{ "id": "CVE-2024-43840", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "published": "2024-08-17T10:15:09.517", "lastModified": "2024-10-29T16:25:29.913", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [ { "lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, arm64: Fix trampoline for BPF_TRAMP_F_CALL_ORIG\n\nWhen BPF_TRAMP_F_CALL_ORIG is set, the trampoline calls\n__bpf_tramp_enter() and __bpf_tramp_exit() functions, passing them\nthe struct bpf_tramp_image *im pointer as an argument in R0.\n\nThe trampoline generation code uses emit_addr_mov_i64() to emit\ninstructions for moving the bpf_tramp_image address into R0, but\nemit_addr_mov_i64() assumes the address to be in the vmalloc() space\nand uses only 48 bits. Because bpf_tramp_image is allocated using\nkzalloc(), its address can use more than 48-bits, in this case the\ntrampoline will pass an invalid address to __bpf_tramp_enter/exit()\ncausing a kernel crash.\n\nFix this by using emit_a64_mov_i64() in place of emit_addr_mov_i64()\nas it can work with addresses that are greater than 48-bits." }, { "lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: bpf, arm64: Reparar trampol\u00edn para BPF_TRAMP_F_CALL_ORIG Cuando BPF_TRAMP_F_CALL_ORIG est\u00e1 configurado, el trampol\u00edn llama a las funciones __bpf_tramp_enter() y __bpf_tramp_exit(), pas\u00e1ndoles el puntero struct bpf_tramp_image *im como argumento en R0 . El c\u00f3digo de generaci\u00f3n de trampol\u00edn usa emit_addr_mov_i64() para emitir instrucciones para mover la direcci\u00f3n bpf_tramp_image a R0, pero emit_addr_mov_i64() asume que la direcci\u00f3n est\u00e1 en el espacio vmalloc() y usa solo 48 bits. Debido a que bpf_tramp_image se asigna usando kzalloc(), su direcci\u00f3n puede usar m\u00e1s de 48 bits, en este caso el trampol\u00edn pasar\u00e1 una direcci\u00f3n no v\u00e1lida a __bpf_tramp_enter/exit() provocando un bloqueo del kernel. Solucione este problema utilizando emit_a64_mov_i64() en lugar de emit_addr_mov_i64(), ya que puede funcionar con direcciones superiores a 48 bits." } ], "metrics": { "cvssMetricV31": [ { "source": "nvd@nist.gov", "type": "Primary", "cvssData": { "version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH" }, "exploitabilityScore": 1.8, "impactScore": 3.6 } ] }, "weaknesses": [ { "source": "nvd@nist.gov", "type": "Primary", "description": [ { "lang": "en", "value": "NVD-CWE-noinfo" } ] } ], "configurations": [ { "nodes": [ { "operator": "OR", "negate": false, "cpeMatch": [ { "vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.0", "versionEndExcluding": "6.10.3", "matchCriteriaId": "10A3C375-FFAF-4092-9FFF-0DE81E7DCE63" } ] } ] } ], "references": [ { "url": "https://git.kernel.org/stable/c/19d3c179a37730caf600a97fed3794feac2b197b", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": [ "Patch" ] }, { "url": "https://git.kernel.org/stable/c/6d218fcc707d6b2c3616b6cd24b948fd4825cfec", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "tags": [ "Patch" ] } ] }