2360931 – (CVE-2025-37893) CVE-2025-37893 kernel: LoongArch: BPF: Fix off-by-one error in build_prologue()

Bug 2360931 (CVE-2025-37893) - CVE-2025-37893 kernel: LoongArch: BPF: Fix off-by-one error in build_prologue()

Summary: CVE-2025-37893 kernel: LoongArch: BPF: Fix off-by-one error in build_prologue()

Keywords:
Status:	NEW
Alias:	CVE-2025-37893
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2025-04-18 08:01 UTC by OSIDB Bzimport
Modified:	2025-04-18 14:37 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-04-18 08:01:45 UTC

In the Linux kernel, the following vulnerability has been resolved:

LoongArch: BPF: Fix off-by-one error in build_prologue()

Vincent reported that running BPF progs with tailcalls on LoongArch
causes kernel hard lockup. Debugging the issues shows that the JITed
image missing a jirl instruction at the end of the epilogue.

There are two passes in JIT compiling, the first pass set the flags and
the second pass generates JIT code based on those flags. With BPF progs
mixing bpf2bpf and tailcalls, build_prologue() generates N insns in the
first pass and then generates N+1 insns in the second pass. This makes
epilogue_offset off by one and we will jump to some unexpected insn and
cause lockup. Fix this by inserting a nop insn.

Comment 1 Avinash Hanwate 2025-04-18 12:58:10 UTC

Upstream advisory:
https://lore.kernel.org/linux-cve-announce/2025041816-CVE-2025-37893-57b4@gregkh/T

Note You need to log in before you can comment on or make changes to this bug.