring advanced tracing, consider alternative tracing mechanisms such as kprobes or eBPF-based tools that do not rely on uprobes for these instructions. Additionally, monitor kernel logs for BUG() messages or kernel thread terminations that may indicate attempts to probe unsupported instructions. For critical systems, implement kernel crash recovery mechanisms and maintain up-to-date backups to minimize downtime. Finally, coordinate with Linux distribution vendors to receive timely patches and advisories related to this vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Norway, Denmark, Italy, Spain
CVE-2024-50099: Vulnerability in Linux Linux
Description
In the Linux kernel, the following vulnerability has been resolved: arm64: probes: Remove broken LDR (literal) uprobe support The simulate_ldr_literal() and simulate_ldrsw_literal() functions are unsafe to use for uprobes. Both functions were originally written for use with kprobes, and access memory with plain C accesses. When uprobes was added, these were reused unmodified even though they cannot safely access user memory. There are three key problems: 1) The plain C accesses do not have corresponding extable entries, and thus if they encounter a fault the kernel will treat these as unintentional accesses to user memory, resulting in a BUG() which will kill the kernel thread, and likely lead to further issues (e.g. lockup or panic()). 2) The plain C accesses are subject to HW PAN and SW PAN, and so when either is in use, any attempt to simulate an access to user memory will fault. Thus neither simulate_ldr_literal() nor simulate_ldrsw_literal() can do anything useful when simulating a user instruction on any system with HW PAN or SW PAN. 3) The plain C accesses are privileged, as they run in kernel context, and in practice can access a small range of kernel virtual addresses. The instructions they simulate have a range of +/-1MiB, and since the simulated instructions must itself be a user instructions in the TTBR0 address range, these can address the final 1MiB of the TTBR1 acddress range by wrapping downwards from an address in the first 1MiB of the TTBR0 address range. In contemporary kernels the last 8MiB of TTBR1 address range is reserved, and accesses to this will always fault, meaning this is no worse than (1). Historically, it was theoretically possible for the linear map or vmemmap to spill into the final 8MiB of the TTBR1 address range, but in practice this is extremely unlikely to occur as this would require either: * Having enough physical memory to fill the entire linear map all the way to the final 1MiB of the TTBR1 address range. * Getting unlucky with KASLR randomization of the linear map such that the populated region happens to overlap with the last 1MiB of the TTBR address range. ... and in either case if we were to spill into the final page there would be larger problems as the final page would alias with error pointers. Practically speaking, (1) and (2) are the big issues. Given there have been no reports of problems since the broken code was introduced, it appears that no-one is relying on probing these instructions with uprobes. Avoid these issues by not allowing uprobes on LDR (literal) and LDRSW (literal), limiting the use of simulate_ldr_literal() and simulate_ldrsw_literal() to kprobes. Attempts to place uprobes on LDR (literal) and LDRSW (literal) will be rejected as arm_probe_decode_insn() will return INSN_REJECTED. In future we can consider introducing working uprobes support for these instructions, but this will require more significant work.
AI-Powered Analysis
Technical Analysis
CVE-2024-50099 addresses a vulnerability in the Linux kernel specifically affecting the arm64 architecture's uprobes implementation. Uprobes are a kernel feature used for dynamic tracing of user-space applications by placing probes on user instructions. The vulnerability arises from the reuse of functions simulate_ldr_literal() and simulate_ldrsw_literal(), originally designed for kprobes (kernel probes), which perform plain C memory accesses without proper exception table (extable) entries. These functions are unsafe for uprobes because they attempt to access user memory directly in kernel context without the necessary fault handling mechanisms. This leads to three main issues: (1) If a fault occurs during these memory accesses, the kernel treats it as an unintended user memory access and triggers a BUG(), killing the kernel thread and potentially causing system instability or panic. (2) The accesses are subject to hardware and software Privileged Access Never (PAN) protections, which cause faults when simulating user instructions on systems with PAN enabled, rendering these functions ineffective for uprobes. (3) The privileged kernel context accesses can potentially address kernel virtual memory ranges due to address wrapping, though modern kernels mitigate this by reserving the last 8MiB of the TTBR1 address range to always fault, preventing exploitation. Historically, some theoretical risks existed if the linear map or vmemmap spilled into this reserved range, but this is highly unlikely in practice. The practical impact is mainly the risk of kernel crashes or lockups when uprobes are placed on LDR (literal) and LDRSW (literal) instructions. Since no known reports of exploitation or issues have surfaced since the introduction of this broken code, it appears that these instructions are rarely probed with uprobes. The fix implemented rejects attempts to place uprobes on these instructions by returning INSN_REJECTED in arm_probe_decode_insn(), effectively disabling uprobes support for these instructions until a safer implementation is developed. This vulnerability highlights the risks of reusing kernel code without adapting it for different contexts, especially when dealing with user memory access and fault handling in kernel space.
Potential Impact
For European organizations running Linux on arm64 platforms—such as servers, embedded devices, or cloud infrastructure—the vulnerability could lead to kernel crashes or system instability if uprobes are used on the affected instructions. While no direct exploitation is known, the potential for denial-of-service (DoS) conditions exists if monitoring or debugging tools rely on uprobes for LDR (literal) or LDRSW (literal) instructions. This could disrupt critical services, especially in sectors with high availability requirements like finance, healthcare, and telecommunications. The inability to safely probe these instructions may also limit debugging and performance monitoring capabilities, impacting incident response and system diagnostics. However, the overall risk is mitigated by the kernel's rejection of such uprobes and the rarity of their use in practice. European organizations using arm64 Linux kernels should be aware of this limitation and the potential for kernel instability if attempting unsupported uprobes. The vulnerability does not appear to allow privilege escalation or remote code execution, limiting its impact primarily to local debugging scenarios.
Mitigation Recommendations
European organizations should ensure their Linux kernels are updated to versions that include the fix rejecting uprobes on LDR (literal) and LDRSW (literal) instructions. System administrators and developers should audit and avoid placing uprobes on these instructions in their tracing or debugging tools. If custom uprobes are used, validate that arm_probe_decode_insn() rejects unsupported instructions to prevent kernel crashes. For environments requiring advanced tracing, consider alternative tracing mechanisms such as kprobes or eBPF-based tools that do not rely on uprobes for these instructions. Additionally, monitor kernel logs for BUG() messages or kernel thread terminations that may indicate attempts to probe unsupported instructions. For critical systems, implement kernel crash recovery mechanisms and maintain up-to-date backups to minimize downtime. Finally, coordinate with Linux distribution vendors to receive timely patches and advisories related to this vulnerability.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Linux
- Date Reserved
- 2024-10-21T19:36:19.945Z
- Cisa Enriched
- false
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 682d9825c4522896dcbdff2f
Added to database: 5/21/2025, 9:08:53 AM
Last enriched: 6/28/2025, 5:11:30 PM
Last updated: 7/30/2025, 9:02:02 PM
Views: 10
Related Threats
CVE-2025-55286: CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer in vancluever z2d
HighCVE-2025-52621: CWE-346 Origin Validation Error in HCL Software BigFix SaaS Remediate
MediumCVE-2025-52620: CWE-20 Improper Input Validation in HCL Software BigFix SaaS Remediate
MediumCVE-2025-52619: CWE-209 Generation of Error Message Containing Sensitive Information in HCL Software BigFix SaaS Remediate
MediumCVE-2025-52618: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in HCL Software BigFix SaaS Remediate
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.