From: Greg KH <greg@kroah.com>
To: liboti <hoshimi10mang@163.com>
Cc: ast@kernel.org, shenwenbo@zju.edu.cn, stable@vger.kernel.org
Subject: Re: [PATCH] kernel: fix insecure config of eBPF generated by Kconfig
Date: Tue, 16 Jan 2024 18:08:47 +0100 [thread overview]
Message-ID: <2024011638-crowbar-satirical-b02e@gregkh> (raw)
In-Reply-To: <20240116153414.14230-1-hoshimi10mang@163.com>
On Tue, Jan 16, 2024 at 11:34:14PM +0800, liboti wrote:
> In stable linux (4.19~5.15), if “CONFIG_BPF_SYSCALL=y” is set,
> the .config generated by Kconfig does not set
> “CONFIG_BPF_JIT_ALWAYS_ON” and “CONFIG_BPF_UNPRIV_DEFAULT_OFF”.
> If the kernel is compiled with such .config, a normal user
> without any capabilities at all can load eBPF programs
> (SOCKET_FILTER type), and uses the interpreter.
> Due to the threat of side-channel attacks and inextirpable
> mistakes in the verifier, this is considered insecure.
> We have report this issue to maintainers of architectures.
> RISCV and s390 maintainers have confirmed and advise us to
> patch the Kconfig so that all architectures can be fixed.
> So this patch add "default y" to these config entries.
>
> On the other hand, we found that such configs facilitate kernel
> bug exploitation. Specifically, an attacker can leverage existing
> CVEs to corrupt eBPF prog-array map, hijacking a bpf_prog pointer
> (ptrs[xx]) to point to a forged BPF program. In this way, arbitrary
> bytecode execution can be achieved, we have proved this concept with
> various CVEs(e.g. CVE-2018-18445). Such an attack enhances the
> exploitability of CVEs, and is more dangerous than side-channel
> threats.
>
> Signed-off-by: liboti <hoshimi10mang@163.com>
> ---
> kernel/bpf/Kconfig | 91 ++++++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 91 insertions(+)
> create mode 100644 kernel/bpf/Kconfig
I don't think you tested this :(
prev parent reply other threads:[~2024-01-16 17:08 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-16 15:34 [PATCH] kernel: fix insecure config of eBPF generated by Kconfig liboti
2024-01-16 17:08 ` Greg KH
2024-01-16 17:08 ` Greg KH [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2024011638-crowbar-satirical-b02e@gregkh \
--to=greg@kroah.com \
--cc=ast@kernel.org \
--cc=hoshimi10mang@163.com \
--cc=shenwenbo@zju.edu.cn \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox