CVE-2024-47728 in Linux

Summary

by MITRE • 10/21/2024

In the Linux kernel, the following vulnerability has been resolved:

bpf: Zero former ARG_PTR_TO_{LONG,INT} args in case of error

For all non-tracing helpers which formerly had ARG_PTR_TO_{LONG,INT} as input arguments, zero the value for the case of an error as otherwise it could leak memory. For tracing, it is not needed given CAP_PERFMON can already read all kernel memory anyway, hence bpf_get_func_arg() and bpf_get_func_ret() are skipped in here.

Also, the MTU helpers' mtu_len pointer value is being written but also read. Technically, the MEM_UNINIT should not be there in order to always force init. Removing MEM_UNINIT needs more verifier rework though: MEM_UNINIT right now implies two things actually: i) write into memory, ii) memory does not have to be initialized. If we lift MEM_UNINIT, it then becomes: i) read into memory, ii) memory must be initialized. This means that for bpf_*_check_mtu() we're re-adding the issue we're trying to fix, that is, it would then be able to write back into things like .rodata BPF maps. Follow-up work will rework the MEM_UNINIT semantics such that the intent can be better expressed. For now just clear the *mtu_len on error path which can be lifted later again.


Analysis

by VulDB Data Team • 01/19/2026

The vulnerability identified as CVE-2024-47728 resides within the Linux kernel's eBPF (extended Berkeley Packet Filter) subsystem and concerns a memory leakage issue that occurs during error handling in BPF helper functions. This flaw affects the kernel's ability to properly manage memory when BPF programs encounter errors during execution, creating potential security risks through information disclosure. The issue manifests in non-tracing helper functions that previously utilized ARG_PTR_TO_{LONG,INT} as input arguments, where the kernel failed to properly zero memory values during error conditions, potentially allowing sensitive information to persist in memory locations that should be cleared.

The technical root cause of this vulnerability stems from improper memory management during error paths in BPF helper functions. When BPF programs execute helper functions that accept pointer arguments, the kernel must ensure that memory is properly initialized and cleared, especially when errors occur. The vulnerability specifically impacts helper functions that handle arguments of type ARG_PTR_TO_{LONG,INT}, where memory values are not properly zeroed when errors occur. This behavior creates a potential information disclosure vector, as residual data from previous operations could leak into memory locations that are subsequently accessed by other processes or kernel components. The flaw is classified under CWE-248, which addresses "Uncaught Exception," and more specifically relates to improper handling of memory in error conditions within kernel space.

The operational impact of CVE-2024-47728 extends beyond simple memory leakage, as it represents a potential avenue for attackers to gain insights into kernel memory structures and potentially exploit other vulnerabilities through information disclosure. The vulnerability affects BPF programs running in kernel space, which can be particularly concerning given the privileged nature of these operations. Attackers could potentially leverage this memory leakage to reconstruct sensitive information, understand kernel memory layout, or even aid in more sophisticated exploitation techniques. The issue is particularly relevant in environments where BPF programs are used extensively for network filtering, system monitoring, or security policy enforcement, as these programs often operate with elevated privileges and access to kernel memory.

The fix implemented addresses the vulnerability by ensuring that ARG_PTR_TO_{LONG,INT} arguments are properly zeroed in error cases for non-tracing helpers, preventing memory leakage that could expose sensitive data. The solution specifically targets the error handling path where memory values should be cleared to prevent information disclosure. Additionally, the patch addresses a related issue with MTU helpers where the mtu_len pointer value was being both written to and read from, creating potential for uninitialized memory access. The mitigation strategy involves clearing the mtu_len value on error paths, which prevents the leakage of potentially sensitive information while maintaining the functional integrity of BPF programs. This approach aligns with the ATT&CK technique T1550.001, which involves unauthorized access to kernel memory through privilege escalation or information disclosure vulnerabilities, and demonstrates the importance of proper memory management in kernel space operations. The solution also incorporates elements of the ATT&CK technique T1059.006, which involves execution through kernel modules, as BPF programs are often executed within kernel contexts and require careful memory management to prevent information leakage.
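The following is an added illustration of the pattern described in the commit message and in the analysis above; it is a constructed userspace model, not the kernel's code. A helper with a MEM_UNINIT out-pointer argument (like the MTU helpers' mtu_len) that writes the slot only on its success path leaves whatever the caller's stack slot already held readable after an error; the fixed variant zeroes it first. lookup_mtu, check_mtu_before, check_mtu_after and the STALE_STACK_DATA sentinel are all assumptions made for this model.

```c
#include <errno.h>
#include <stdint.h>

typedef uint32_t u32;

/* Constructed sentinel standing in for whatever the BPF program's stack slot
 * held before the call; in the real bug that is stale kernel data. */
#define STALE_STACK_DATA 0xDEADBEEFu

/* Hypothetical MTU lookup: fails for an invalid ifindex. */
static int lookup_mtu(int ifindex, u32 *mtu)
{
    if (ifindex <= 0)
        return -ENODEV;
    *mtu = 1500;
    return 0;
}

/* Before the fix: the error path returns without touching *mtu_len. Because
 * the argument is MEM_UNINIT, the verifier never forced the program to
 * initialise that slot, so the program can read whatever was left there. */
static int check_mtu_before(int ifindex, u32 *mtu_len)
{
    u32 mtu;
    int ret = lookup_mtu(ifindex, &mtu);
    if (ret)
        return ret;          /* *mtu_len untouched: stale data survives */
    *mtu_len = mtu;
    return 0;
}

/* After the fix: every error path writes a defined value before returning. */
static int check_mtu_after(int ifindex, u32 *mtu_len)
{
    u32 mtu;
    int ret = lookup_mtu(ifindex, &mtu);
    if (ret) {
        *mtu_len = 0;        /* clear on the error path, as the patch does */
        return ret;
    }
    *mtu_len = mtu;
    return 0;
}

/* Model a program stack slot holding stale data, force the helper's error
 * path with a bad ifindex, and return what the BPF program would observe. */
static u32 observe(int (*helper)(int, u32 *))
{
    u32 slot = STALE_STACK_DATA;
    (void)helper(-1, &slot);
    return slot;
}

u32 leaked_before(void) { return observe(check_mtu_before); }
u32 leaked_after(void)  { return observe(check_mtu_after); }
```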

Responsible: Linux

Reservation: 09/30/2024

Disclosure: 10/21/2024

Moderation: accepted

CPE: ready

EPSS: 0.00235

KEV: no

Activities: very low
