CVE-2024-43840

Source
https://cve.org/CVERecord?id=CVE-2024-43840
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-43840.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-43840
Downstream
Related
Published
2024-08-17T09:21:55.841Z
Modified
2026-03-20T12:38:49.547804Z
Summary
bpf, arm64: Fix trampoline for BPF_TRAMP_F_CALL_ORIG
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf, arm64: Fix trampoline for BPF_TRAMP_F_CALL_ORIG

When BPF_TRAMP_F_CALL_ORIG is set, the trampoline calls the __bpf_tramp_enter() and __bpf_tramp_exit() functions, passing them the struct bpf_tramp_image *im pointer as an argument in R0.

The trampoline generation code uses emit_addr_mov_i64() to emit the instructions that move the bpf_tramp_image address into R0, but emit_addr_mov_i64() assumes the address lies in the vmalloc() space and therefore encodes only 48 bits of it. Because bpf_tramp_image is allocated with kzalloc(), its address can require more than 48 bits; in that case the trampoline passes a truncated, invalid address to __bpf_tramp_enter/exit(), causing a kernel crash.

Fix this by using emit_a64_mov_i64() in place of emit_addr_mov_i64(), since it can encode addresses wider than 48 bits.

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/43xxx/CVE-2024-43840.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
efc9909fdce00a827a37609628223cd45bf95d0b
Fixed
077149478497b2f00ff4fd9da2c892defa6418d8
Fixed
d9664e6ff040798a46cdc5d401064f55b8676c83
Fixed
6d218fcc707d6b2c3616b6cd24b948fd4825cfec
Fixed
19d3c179a37730caf600a97fed3794feac2b197b

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-43840.json"