Conversation

this is why eBPF is restricted to root in alpine. all distributions should do that.

Quote Tweet

Apr 9, 2021

[CVE-2021-29154] Linux kernel incorrect computation of branch displacements in BPF JIT compiler can be abused to execute arbitrary code in Kernel mode openwall.com/lists/oss-secu

Replying to

Or better, omit CONFIG_BPF_JIT or whatever it's called.

Replying to

unfortunately, that is not practical. many new kernel features are controlled through eBPF, such as VRFs, `ip vrf exec` depends on eBPF.

Replying to

and

other examples include the newer performance tracing functionality, etc. all of it is unfortunately built on eBPF.

Replying to

eBPF != eBPF JIT

Replying to

yes, but when you enable some options, like CONFIG_BPF_SYSCALL, you have CONFIG_BPF_JIT=y automatically, and you can't get rid of it. and unfortunately, the bpf syscall is now a popular one for these new toys.

Replying to

Are you sure? There are plenty of archs with no JIT. JIT should be independent.

Replying to

apparently they turn it on as a "security mitigation" where its available, see CONFIG_BPF_JIT_ALWAYS_ON. apparently this is because the interpreter does speculation

Replying to

and

The issue is that the interpreter provides very useful Spectre 2 gadgets simply by existing. git.kernel.org/pub/scm/linux/ There are gadgets all over the kernel so this mitigation is very questionable. It's comparable to removing/changing code to eliminate well known ROP gadgets...

Replying to

and

Once an attacker has developed a scripting framework for finding Spectre 2 gadgets, then this accomplishes very little. It's not a real barrier but rather at most an inconvenience: a well known and useful set of gadgets isn't available. It's security through obscurity at best.

11:17 PM · Apr 9, 2021Twitter Web App

Replying to

and

Since most distributions now enable BPF_JIT_ALWAYS_ON, any value it provides via obscurity is essentially already there. If you configure your kernel without it, then sure, you have an easy source of useful Spectre 2 gadgets, but since hardly anyone else does, it's as obscure...

Replying to

and

most distributions likely blindly enable BPF_JIT_ALWAYS_ON. it is basically default yes.

Replying to

and

i see. well, with stuff like XDP, i am sure people would be upset if we turned the JIT off anyway, but they go to some level of effort to make it hard to do so.

Replying to

and

CONFIG_BPF_JIT_ALWAYS_ON is a config switch you can switch off though, no?

Replying to

and

It forces the JIT to always be enabled at compile-time in order to avoid compiling the interpreter into the kernel. You can build the kernel without it. If the kernel is built with it, then there's no option to use the interpreter. It's how most distributions build Linux now.

Show replies