PT-2024-30702 · Linux+6 · Linux Kernel+6
Published: 2024-07-11 · Updated: 2026-03-13
CVE-2024-43840
CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions
Linux kernel (affected versions not specified)
Description
The issue is in the trampoline generation code in the Linux kernel when BPF_TRAMP_F_CALL_ORIG is set. The trampoline calls the __bpf_tramp_enter() and __bpf_tramp_exit() functions, passing them the struct bpf_tramp_image *im pointer as an argument in R0. The problem arises because the emit_addr_mov_i64() function assumes the address to be in the vmalloc() space and uses only 48 bits, but the bpf_tramp_image is allocated using kzalloc(), which can result in an address that uses more than 48 bits. This causes the trampoline to pass an invalid address to __bpf_tramp_enter/exit(), leading to a kernel crash. The fix involves using emit_a64_mov_i64() in place of emit_addr_mov_i64() to handle addresses greater than 48 bits.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
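The 48-bit truncation from the Description, modelled in user-space C as an added example (not kernel code and not part of the original advisory). The helper names `load_addr_48` and `load_imm_64`, the use of AArch64 move-wide semantics, the assumption that the 48-bit sequence forces bits 63:48 to ones, and both sample addresses are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* AArch64 move-wide semantics on a 64-bit register (shift is 0, 16, 32 or 48). */
static uint64_t movz(uint16_t imm, int shift) { return (uint64_t)imm << shift; }
static uint64_t movn(uint16_t imm, int shift) { return ~((uint64_t)imm << shift); }
static uint64_t movk(uint64_t reg, uint16_t imm, int shift)
{
    return (reg & ~(0xffffULL << shift)) | ((uint64_t)imm << shift);
}

/* Assumed model of a 48-bit address load: MOVN sets bits 63:16 to ones, then
 * two MOVKs fill bits 47:16. Bits 63:48 are never taken from the input. */
static uint64_t load_addr_48(uint64_t val)
{
    uint64_t reg = movn((uint16_t)(~val & 0xffff), 0);
    reg = movk(reg, (uint16_t)(val >> 16), 16);
    reg = movk(reg, (uint16_t)(val >> 32), 32);
    return reg;
}

/* Simplified model of a full 64-bit load: all four halfwords come from val. */
static uint64_t load_imm_64(uint64_t val)
{
    uint64_t reg = movz((uint16_t)val, 0);
    for (int shift = 16; shift < 64; shift += 16)
        reg = movk(reg, (uint16_t)(val >> shift), shift);
    return reg;
}

/* Constructed sample addresses, not taken from a real system. */
static const uint64_t VMALLOC_LIKE = 0xffff800080123000ULL; /* bits 63:48 all ones */
static const uint64_t KZALLOC_LIKE = 0xfff0000081234000ULL; /* needs bits above 47 */

int main(void)
{
    const uint64_t samples[] = { VMALLOC_LIKE, KZALLOC_LIKE };
    for (size_t i = 0; i < 2; i++) {
        uint64_t a = samples[i];
        printf("%016llx  48-bit: %016llx %s  64-bit: %016llx\n",
               (unsigned long long)a, (unsigned long long)load_addr_48(a),
               load_addr_48(a) == a ? "ok " : "BAD",
               (unsigned long long)load_imm_64(a));
    }
    return 0;
}
```

The second sample comes back from the 48-bit path with its top 16 bits rewritten, which is the invalid pointer the trampoline would hand to __bpf_tramp_enter/exit().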
Exploit
Weakness Enumeration
Related Identifiers
Affected Products
Alt Linux
Astra Linux
Debian
Linuxmint
Linux Kernel
Suse
Ubuntu