CVE-2024-43840

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 17/08/2024
Last modified: 03/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf, arm64: Fix trampoline for BPF_TRAMP_F_CALL_ORIG

When BPF_TRAMP_F_CALL_ORIG is set, the trampoline calls __bpf_tramp_enter() and __bpf_tramp_exit() functions, passing them the struct bpf_tramp_image *im pointer as an argument in R0.

The trampoline generation code uses emit_addr_mov_i64() to emit instructions for moving the bpf_tramp_image address into R0, but emit_addr_mov_i64() assumes the address to be in the vmalloc() space and uses only 48 bits. Because bpf_tramp_image is allocated using kzalloc(), its address can use more than 48 bits; in this case the trampoline will pass an invalid address to __bpf_tramp_enter/exit(), causing a kernel crash.

Fix this by using emit_a64_mov_i64() in place of emit_addr_mov_i64(), as it can work with addresses that are greater than 48 bits.
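The following is an added example, not code from the kernel or from this advisory. It models, in plain C, the register value that the two AArch64 immediate-move strategies produce: a 48-bit path (MOVN for the low 16 bits, then MOVK for bits 16..31 and 32..47, which leaves bits 48..63 as all ones) and a full 64-bit path that writes every 16-bit chunk. The function names mov_addr_48bit, mov_i64 and address_truncated, and the two sample addresses, are constructed for illustration; the example assumes only the documented MOVN/MOVK semantics and does not reproduce the kernel's instruction selection.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Overwrite one 16-bit chunk of reg at the given shift, like AArch64 MOVK. */
static uint64_t movk(uint64_t reg, uint64_t val, int shift)
{
    uint64_t chunk = (val >> shift) & 0xffffULL;
    return (reg & ~(0xffffULL << shift)) | (chunk << shift);
}

/* Simplified model of a 48-bit address move (hypothetical name):
 * MOVN loads the inverted low 16 bits, so every other bit starts as 1,
 * then MOVK fills bits 16..31 and 32..47. Bits 48..63 are never written
 * and therefore remain 1, which is only correct for addresses whose top
 * 16 bits are all ones (typical of the vmalloc area). */
uint64_t mov_addr_48bit(uint64_t val)
{
    uint64_t reg = ~(~val & 0xffffULL);   /* MOVN reg, #(~val & 0xffff) */
    for (int shift = 16; shift < 48; shift += 16)
        reg = movk(reg, val, shift);      /* MOVK at lsl #16 and #32 */
    return reg;
}

/* Simplified model of a full 64-bit immediate move (hypothetical name):
 * MOVZ for the low chunk, then MOVK for bits 16..31, 32..47 and 48..63,
 * so the register always holds exactly the requested value. */
uint64_t mov_i64(uint64_t val)
{
    uint64_t reg = val & 0xffffULL;       /* MOVZ reg, #(val & 0xffff) */
    for (int shift = 16; shift < 64; shift += 16)
        reg = movk(reg, val, shift);      /* MOVK at lsl #16, #32 and #48 */
    return reg;
}

/* Returns 1 when the 48-bit path would hand a callee a wrong pointer. */
int address_truncated(uint64_t addr)
{
    return mov_addr_48bit(addr) != addr;
}

int main(void)
{
    /* Constructed sample addresses, not taken from any real system:
     * the first has all-ones top 16 bits, the second does not. */
    uint64_t upper_region = 0xffff800012345000ULL;
    uint64_t wide_region  = 0xfff0000012345000ULL;

    printf("48-bit move of %016" PRIx64 " -> %016" PRIx64 " (%s)\n",
           upper_region, mov_addr_48bit(upper_region),
           address_truncated(upper_region) ? "corrupted" : "intact");
    printf("48-bit move of %016" PRIx64 " -> %016" PRIx64 " (%s)\n",
           wide_region, mov_addr_48bit(wide_region),
           address_truncated(wide_region) ? "corrupted" : "intact");
    printf("64-bit move of %016" PRIx64 " -> %016" PRIx64 "\n",
           wide_region, mov_i64(wide_region));
    return 0;
}
```

The second sample shows the failure mode described above: the 48-bit path silently rewrites the top 16 bits, so the value reaching the callee is a different address, while the 64-bit path reproduces the pointer exactly regardless of which bits it uses.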

Vulnerable products and versions

CPE: cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*
From: 6.0 (including)
Up to: 6.10.3 (excluding)