On Thu, Apr 10, 2025 at 1:32 AM Lion Ackermann <nnamrec@xxxxxxxxx> wrote:
>
> It is well-known to be possible to abuse the eBPF JIT to construct
> gadgets for code re-use attacks. To hinder this, constant blinding was
> added in "bpf: add generic constant blinding for use in jits". This
> mitigation has one weakness though: It ignores jump instructions due to
> their correct offsets not being known when constant blinding is applied.
> This can be abused to construct "jump-chains" with crafted offsets so
> that certain desirable instructions are generated by the JIT compiler.
> F.e. two consecutive BPF_JMP | BPF_JA codes with an appropriate offset
> might generate the following jumps:
>
> ...
> 0xffffffffc000f822: jmp 0xffffffffc00108df
> 0xffffffffc000f827: jmp 0xffffffffc0010861
> ...
>
> If those are hit unaligned we can get two consecutive useful
> instructions:
>
> ...
> 0xffffffffc000f823: mov $0xe9000010,%eax
> 0xffffffffc000f828: xor $0xe9000010,%eax
> ...

Nack. This is not exploitable.
We're not going to complicate classic bpf because of theoretical concerns.

pw-bot: cr