Hello:
This patch was applied to bpf/bpf.git (master) by Daniel Borkmann daniel@iogearbox.net:
On Fri, 18 Oct 2024 15:16:43 -0700 you wrote:
When BPF_TRAMP_F_CALL_ORIG is enabled, the address of a bpf_tramp_image struct on the stack is passed during the size calculation pass and an address on the heap is passed during code generation. This may cause a heap buffer overflow if the heap address is tagged because emit_a64_mov_i64() will emit longer code than it did during the size calculation pass. The same problem could occur without tag-based KASAN if one of the 16-bit words of the stack address happened to be all-ones during the size calculation pass. Fix the problem by assuming the worst case (4 instructions) when calculating the size of the bpf_tramp_image address emission.
[...]
Here is the summary with links: - bpf, arm64: Fix address emission with tag-based KASAN enabled https://git.kernel.org/bpf/bpf/c/a552e2ef5fd1
You are awesome, thank you!