Re: [PATCH 0/2] x86/bpf: Fix FineIBT vs eBPF

From: Peter Zijlstra
Date: Wed Nov 22 2023 - 05:18:33 EST

Next message: Michal Simek: "Re: [PATCH v2 1/2] dt-bindings: soc: xilinx: Move xilinx.yaml from arm to soc"
Previous message: Daniel Baluta: "Re: [RFC PATCH] ASoC: simple-card: Use dai_id from node description"
In reply to: Alexei Starovoitov: "Re: [PATCH 0/2] x86/bpf: Fix FineIBT vs eBPF"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Tue, Nov 21, 2023 at 05:41:07PM -0800, Alexei Starovoitov wrote:
> On Mon, Nov 20, 2023 at 03:46:42PM +0100, Peter Zijlstra wrote:
> > Hi!
> >
> > There's a problem with FineIBT and eBPF using __nocfi when
> > CONFIG_BPF_JIT_ALWAYS_ON=n, in which case the __nocfi indirect call can target
> > a normal function like __bpf_prog_run32().
>
> The lack (or partially broken) cfi in the kernel built with
> CONFIG_BPF_JIT_ALWAYS_ON=n is probably the last of people security concerns.
> We introduced CONFIG_BPF_JIT_ALWAYS_ON=y to remove the interpreter,
> since mere presence of _any_ interpreter in the kernel (bpf and any other)
> is an attack vector. As it was demonstrated during spectre days an interpreter
> sitting in executable part of vmlinux .text tremendously helps to craft
> a speculative execution exploit.

Oh, no argument there. I always have JIT_ALWAYS_ON=y (when I have BPF at
all) which is why it took me so long to actually trip over this.

This was a test script systematically build/boot a bunch of configs and
going unexpectedly *splat*.

But it was a good excuse to spend time fixing it.

Next message: Michal Simek: "Re: [PATCH v2 1/2] dt-bindings: soc: xilinx: Move xilinx.yaml from arm to soc"
Previous message: Daniel Baluta: "Re: [RFC PATCH] ASoC: simple-card: Use dai_id from node description"
In reply to: Alexei Starovoitov: "Re: [PATCH 0/2] x86/bpf: Fix FineIBT vs eBPF"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]