Re: [PATCH] kernel: fix insecure config of eBPF generated by Kconfig

[Greg KH <gregkh@linuxfoundation.org>]

On Tue, Jan 16, 2024 at 11:34:14PM +0800, liboti wrote:
> In stable linux (4.19~5.15), if “CONFIG_BPF_SYSCALL=y” is set，
> the .config generated by Kconfig does not set
> “CONFIG_BPF_JIT_ALWAYS_ON” and “CONFIG_BPF_UNPRIV_DEFAULT_OFF”.
>  If the kernel is compiled with such .config, a normal user
>  without any capabilities at all can load eBPF programs
>  (SOCKET_FILTER type), and uses the interpreter.
> Due to the threat of side-channel attacks and inextirpable
> mistakes in the verifier, this is considered insecure.
>  We have report this issue to maintainers of architectures.
>  RISCV and s390 maintainers have confirmed and advise us to
> patch the Kconfig so that all architectures can be fixed.
> So this patch add "default y" to these config entries.
> 
> On the other hand, we found that such configs facilitate kernel
> bug exploitation. Specifically, an attacker can leverage existing
> CVEs to corrupt eBPF prog-array map, hijacking a bpf_prog pointer
> (ptrs[xx]) to point to a forged BPF program. In this way, arbitrary
> bytecode execution can be achieved, we have proved this concept with
> various CVEs(e.g. CVE-2018-18445). Such an attack enhances the
> exploitability of CVEs, and is more dangerous than side-channel
> threats.
> 
> Signed-off-by: liboti <hoshimi10mang@163.com>
> ---
>  kernel/bpf/Kconfig | 91 ++++++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 91 insertions(+)
>  create mode 100644 kernel/bpf/Kconfig

<formletter>

This is not the correct way to submit patches for inclusion in the
stable kernel tree.  Please read:
    https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html
for how to do this properly.

</formletter>