CVE-2024-50203

When BPFTRAMPFCALLORIG is enabled, the address of a bpftrampimage struct on the stack is passed during the size calculation pass and an address on the heap is passed during code generation. This may cause a heap buffer overflow if the heap address is tagged because emita64movi64() will emit longer code than it did during the size calculation pass. The same problem could occur without tag-based KASAN if one of the 16-bit words of the stack address happened to be all-ones during the size calculation pass. Fix the problem by assuming the worst case (4 instructions) when calculating the size of the bpftramp_image address emission.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/50xxx/CVE-2024-50203.json",
    "cna_assigner": "Linux"
}

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

077149478497b2f00ff4fd9da2c892defa6418d8

Fixed

9e80f366ebfdfafc685fe83a84c34f7ef01cbe88

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

d9664e6ff040798a46cdc5d401064f55b8676c83

Fixed

f521c2a0c0c4585f36d912bf62c852b88682c4f2

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

19d3c179a37730caf600a97fed3794feac2b197b

Fixed

7db1a2121f3c7903b8e397392beec563c3d00950

Fixed

a552e2ef5fd1a6c78267cd4ec5a9b49aa11bbb1c

Type: GIT
Repo: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

6d218fcc707d6b2c3616b6cd24b948fd4825cfec

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-50203.json"