Date: Tue, 16 Jan 2024 18:08:36 +0100
From: Greg KH
To: liboti
Cc: ast@kernel.org, shenwenbo@zju.edu.cn, stable@vger.kernel.org
Subject: Re: [PATCH] kernel: fix insecure config of eBPF generated by Kconfig
Message-ID: <2024011625-hula-tag-b94d@gregkh>
References: <20240116153414.14230-1-hoshimi10mang@163.com>
In-Reply-To: <20240116153414.14230-1-hoshimi10mang@163.com>

On Tue, Jan 16, 2024 at 11:34:14PM +0800, liboti wrote:
> In stable linux (4.19~5.15), if "CONFIG_BPF_SYSCALL=y" is set,
> the .config generated by Kconfig does not set
> "CONFIG_BPF_JIT_ALWAYS_ON" and "CONFIG_BPF_UNPRIV_DEFAULT_OFF".
> If the kernel is compiled with such .config, a normal user
> without any capabilities at all can load eBPF programs
> (SOCKET_FILTER type), and use the interpreter.
>
> Due to the threat of side-channel attacks and inextirpable
> mistakes in the verifier, this is considered insecure.
> We have reported this issue to maintainers of architectures.
> RISCV and s390 maintainers have confirmed and advised us to
> patch the Kconfig so that all architectures can be fixed.
> So this patch adds "default y" to these config entries.
>
> On the other hand, we found that such configs facilitate kernel
> bug exploitation. Specifically, an attacker can leverage existing
> CVEs to corrupt the eBPF prog-array map, hijacking a bpf_prog pointer
> (ptrs[xx]) to point to a forged BPF program. In this way, arbitrary
> bytecode execution can be achieved; we have proved this concept with
> various CVEs (e.g. CVE-2018-18445). Such an attack enhances the
> exploitability of CVEs, and is more dangerous than side-channel
> threats.
>
> Signed-off-by: liboti
> ---
>  kernel/bpf/Kconfig | 91 ++++++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 91 insertions(+)
>  create mode 100644 kernel/bpf/Kconfig

This is not the correct way to submit patches for inclusion in the
stable kernel tree.  Please read:
    https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html
for how to do this properly.
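A small audit script for the two Kconfig options the thread is about, added here as an example; it is not part of the submitted patch or of any kernel tree. The function name and the two sample .config files are constructed for the demonstration; on a real host you would point it at /boot/config-$(uname -r) or a decompressed /proc/config.gz.

```sh
#!/bin/sh
# Check a kernel .config for the eBPF hardening options discussed above.
# CONFIG_BPF_JIT_ALWAYS_ON=y compiles the interpreter out, so loaded programs
# only ever run as JIT output; CONFIG_BPF_UNPRIV_DEFAULT_OFF=y makes the
# kernel.unprivileged_bpf_disabled sysctl default to "disabled".
# Returns 0 when both are set (or bpf() is absent), 1 when either is missing.
check_bpf_config() {
    cfg="$1"
    status=0
    if ! grep -q '^CONFIG_BPF_SYSCALL=y' "$cfg"; then
        echo "info: CONFIG_BPF_SYSCALL not set; bpf() syscall unavailable"
        return 0
    fi
    if grep -q '^CONFIG_BPF_JIT_ALWAYS_ON=y' "$cfg"; then
        echo "ok:   CONFIG_BPF_JIT_ALWAYS_ON=y (interpreter compiled out)"
    else
        echo "warn: CONFIG_BPF_JIT_ALWAYS_ON unset; programs can run in the interpreter"
        status=1
    fi
    if grep -q '^CONFIG_BPF_UNPRIV_DEFAULT_OFF=y' "$cfg"; then
        echo "ok:   CONFIG_BPF_UNPRIV_DEFAULT_OFF=y (unprivileged bpf() off by default)"
    else
        echo "warn: CONFIG_BPF_UNPRIV_DEFAULT_OFF unset; unprivileged bpf() allowed unless sysctl changed"
        status=1
    fi
    return $status
}

# Constructed sample configs: the shape the report describes, and a hardened one.
WEAK_CFG=$(mktemp)
printf '%s\n' 'CONFIG_BPF=y' 'CONFIG_BPF_SYSCALL=y' \
    '# CONFIG_BPF_JIT_ALWAYS_ON is not set' \
    '# CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set' > "$WEAK_CFG"
HARD_CFG=$(mktemp)
printf '%s\n' 'CONFIG_BPF=y' 'CONFIG_BPF_SYSCALL=y' 'CONFIG_BPF_JIT=y' \
    'CONFIG_BPF_JIT_ALWAYS_ON=y' 'CONFIG_BPF_UNPRIV_DEFAULT_OFF=y' > "$HARD_CFG"

echo "== weak config =="
check_bpf_config "$WEAK_CFG" || echo "result: NOT hardened"
echo "== hardened config =="
check_bpf_config "$HARD_CFG" && echo "result: hardened"
# Live check on a running kernel (Linux only):
#   check_bpf_config "/boot/config-$(uname -r)"
#   sysctl -n kernel.unprivileged_bpf_disabled   # 1 or 2 means disabled
```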