CVE-2024-50164 Overview
CVE-2024-50164 is a vulnerability in the Linux kernel's BPF (Berkeley Packet Filter) verifier that allows unauthorized memory writes due to the overloaded meaning of the MEM_UNINIT flag. The vulnerability exists in the check_mem_size_reg() function, where write checks are bypassed when the register containing the buffer size has a non-constant value. This flaw enables a BPF program to write to memory regions marked as read-only, including .rodata global maps.
Critical Impact
Local attackers with BPF program execution capabilities can bypass verifier write checks and modify read-only memory regions, potentially leading to data integrity compromise and system instability.
Affected Products
- Linux Kernel versions prior to patched releases
- Linux Kernel 6.12-rc1 through 6.12-rc4
- Various Linux distributions including Debian (see LTS security announcements)
Discovery Timeline
- 2024-11-07 - CVE-2024-50164 published to NVD
- 2025-11-03 - Last updated in NVD database
Technical Details for CVE-2024-50164
Vulnerability Analysis
This vulnerability stems from the semantic overloading of the MEM_UNINIT flag in the BPF verifier over time. Originally introduced in commit 435faee1aae9 to indicate that a buffer passed to a BPF helper does not need to be initialized, the flag's meaning evolved to also imply that the buffer is being written to. This dual interpretation creates a logical flaw in the verification process.
When the check_mem_size_reg() function encounters a register with a non-constant variable offset (var_off), it sets the meta pointer to NULL. This behavior was intended to force users to initialize buffers passed to helpers for unprivileged variable accesses. However, due to MEM_UNINIT's overloaded meaning, setting meta to NULL inadvertently bypasses the verifier's write checks while still performing boundary checks. The verifier then incorrectly assumes the memory is being read rather than written.
Root Cause
The root cause is the historical evolution of MEM_UNINIT's semantics without corresponding updates to all verification logic paths. The original meaning ("buffer does not need initialization") was conflated with "buffer is being written to" through subsequent commits, particularly 06c1c049721a ("bpf: allow helpers access to variable memory"). This created a situation where bypassing initialization requirements also bypassed write permission verification.
Attack Vector
An attacker with the ability to load and execute BPF programs can exploit this vulnerability through the following mechanism:
The attack requires local access with privileges sufficient to load BPF programs. The attacker crafts a BPF program that passes a buffer to a helper function with a non-constant size register. When the verifier processes this program, it sets meta to NULL, disabling write checks. The attacker can then target read-only memory regions such as .rodata global maps.
The fix involves separating the MEM_UNINIT flag back to its original meaning and introducing a new MEM_WRITE annotation for BPF helpers to explicitly trigger write verification checks. This ensures that buffer initialization requirements and write permission checks are handled independently.
Detection Methods for CVE-2024-50164
Indicators of Compromise
- Unexpected modifications to read-only BPF map regions, particularly .rodata global maps
- BPF programs loading with non-constant size arguments passed to helper functions
- Anomalous BPF verifier behavior or unexpected program acceptance
- System instability potentially caused by corruption of read-only kernel data structures
Detection Strategies
- Monitor BPF program loading events using kernel audit subsystem (auditd with BPF syscall rules)
- Implement runtime integrity monitoring for BPF maps marked as read-only
- Use kernel tracing tools (ftrace, perf) to track check_mem_size_reg() function calls with anomalous parameters
- Deploy endpoint detection solutions that can identify suspicious BPF activity patterns
Monitoring Recommendations
- Enable BPF-related audit rules to log all BPF program load and map operations
- Implement alerting for BPF programs that interact with global maps in unexpected ways
- Monitor for kernel log messages related to BPF verifier warnings or errors
- Consider deploying BPF LSM (Linux Security Module) hooks to enforce additional access controls on BPF operations
How to Mitigate CVE-2024-50164
Immediate Actions Required
- Update the Linux kernel to a patched version that includes the security fix
- Restrict BPF program loading capabilities using sysctl kernel.unprivileged_bpf_disabled=1
- Review and audit existing BPF programs for suspicious memory access patterns
- Monitor systems for signs of exploitation while patches are being deployed
Patch Information
The vulnerability has been addressed through multiple kernel commits that revert MEM_UNINIT to its original meaning and introduce MEM_WRITE as a separate annotation:
Debian users should refer to the Debian LTS Security Announcement for distribution-specific patches.
Workarounds
- Disable unprivileged BPF access system-wide to reduce the attack surface
- Implement strict access controls on who can load BPF programs using capabilities (CAP_BPF, CAP_SYS_ADMIN)
- Use container security profiles (seccomp, AppArmor) to restrict BPF syscall access
- Consider using BPF token-based authorization for fine-grained BPF access control
# Disable unprivileged BPF access
sysctl -w kernel.unprivileged_bpf_disabled=1
# Make the setting persistent across reboots
echo "kernel.unprivileged_bpf_disabled = 1" >> /etc/sysctl.d/99-bpf-hardening.conf
# Verify the setting
sysctl kernel.unprivileged_bpf_disabled
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
