On 4/10/25 5:05 PM, Alexei Starovoitov wrote:
> On Thu, Apr 10, 2025 at 1:32 AM Lion Ackermann <nnamrec@xxxxxxxxx> wrote:
>>
>> It is well-known to be possible to abuse the eBPF JIT to construct
>> gadgets for code re-use attacks. To hinder this, constant blinding was
>> added in "bpf: add generic constant blinding for use in jits". This
>> mitigation has one weakness though: it ignores jump instructions due to
>> their correct offsets not being known when constant blinding is applied.
>> This can be abused to construct "jump-chains" with crafted offsets so
>> that certain desirable instructions are generated by the JIT compiler.
>> F.e. two consecutive BPF_JMP | BPF_JA codes with an appropriate offset
>> might generate the following jumps:
>>
>> ...
>> 0xffffffffc000f822: jmp 0xffffffffc00108df
>> 0xffffffffc000f827: jmp 0xffffffffc0010861
>> ...
>>
>> If those are hit unaligned we can get two consecutive useful
>> instructions:
>>
>> ...
>> 0xffffffffc000f823: mov $0xe9000010,%eax
>> 0xffffffffc000f828: xor $0xe9000010,%eax
>> ...
>
> Nack.
> This is not exploitable.
> We're not going to complicate classic bpf because of theoretical concerns.
>
> pw-bot: cr

This is not a theoretical concern, it is actually very practical. Sorry for
not making this clearer. I would rather not share full payloads publicly at
this point, though.

I understand that it is undesirable to complicate the code, but after some
initial discussion this seemed to be the least intrusive option. However, I
would appreciate suggestions for better solutions.

Thanks,
Lion