On Tue, Jan 16, 2024 at 11:34:14PM +0800, liboti wrote:
> In stable linux (4.19~5.15), if “CONFIG_BPF_SYSCALL=y” is set, the .config generated by Kconfig does not set “CONFIG_BPF_JIT_ALWAYS_ON” and “CONFIG_BPF_UNPRIV_DEFAULT_OFF”. If the kernel is compiled with such a .config, a normal user without any capabilities at all can load eBPF programs (SOCKET_FILTER type), which use the interpreter. Due to the threat of side-channel attacks and inextirpable mistakes in the verifier, this is considered insecure. We have reported this issue to maintainers of architectures. RISCV and s390 maintainers have confirmed and advised us to patch the Kconfig so that all architectures can be fixed. So this patch adds "default y" to these config entries.
>
> On the other hand, we found that such configs facilitate kernel bug exploitation. Specifically, an attacker can leverage existing CVEs to corrupt an eBPF prog-array map, hijacking a bpf_prog pointer (ptrs[xx]) to point to a forged BPF program. In this way, arbitrary bytecode execution can be achieved; we have proved this concept with various CVEs (e.g. CVE-2018-18445). Such an attack enhances the exploitability of CVEs, and is more dangerous than side-channel threats.
>
> Signed-off-by: liboti <hoshimi10mang@163.com>
>
>  kernel/bpf/Kconfig | 91 ++++++++++++++++++++++++++++++++++++++++++++++
>  1 file changed, 91 insertions(+)
>  create mode 100644 kernel/bpf/Kconfig
<formletter>
This is not the correct way to submit patches for inclusion in the stable kernel tree. Please read: https://www.kernel.org/doc/html/latest/process/stable-kernel-rules.html for how to do this properly.
</formletter>
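For anyone who wants to verify whether a given kernel build is in the state the quoted message describes, the following POSIX sh script is an added example, not part of this thread or of the submitted patch. It audits a plain-text kernel .config for CONFIG_BPF_SYSCALL, CONFIG_BPF_JIT_ALWAYS_ON and CONFIG_BPF_UNPRIV_DEFAULT_OFF, treats a build without the BPF syscall as having nothing to check, and also reads the runtime sysctls that back those options when the host exposes them. The sample configs it generates are constructed for illustration; the only assumptions are a POSIX shell and `grep`/`mktemp`.

```shell
#!/bin/sh
# Added example (not from the thread): audit a kernel .config for the BPF
# hardening options discussed above. For a running kernel, first do
#   zcat /proc/config.gz > /tmp/config && audit_bpf_config /tmp/config

# audit_bpf_config FILE
#   returns 0 when bpf() is compiled out, or both hardening options are =y
#   returns 1 when CONFIG_BPF_SYSCALL=y but at least one option is missing
audit_bpf_config() {
    cfg="$1"
    if ! grep -q '^CONFIG_BPF_SYSCALL=y$' "$cfg"; then
        echo "INFO: CONFIG_BPF_SYSCALL not enabled; bpf() unavailable, nothing to check"
        return 0
    fi
    rc=0
    for opt in CONFIG_BPF_JIT_ALWAYS_ON CONFIG_BPF_UNPRIV_DEFAULT_OFF; do
        if grep -q "^${opt}=y$" "$cfg"; then
            echo "OK:   ${opt}=y"
        else
            echo "WARN: ${opt} is not set"
            rc=1
        fi
    done
    return "$rc"
}

# make_sample_config FILE MODE  (MODE is "weak" or "hardened")
# Writes a constructed, minimal .config fragment of the kind the message describes.
make_sample_config() {
    out="$1"
    mode="$2"
    {
        echo 'CONFIG_BPF=y'
        echo 'CONFIG_BPF_SYSCALL=y'
        echo 'CONFIG_BPF_JIT=y'
        if [ "$mode" = hardened ]; then
            echo 'CONFIG_BPF_JIT_ALWAYS_ON=y'
            echo 'CONFIG_BPF_UNPRIV_DEFAULT_OFF=y'
        else
            echo '# CONFIG_BPF_JIT_ALWAYS_ON is not set'
            echo '# CONFIG_BPF_UNPRIV_DEFAULT_OFF is not set'
        fi
    } > "$out"
}

# check_live_bpf_sysctls: print the runtime knobs behind these options, if readable.
# kernel.unprivileged_bpf_disabled: 0 = unprivileged bpf() allowed,
#                                   1 = disabled and locked, 2 = disabled but re-enableable
# net.core.bpf_jit_enable:          0 = interpreter, 1 = JIT, 2 = JIT with debug output
check_live_bpf_sysctls() {
    for f in kernel/unprivileged_bpf_disabled net/core/bpf_jit_enable; do
        if [ -r "/proc/sys/$f" ]; then
            echo "$f = $(cat "/proc/sys/$f")"
        else
            echo "$f: not readable on this host"
        fi
    done
}

# Demonstration on the two constructed samples.
tmp=$(mktemp)
make_sample_config "$tmp" weak
audit_bpf_config "$tmp" || echo "==> 'weak' sample fails the audit (expected)"
make_sample_config "$tmp" hardened
audit_bpf_config "$tmp" && echo "==> 'hardened' sample passes"
rm -f "$tmp"
check_live_bpf_sysctls
```

The .config check is the build-time view; the sysctl check is the runtime view, since a distribution may ship a kernel without CONFIG_BPF_UNPRIV_DEFAULT_OFF yet set `kernel.unprivileged_bpf_disabled=1` at boot, which closes the same door.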