{"id":"CVE-2024-50203","summary":"bpf, arm64: Fix address emission with tag-based KASAN enabled","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf, arm64: Fix address emission with tag-based KASAN enabled\n\nWhen BPF_TRAMP_F_CALL_ORIG is enabled, the address of a bpf_tramp_image\nstruct on the stack is passed during the size calculation pass and\nan address on the heap is passed during code generation. This may\ncause a heap buffer overflow if the heap address is tagged because\nemit_a64_mov_i64() will emit longer code than it did during the size\ncalculation pass. The same problem could occur without tag-based\nKASAN if one of the 16-bit words of the stack address happened to\nbe all-ones during the size calculation pass. Fix the problem by\nassuming the worst case (4 instructions) when calculating the size\nof the bpf_tramp_image address emission.","modified":"2026-03-20T12:39:38.361005Z","published":"2024-11-08T06:07:54.207Z","related":["SUSE-SU-2025:0117-1","SUSE-SU-2025:0153-1","SUSE-SU-2025:0154-1","SUSE-SU-2025:0289-1","SUSE-SU-2025:20165-1","SUSE-SU-2025:20166-1","SUSE-SU-2025:20248-1","SUSE-SU-2025:20249-1","USN-7276-1","USN-7277-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/50xxx/CVE-2024-50203.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/7db1a2121f3c7903b8e397392beec563c3d00950"},{"type":"WEB","url":"https://git.kernel.org/stable/c/9e80f366ebfdfafc685fe83a84c34f7ef01cbe88"},{"type":"WEB","url":"https://git.kernel.org/stable/c/a552e2ef5fd1a6c78267cd4ec5a9b49aa11bbb1c"},{"type":"WEB","url":"https://git.kernel.org/stable/c/f521c2a0c0c4585f36d912bf62c852b88682c4f2"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/50xxx/CVE-2024-50203.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-50203"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"077149478497b2f00ff4fd9da2c892defa6418d8"},{"fixed":"9e80f366ebfdfafc685fe83a84c34f7ef01cbe88"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"d9664e6ff040798a46cdc5d401064f55b8676c83"},{"fixed":"f521c2a0c0c4585f36d912bf62c852b88682c4f2"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"19d3c179a37730caf600a97fed3794feac2b197b"},{"fixed":"7db1a2121f3c7903b8e397392beec563c3d00950"},{"fixed":"a552e2ef5fd1a6c78267cd4ec5a9b49aa11bbb1c"}]},{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0"},{"last_affected":"6d218fcc707d6b2c3616b6cd24b948fd4825cfec"}]}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-50203.json"}}],"schema_version":"1.7.5"}