BPF List
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Jennifer Miller" <jmill@asu.edu>
Cc: bpf@vger.kernel.org
Subject: Re: [RFC PATCH bpf-next v1 1/1] bpf: Enable JIT hardening by default when x86_64 CFI is enabled
Date: Fri, 10 Jul 2026 19:30:03 +0000	[thread overview]
Message-ID: <20260710193004.1E9BA1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260710191932.120911-2-jmill@asu.edu>

Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
- [High] Initializing `bpf_jit_harden` to `1` by default provides incomplete CFI protection (exempting CAP_BPF users) while unconditionally breaking BPF observability for all users.
- [High] `bpf_jit_harden` is not enabled by default for `CONFIG_X86_KERNEL_IBT` without `CONFIG_CFI`, leaving Endbr64 instructions unprotected against crafted constants.
- [Low] The newly added multi-line comment violates BPF subsystem style guidelines.
--

--- Patch [1]: [RFC PATCH bpf-next v1 1/1] bpf: Enable JIT hardening by default when x86_64 CFI is enabled ---
commit 977257fbaf53ef7b4278e0a06c6f26b8addb7fac
Author: Jennifer Miller <jmill@asu.edu>

bpf: Enable JIT hardening by default when x86_64 CFI is enabled

This commit initializes bpf_jit_harden to 1 by default when x86_64 CFI is
enabled. It aims to prevent unprivileged users from crafting CFI signatures
or Endbr64 instructions by enabling constant blinding for JITted BPF code.

> diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
> --- a/kernel/bpf/core.c
> +++ b/kernel/bpf/core.c
> @@ -548,7 +548,11 @@ void bpf_prog_kallsyms_del_all(struct bpf_prog *fp)
>  /* All BPF JIT sysctl knobs here. */
>  int bpf_jit_enable   __read_mostly = IS_BUILTIN(CONFIG_BPF_JIT_DEFAULT_ON);
>  int bpf_jit_kallsyms __read_mostly = IS_BUILTIN(CONFIG_BPF_JIT_DEFAULT_ON);
> -int bpf_jit_harden   __read_mostly;
> +/* Enable hardening by default when x86_64 CFI is enabled to prevent CFI
> + * hashes and endbr64 instructions from being crafted.
> + */

[Severity: Low]
This isn't a bug, but does this multi-line comment follow the BPF subsystem
formatting rules? The guidelines require the opening slash and asterisk to
be on a line by themselves for multi-line comments.

> +int bpf_jit_harden   __read_mostly = IS_ENABLED(CONFIG_X86_64) &&
> +					IS_ENABLED(CONFIG_CFI);

[Severity: High]
Does initializing bpf_jit_harden to 1 using boolean evaluation create an
issue with observability for privileged users?

Looking at include/linux/filter.h in bpf_jit_kallsyms_enabled(), any
non-zero value for bpf_jit_harden disables kallsyms:

if (bpf_jit_harden)
        return false;

However, looking at bpf_jit_blinding_enabled() in the same file, a value
of 1 explicitly bypasses blinding for users with CAP_BPF:

if (bpf_jit_harden == 1 && bpf_token_capable(prog->aux->token, CAP_BPF))
        return false;

Will this result in breaking BPF observability like profiling and stack
traces for all users, while simultaneously failing to provide the security
benefit of constant blinding for privileged users? Should this be set to 2
instead?

[Severity: High]
Also, does gating this mitigation exclusively on CONFIG_CFI leave Endbr64
instructions unprotected?

The commit message mentions preventing endbr64 instructions from being
crafted, but endbr64 is tied to hardware Indirect Branch Tracking (IBT)
which uses CONFIG_X86_KERNEL_IBT.

If a kernel is compiled with IBT enabled but CONFIG_CFI disabled, the
boolean logic will evaluate to 0, leaving the JIT vulnerable to 32-bit
constants corresponding to endbr64 gadgets.

Should CONFIG_X86_KERNEL_IBT be included in this evaluation to fully cover
the protections mentioned in the commit message?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260710191932.120911-2-jmill@asu.edu?part=1

  reply	other threads:[~2026-07-10 19:30 UTC|newest]

Thread overview: 4+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-10 19:19 [RFC PATCH bpf-next v1 0/1] Enable BPF JIT hardening by default when x86_64 CFI is enabled Jennifer Miller
2026-07-10 19:19 ` [RFC PATCH bpf-next v1 1/1] bpf: Enable " Jennifer Miller
2026-07-10 19:30   ` sashiko-bot [this message]
2026-07-12  6:22   ` bot+bpf-ci

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260710193004.1E9BA1F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=jmill@asu.edu \
    --cc=sashiko-reviews@lists.linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox