Description
In the Linux kernel, the following vulnerability has been resolved: bpf, arm64: Force 8-byte alignment for JIT buffer to prevent atomic tearing struct bpf_plt contains a u64 target field. Currently, the BPF JIT allocator requests an alignment of 4 bytes (sizeof(u32)) for the JIT buffer. Because the base address of the JIT buffer can be 4-byte aligned (e.g., ending in 0x4 or 0xc), the relative padding logic in build_plt() fails to ensure that target lands on an 8-byte boundary. This leads to two issues: 1. UBSAN reports misaligned-access warnings when dereferencing the structure. 2. More critically, target is updated concurrently via WRITE_ONCE() in bpf_arch_text_poke() while the JIT'd code executes ldr. On arm64, 64-bit loads/stores are only guaranteed to be single-copy atomic if they are 64-bit aligned. A misaligned target risks a torn read, causing the JIT to jump to a corrupted address. Fix this by increasing the allocation alignment requirement to 8 bytes (sizeof(u64)) in bpf_jit_binary_pack_alloc(). This anchors the base of the JIT buffer to an 8-byte boundary, allowing the relative padding math in build_plt() to correctly align the target field.
Product status
b2ad54e1533e91449cb2a371e034942bd7882b58 (git) before 80ad264da02cc4aee718e799c2b79f0f834673dc
b2ad54e1533e91449cb2a371e034942bd7882b58 (git) before 519b1ad91de5bf7a496f2b858e9212db6328e1de
b2ad54e1533e91449cb2a371e034942bd7882b58 (git) before 66959ed481a474eaae278c7f6860a2a9b188a4d6
b2ad54e1533e91449cb2a371e034942bd7882b58 (git) before ef06fd16d48704eac868441d98d4ef083d8f3d07
6.0
Any version before 6.0
6.12.77 (semver)
6.18.17 (semver)
6.19.7 (semver)
7.0 (original_commit_for_fix)
References
git.kernel.org/...c/80ad264da02cc4aee718e799c2b79f0f834673dc
git.kernel.org/...c/519b1ad91de5bf7a496f2b858e9212db6328e1de
git.kernel.org/...c/66959ed481a474eaae278c7f6860a2a9b188a4d6
git.kernel.org/...c/ef06fd16d48704eac868441d98d4ef083d8f3d07