
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2024-49861 is a security vulnerability in the Linux kernel's BPF (Berkeley Packet Filter) subsystem. Even when a BPF map was frozen on both the user and BPF side (such as in the case of .rodata), it was still possible to write into it from the BPF program side through specific helpers that take ARG_PTR_TO_{LONG,INT} arguments (Kernel Patch).
The vulnerability stems from a flaw in check_func_arg(): when the argument is ARG_PTR_TO_{LONG,INT}, meta->raw_mode is never set. check_helper_mem_access(), in the case of PTR_TO_MAP_VALUE as the register base type, then assumes BPF_READ for the subsequent call to check_map_access_type(), and because the BPF map is read-only, the check succeeds incorrectly. This allows writing to read-only maps, which should not be permitted (Kernel Patch). The vulnerability has been assigned a CVSS v3.1 Base Score of 7.1 HIGH with vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H (NVD).
The vulnerability affects the integrity and availability of the system by allowing unauthorized writes to read-only BPF maps. This could potentially lead to system integrity compromise and denial of service conditions (NVD).
The vulnerability has been fixed in multiple Linux kernel versions. The fix involves replacing the ARG_PTR_TO_{LONG,INT} special cases with fixed size memory types and adding MEM_ALIGNED to ensure proper alignment. The patch has been backported to various kernel versions including 5.2 through 6.6.54, 6.7 through 6.10.13, and 6.11 through 6.11.2 (NVD). The fix has also been included in security updates for various Linux distributions (Debian LTS, Ubuntu).
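The check sequence described above can be reduced to a small model that shows why the write was classified as a read. This is an added example, not kernel source and not part of the original report: every type and function name in it is hypothetical, and the `patched` branch assumes the fixed verifier treats the helper's result pointer as a write.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model of the check described above; not kernel source.
 * All type and function names below are hypothetical. */
enum access_type { ACC_READ, ACC_WRITE };
enum arg_kind {
    ARG_MEM_IN,   /* helper only reads the buffer */
    ARG_MEM_OUT,  /* generic output buffer: raw_mode gets set */
    ARG_LONG_OUT  /* stands in for ARG_PTR_TO_{LONG,INT}: helper writes a result */
};

struct map_model { bool frozen_rdonly; };  /* true for a .rodata-style map */
struct call_meta { bool raw_mode; };
static const struct map_model RODATA = { true }, RW = { false };  /* constructed samples */

/* Stand-in for check_map_access_type(): writes to a read-only map fail. */
static bool map_access_allowed(const struct map_model *m, enum access_type t)
{
    return !(t == ACC_WRITE && m->frozen_rdonly);
}

/* Stand-in for the PTR_TO_MAP_VALUE case of check_helper_mem_access():
 * the access is treated as a read unless raw_mode marks it as a write. */
static bool helper_mem_access_allowed(const struct map_model *m,
                                      const struct call_meta *meta)
{
    return map_access_allowed(m, meta->raw_mode ? ACC_WRITE : ACC_READ);
}

/* Stand-in for check_func_arg(). patched=false reproduces the flaw:
 * raw_mode is never set for ARG_LONG_OUT. patched=true models the fix
 * by handling it like any other output memory (modelling assumption). */
static bool verifier_accepts(const struct map_model *m, enum arg_kind k,
                             bool patched)
{
    struct call_meta meta = { .raw_mode = false };

    if (k == ARG_MEM_OUT || (patched && k == ARG_LONG_OUT))
        meta.raw_mode = true;
    return helper_mem_access_allowed(m, &meta);
}

int main(void)
{
    printf("unpatched accepts: %d\n", verifier_accepts(&RODATA, ARG_LONG_OUT, false));
    printf("patched accepts:   %d\n", verifier_accepts(&RODATA, ARG_LONG_OUT, true));
    return 0;
}
```

In the model, the unpatched path accepts a result pointer into the frozen map while a generic output buffer into the same map is already rejected, which is the inconsistency the fix removes.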
Source: This report was generated using AI