CVE-2024-43840 in Linux

Summary

by MITRE • 08/17/2024

In the Linux kernel, the following vulnerability has been resolved:

bpf, arm64: Fix trampoline for BPF_TRAMP_F_CALL_ORIG

When BPF_TRAMP_F_CALL_ORIG is set, the trampoline calls __bpf_tramp_enter() and __bpf_tramp_exit() functions, passing them the struct bpf_tramp_image *im pointer as an argument in R0.

The trampoline generation code uses emit_addr_mov_i64() to emit instructions for moving the bpf_tramp_image address into R0, but emit_addr_mov_i64() assumes the address to be in the vmalloc() space and uses only 48 bits. Because bpf_tramp_image is allocated using kzalloc(), its address can use more than 48 bits; in this case the trampoline will pass an invalid address to __bpf_tramp_enter/exit(), causing a kernel crash.

Fix this by using emit_a64_mov_i64() in place of emit_addr_mov_i64(), as it can work with addresses that are greater than 48 bits.


Analysis

by VulDB Data Team • 02/02/2026

CVE-2024-43840 is a critical kernel-level flaw in the Linux kernel's BPF (Berkeley Packet Filter) subsystem that affects only the ARM64 architecture. It stems from incorrect address handling in the BPF trampoline mechanism, the code that mediates calls between BPF programs and kernel functions. When the BPF_TRAMP_F_CALL_ORIG flag is set, the trampoline also calls the original kernel function, and on that path it must pass a pointer to the bpf_tramp_image structure to __bpf_tramp_enter() and __bpf_tramp_exit(), the functions that manage the BPF execution context.

The root cause lies in the helper used to materialise addresses while the trampoline code is generated. emit_addr_mov_i64() was written on the assumption that every address it loads resides in the vmalloc() region, which is limited to 48-bit addressing, so it encodes only 48 address bits. The bpf_tramp_image structure, however, is allocated with kzalloc(), a kernel allocator whose addresses can exceed that 48-bit limit. When such an address is loaded with the 48-bit sequence, the upper bits are lost and the trampoline passes an invalid pointer to these critical kernel functions. The flaw is classified under CWE-129, which addresses improper validation of buffer bounds, and CWE-787, out-of-bounds write. It is specific to ARM64, whose memory layout differs from other platforms, and its demonstrated effect is a kernel crash.

The operational impact is severe: executing a BPF program whose trampoline carries the BPF_TRAMP_F_CALL_ORIG flag can crash the kernel immediately, because the invalid address handed to __bpf_tramp_enter/exit() causes memory corruption or a page fault from which the kernel cannot recover gracefully. Affected systems are those running BPF-capable Linux kernels on ARM64. Malicious actors could potentially use the flaw to cause denial-of-service conditions or, in more sophisticated scenarios, to gain unauthorized access to kernel memory. The concern is amplified by how widely BPF is used for network filtering, security monitoring and performance analysis, so a crash can take down critical system functions. From an ATT&CK framework perspective, the vulnerability aligns with privilege-escalation and resource-exploitation techniques that target kernel memory management and process control.

The fix replaces emit_addr_mov_i64() with emit_a64_mov_i64(), which is designed to handle addresses that exceed the 48-bit limit assumed for vmalloc space. With this change a bpf_tramp_image structure is referenced correctly wherever it resides in memory, existing BPF functionality is preserved, and the address-space assumption that caused the crashes is gone. System administrators should prioritize applying the patch to all affected ARM64 Linux systems, particularly those running BPF-based security tools or network monitoring applications. More broadly, the bug shows why kernel code that emits addresses must account for every allocator whose pointers it may be handed, since different allocation mechanisms can produce addresses outside a helper's assumptions.
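The 48-bit load described in the summary and in the analysis above, modelled in user space as an added example (this is not the kernel's JIT code; the kernel's emit_a64_mov_i64() is more optimised than the plain MOVZ/MOVK sequence modelled here, and the two sample addresses are constructed):

```c
/* Added example (not kernel code): user-space model of how the two arm64 BPF
 * JIT helpers load a 64-bit immediate. The real emit_a64_mov_i64() is more
 * optimised (it may start with MOVN) but yields the same bits. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
typedef uint64_t u64;

/* Semantics of the 64-bit MOVN / MOVZ / MOVK instructions the JIT emits. */
static u64 movn(u64 imm16, int shift) { return ~(imm16 << shift); }
static u64 movz(u64 imm16, int shift) { return imm16 << shift; }
static u64 movk(u64 reg, u64 imm16, int shift)
{   /* overwrite one 16-bit lane, keep the other three */
    return (reg & ~((u64)0xffff << shift)) | (imm16 << shift);
}
/* Model of emit_addr_mov_i64(): MOVN plus two MOVK. Bits 0..47 come from val;
 * bits 48..63 are always 1, the shape of a 48-bit vmalloc() address. */
static u64 addr_mov_i64_result(u64 val)
{
    u64 reg = movn(~val & 0xffff, 0);
    for (int shift = 16; shift < 48; shift += 16)
        reg = movk(reg, (val >> shift) & 0xffff, shift);
    return reg;
}
/* Model of emit_a64_mov_i64(): MOVZ, then MOVK for each non-zero lane, so all
 * 64 bits of val are reproduced regardless of where the object lives. */
static u64 a64_mov_i64_result(u64 val)
{
    u64 reg = movz(val & 0xffff, 0);
    for (int shift = 16; shift < 64; shift += 16)
        if ((val >> shift) & 0xffff)
            reg = movk(reg, (val >> shift) & 0xffff, shift);
    return reg;
}
/* True when the 48-bit sequence would hand __bpf_tramp_enter/exit() a pointer
 * that differs from the real bpf_tramp_image address. */
static bool addr_mov_corrupts(u64 val)
{
    return addr_mov_i64_result(val) != val;
}

int main(void)
{   /* constructed samples: a vmalloc()-style and a kzalloc()-style address */
    u64 a[] = { 0xffff800012345678ULL, 0xfff0000012345678ULL };
    for (int i = 0; i < 2; i++)
        printf("%#llx: 48-bit load %s\n", (unsigned long long)a[i],
               addr_mov_corrupts(a[i]) ? "CORRUPTS the pointer" : "is fine");
    return 0;
}
```

The second address keeps its low 48 bits but comes back with the top lane forced to 0xffff, which is exactly the invalid pointer the summary describes; the full-width load reproduces both addresses unchanged.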

Responsible: Linux
Reservation: 08/17/2024
Disclosure: 08/17/2024
Moderation: accepted
CPE: ready
EPSS: 0.00210
KEV: no
Activities: very low
