CVE-2024-49861

Source
https://cve.org/CVERecord?id=CVE-2024-49861
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-49861.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-49861
Downstream
Related
Published
2024-10-21T12:27:19.321Z
Modified
2026-03-20T12:38:07.753069Z
Summary
bpf: Fix helper writes to read-only maps
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix helper writes to read-only maps

Lonial found an issue that despite user- and BPF-side frozen BPF map (like in case of .rodata), it was still possible to write into it from a BPF program side through specific helpers having ARG_PTR_TO_{LONG,INT} as arguments.

In check_func_arg() when the argument is as mentioned, the meta->raw_mode is never set. Later, check_helper_mem_access(), under the case of PTR_TO_MAP_VALUE as register base type, it assumes BPF_READ for the subsequent call to check_map_access_type() and given the BPF map is read-only it succeeds.

The helpers really need to be annotated as ARG_PTR_TO_{LONG,INT} | MEM_UNINIT when results are written into them as opposed to read out of them. The latter indicates that it's okay to pass a pointer to uninitialized memory as the memory is written to anyway.

However, ARG_PTR_TO_{LONG,INT} is a special case of ARG_PTR_TO_FIXED_SIZE_MEM just with additional alignment requirement. So it is better to just get rid of the ARG_PTR_TO_{LONG,INT} special cases altogether and reuse the fixed size memory types. For this, add MEM_ALIGNED to additionally ensure alignment given these helpers write directly into the args via *<ptr> = val. The .arg_size has been initialized reflecting the actual sizeof(*<ptr>).

MEM_ALIGNED can only be used in combination with MEM_FIXED_SIZE annotated argument types, since in !MEM_FIXED_SIZE cases the verifier does not know the buffer size a priori and therefore cannot blindly write *<ptr> = val.
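
The following is an added illustration and is not code from the CVE record or from the Linux kernel: a userspace C model of the verifier decision the commit message describes. The flag and function names (ARG_PTR_TO_LONG, MEM_UNINIT, MEM_FIXED_SIZE, MEM_ALIGNED, check_map_access_type) mirror the kernel's, but the bit layout, the map and argument structs, the error codes and both check functions are simplified assumptions made here for the demonstration. The record does not name the affected helpers; bpf_strtol() is used below as one helper whose result argument carried ARG_PTR_TO_LONG, an identification taken from the kernel source rather than from this page.

```c
/*
 * Added example, not part of the CVE record or the kernel: a userspace model
 * of the verifier check for a helper argument that points into a BPF map.
 * Bit positions, structs and error codes are assumptions for illustration.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Subset of bpf_arg_type base types plus the modifier flags discussed above. */
#define BPF_BASE_TYPE_BITS 8
#define BPF_BASE_TYPE_MASK ((1u << BPF_BASE_TYPE_BITS) - 1)
enum { ARG_PTR_TO_MEM = 1, ARG_PTR_TO_LONG = 2, ARG_PTR_TO_INT = 3 };
#define MEM_UNINIT     (1u << (BPF_BASE_TYPE_BITS + 0)) /* helper writes into the arg */
#define MEM_FIXED_SIZE (1u << (BPF_BASE_TYPE_BITS + 1)) /* size comes from .argN_size */
#define MEM_ALIGNED    (1u << (BPF_BASE_TYPE_BITS + 2)) /* pointer must be naturally aligned */
#define ARG_PTR_TO_FIXED_SIZE_MEM (ARG_PTR_TO_MEM | MEM_FIXED_SIZE)

enum bpf_access_type { BPF_READ = 1, BPF_WRITE = 2 };

struct bpf_map { bool frozen; };                     /* .rodata: frozen, read-only for BPF */
struct helper_arg { uint32_t type; uint32_t size; }; /* size models .argN_size */

static uint32_t base_type(uint32_t t) { return t & BPF_BASE_TYPE_MASK; }

/* Model of check_map_access_type(): a frozen map rejects writes only. */
static int check_map_access_type(const struct bpf_map *m, enum bpf_access_type t)
{
	return (m->frozen && t == BPF_WRITE) ? -EACCES : 0;
}

/*
 * Pre-fix behaviour: raw_mode ("the helper stores here") is derived from
 * MEM_UNINIT on the generic memory types only. The ARG_PTR_TO_{LONG,INT}
 * path checks alignment but never sets raw_mode, so the map access is
 * checked as BPF_READ and a frozen map passes although the helper writes.
 */
static int vulnerable_check(const struct helper_arg *arg, const struct bpf_map *m, uint32_t off)
{
	uint32_t base = base_type(arg->type);
	bool raw_mode = false;

	if (base == ARG_PTR_TO_LONG || base == ARG_PTR_TO_INT) {
		uint32_t size = base == ARG_PTR_TO_LONG ? 8 : 4; /* int_ptr_type_to_size() */
		if (off % size)
			return -EACCES;
		/* raw_mode is left false here: this is the bug. */
	} else {
		raw_mode = arg->type & MEM_UNINIT;
	}
	return check_map_access_type(m, raw_mode ? BPF_WRITE : BPF_READ);
}

/*
 * Post-fix behaviour: the special cases are gone. A result argument is
 * ARG_PTR_TO_FIXED_SIZE_MEM | MEM_UNINIT | MEM_ALIGNED with .argN_size set,
 * so the generic path marks it as a write, and MEM_ALIGNED is only
 * meaningful when the size is known (MEM_FIXED_SIZE).
 */
static int fixed_check(const struct helper_arg *arg, const struct bpf_map *m, uint32_t off)
{
	bool raw_mode = arg->type & MEM_UNINIT;

	if ((arg->type & MEM_ALIGNED) && !(arg->type & MEM_FIXED_SIZE))
		return -EINVAL; /* buffer size unknown a priori, cannot do *<ptr> = val */
	if ((arg->type & MEM_ALIGNED) && off % arg->size)
		return -EACCES; /* unaligned store would be rejected */
	return check_map_access_type(m, raw_mode ? BPF_WRITE : BPF_READ);
}

/* bpf_strtol()'s result argument, modelled as annotated before and after
 * the fix (the struct layout is this example's own). */
static const struct helper_arg strtol_res_old = { ARG_PTR_TO_LONG, 0 };
static const struct helper_arg strtol_res_new = {
	ARG_PTR_TO_FIXED_SIZE_MEM | MEM_UNINIT | MEM_ALIGNED, sizeof(int64_t)
};

int main(void)
{
	struct bpf_map rodata = { .frozen = true };

	/* 0 means the verifier accepts the program; -EACCES means it rejects it. */
	printf("pre-fix, write into frozen map:  %d\n", vulnerable_check(&strtol_res_old, &rodata, 0));
	printf("post-fix, write into frozen map: %d\n", fixed_check(&strtol_res_new, &rodata, 0));
	return 0;
}
```

Running it shows the two outcomes side by side: the pre-fix model returns 0 (accepted) for a result pointer into a frozen map, while the post-fix model returns -EACCES because MEM_UNINIT now makes the access a BPF_WRITE that check_map_access_type() refuses for a read-only map.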

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/49xxx/CVE-2024-49861.json",
    "cna_assigner": "Linux"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
57c3bb725a3dd97d960d7e1cd0845d88de53217f
Fixed
988e55abcf7fdb8fc9a76a7cf3f4e939a4d4fb3a
Fixed
a2c8dc7e21803257e762b0bf067fd13e9c995da0
Fixed
2ed98ee02d1e08afee88f54baec39ea78dc8a23c
Fixed
1e75d25133158b525e0456876e9bcfd6b2993fd5
Fixed
32556ce93bc45c730829083cb60f95a2728ea48b

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-49861.json"