cve/published/2024/CVE-2024-50203.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.2.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2024-50203: bpf, arm64: Fix address emission with tag-based KASAN enabled

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 bpf, arm64: Fix address emission with tag-based KASAN enabled

 When BPF_TRAMP_F_CALL_ORIG is enabled, the address of a bpf_tramp_image
 struct on the stack is passed during the size calculation pass and
 an address on the heap is passed during code generation. This may
 cause a heap buffer overflow if the heap address is tagged because
 emit_a64_mov_i64() will emit longer code than it did during the size
 calculation pass. The same problem could occur without tag-based
 KASAN if one of the 16-bit words of the stack address happened to
 be all-ones during the size calculation pass. Fix the problem by
 assuming the worst case (4 instructions) when calculating the size
 of the bpf_tramp_image address emission.

 The Linux kernel CVE team has assigned CVE-2024-50203 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.11 with commit 19d3c179a37730caf600a97fed3794feac2b197b and fixed in 6.11.6 with commit 7db1a2121f3c7903b8e397392beec563c3d00950
 	Issue introduced in 6.11 with commit 19d3c179a37730caf600a97fed3794feac2b197b and fixed in 6.12 with commit a552e2ef5fd1a6c78267cd4ec5a9b49aa11bbb1c
 	Issue introduced in 6.10.3 with commit 6d218fcc707d6b2c3616b6cd24b948fd4825cfec

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2024-50203
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	arch/arm64/net/bpf_jit_comp.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/9e80f366ebfdfafc685fe83a84c34f7ef01cbe88
 	https://git.kernel.org/stable/c/f521c2a0c0c4585f36d912bf62c852b88682c4f2
 	https://git.kernel.org/stable/c/7db1a2121f3c7903b8e397392beec563c3d00950
 	https://git.kernel.org/stable/c/a552e2ef5fd1a6c78267cd4ec5a9b49aa11bbb1c
	From bippy-1.2.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2024-50203: bpf, arm64: Fix address emission with tag-based KASAN enabled

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	bpf, arm64: Fix address emission with tag-based KASAN enabled

	When BPF_TRAMP_F_CALL_ORIG is enabled, the address of a bpf_tramp_image
	struct on the stack is passed during the size calculation pass and
	an address on the heap is passed during code generation. This may
	cause a heap buffer overflow if the heap address is tagged because
	emit_a64_mov_i64() will emit longer code than it did during the size
	calculation pass. The same problem could occur without tag-based
	KASAN if one of the 16-bit words of the stack address happened to
	be all-ones during the size calculation pass. Fix the problem by
	assuming the worst case (4 instructions) when calculating the size
	of the bpf_tramp_image address emission.

	The Linux kernel CVE team has assigned CVE-2024-50203 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.11 with commit 19d3c179a37730caf600a97fed3794feac2b197b and fixed in 6.11.6 with commit 7db1a2121f3c7903b8e397392beec563c3d00950
	Issue introduced in 6.11 with commit 19d3c179a37730caf600a97fed3794feac2b197b and fixed in 6.12 with commit a552e2ef5fd1a6c78267cd4ec5a9b49aa11bbb1c
	Issue introduced in 6.10.3 with commit 6d218fcc707d6b2c3616b6cd24b948fd4825cfec

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2024-50203
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	arch/arm64/net/bpf_jit_comp.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/9e80f366ebfdfafc685fe83a84c34f7ef01cbe88
	https://git.kernel.org/stable/c/f521c2a0c0c4585f36d912bf62c852b88682c4f2
	https://git.kernel.org/stable/c/7db1a2121f3c7903b8e397392beec563c3d00950
	https://git.kernel.org/stable/c/a552e2ef5fd1a6c78267cd4ec5a9b49aa11bbb1c