{"vulnerability": "CVE-2024-50194", "sightings": [{"uuid": "35163071-ce1c-4354-88ab-4d786b98f7d7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-50194", "type": "seen", "source": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-226-07", "content": "", "creation_timestamp": "2025-08-14T10:00:00.000000Z"}, {"uuid": "4295d5df-7019-4017-bd11-8079286d66b1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2024-50194", "type": "published-proof-of-concept", "source": "https://t.me/cvedetector/10179", "content": "{\n  \"Source\": \"CVE FEED\",\n  \"Title\": \"CVE-2024-50194 - ARM Linux Big-Endian Uprobes Endianness Vulnerability\", \n  \"Content\": \"CVE ID : CVE-2024-50194 \nPublished : Nov. 8, 2024, 6:15 a.m. | 41\u00a0minutes ago \nDescription : In the Linux kernel, the following vulnerability has been resolved:  \n  \narm64: probes: Fix uprobes for big-endian kernels  \n  \nThe arm64 uprobes code is broken for big-endian kernels as it doesn't  \nconvert the in-memory instruction encoding (which is always  \nlittle-endian) into the kernel's native endianness before analyzing and  \nsimulating instructions. This may result in a few distinct problems:  \n  \n* The kernel may may erroneously reject probing an instruction which can  \n  safely be probed.  \n  \n* The kernel may erroneously erroneously permit stepping an  \n  instruction out-of-line when that instruction cannot be stepped  \n  out-of-line safely.  \n  \n* The kernel may erroneously simulate instruction incorrectly dur to  \n  interpretting the byte-swapped encoding.  \n  \nThe endianness mismatch isn't caught by the compiler or sparse because:  \n  \n* The arch_uprobe::{insn,ixol} fields are encoded as arrays of u8, so  \n  the compiler and sparse have no idea these contain a little-endian  \n  32-bit value. The core uprobes code populates these with a memcpy()  \n  which similarly does not handle endianness.  \n  \n* While the uprobe_opcode_t type is an alias for __le32, both  \n  arch_uprobe_analyze_insn() and arch_uprobe_skip_sstep() cast from u8[]  \n  to the similarly-named probe_opcode_t, which is an alias for u32.  \n  Hence there is no endianness conversion warning.  \n  \nFix this by changing the arch_uprobe::{insn,ixol} fields to __le32 and  \nadding the appropriate __le32_to_cpu() conversions prior to consuming  \nthe instruction encoding. The core uprobes copies these fields as opaque  \nranges of bytes, and so is unaffected by this change.  \n  \nAt the same time, remove MAX_UINSN_BYTES and consistently use  \nAARCH64_INSN_SIZE for clarity.  \n  \nTested with the following:  \n  \n| #include   \n| #include   \n|  \n| #define noinline __attribute__((noinline))  \n|  \n| static noinline void *adrp_self(void)  \n| {  \n|         void *addr;  \n|  \n|         asm volatile(  \n|         \"       adrp    %x0, adrp_self\\n\"  \n|         \"       add     %x0, %x0, :lo12:adrp_self\\n\"  \n|         : \"=r\" (addr));  \n| }  \n|  \n|  \n| int main(int argc, char *argv)  \n| {  \n|         void *ptr = adrp_self();  \n|         bool equal = (ptr == adrp_self);  \n|  \n|         printf(\"adrp_self   =&gt; %p\\n\"  \n|                \"adrp_self() =&gt; %p\\n\"  \n|                \"%s\\n\",  \n|                adrp_self, ptr, equal ? \"EQUAL\" : \"NOT EQUAL\");  \n|  \n|         return 0;  \n| }  \n  \n.... where the adrp_self() function was compiled to:  \n  \n| 00000000004007e0 :  \n|   4007e0:       90000000        adrp    x0, 400000 &lt;__ehdr_start|   4007e4:       911f8000        add     x0, x0, #0x7e0  \n|   4007e8:       d65f03c0        ret  \n  \nBefore this patch, the ADRP is not recognized, and is assumed to be  \nsteppable, resulting in corruption of the result:  \n  \n| # ./adrp-self  \n| adrp_self   =&gt; 0x4007e0  \n| adrp_self() =&gt; 0x4007e0  \n| EQUAL  \n| # echo 'p /root/adrp-self:0x007e0' &gt; /sys/kernel/tracing/uprobe_events  \n| # echo 1 &gt; /sys/kernel/tracing/events/uprobes/enable  \n| # ./adrp-self  \n| adrp_self   =&gt; 0x4007e0  \n| adrp_self() =&gt; 0xffffffffff7e0  \n| NOT EQUAL  \n  \nAfter this patch, the ADRP is correctly recognized and simulated:  \n  \n| # ./adrp-self  \n| adrp_self   =&gt; 0x4007e0  \n| adrp_self() =&gt; 0x4007e0  \n| EQUAL  \n| #  \n| # echo 'p /root/adrp-self:0x007e0' &gt; /sys/kernel/tracing/uprobe_events  \n| # echo 1 &gt; /sys/kernel/tracing/events/uprobes/enable  \n| # ./adrp-self  \n| adrp_self   =&gt; 0x4007e0  \n| adrp_self() =&gt; 0x4007e0  \n| EQUAL \nSeverity: 0.0 | NA \nVisit the link for more details, such as CVSS details, affected products, timeline, and more...\",\n  \"Detection Date\": \"08 Nov 2024\",\n  \"Type\": \"Vulnerability\"\n}\n\ud83d\udd39 t.me/cvedetector \ud83d\udd39", "creation_timestamp": "2024-11-08T07:59:55.000000Z"}]}