On 4/11/25 5:20 PM, Alexei Starovoitov wrote:
> On Thu, Apr 10, 2025 at 11:24 PM Lion Ackermann <nnamrec@xxxxxxxxx> wrote:
>>
>> On 4/10/25 5:05 PM, Alexei Starovoitov wrote:
>>> On Thu, Apr 10, 2025 at 1:32 AM Lion Ackermann <nnamrec@xxxxxxxxx> wrote:
>>>>
>>>> It is well-known to be possible to abuse the eBPF JIT to construct
>>>> gadgets for code re-use attacks. To hinder this, constant blinding was
>>>> added in "bpf: add generic constant blinding for use in jits". This
>>>> mitigation has one weakness though: It ignores jump instructions due to
>>>> their correct offsets not being known when constant blinding is applied.
>>>> This can be abused to construct "jump-chains" with crafted offsets so
>>>> that certain desirable instructions are generated by the JIT compiler.
>>>> F.e. two consecutive BPF_JMP | BPF_JA codes with an appropriate offset
>>>> might generate the following jumps:
>>>>
>>>> ...
>>>> 0xffffffffc000f822: jmp 0xffffffffc00108df
>>>> 0xffffffffc000f827: jmp 0xffffffffc0010861
>>>> ...
>>>>
>>>> If those are hit unaligned we can get two consecutive useful
>>>> instructions:
>>>>
>>>> ...
>>>> 0xffffffffc000f823: mov $0xe9000010,%eax
>>>> 0xffffffffc000f828: xor $0xe9000010,%eax
>>>> ...
>>>
>>> Nack.
>>> This is not exploitable.
>>> We're not going to complicate classic bpf because of theoretical concerns.
>>>
>>> pw-bot: cr
>>
>> This is not a theoretical concern, it is actually very practical. Sorry
>> for not making this clearer. I would rather not share full payloads
>> publicly at this point, though.
>
> Do share.

I am not sure if sharing adds any particular value here. The mitigation
targets the 5-byte variant of the x86 jmp instruction as stated above. You
would only get more examples of the same instruction. Also note that the
mitigation does not prevent the 2-byte variant. Besides jumps, there are a
couple of other possible instructions that allow a 1-byte payload encoding,
so I did not bother.

> JIT spraying is nothing new.
> Blinding only made it harder.
> There are lots of usable gadgets without it as well.
> Turn off JIT completely and nothing changes from security pov.

True, the proposal only has an effect if blinding+jit is enabled. Otherwise
it's useless. If that is not good enough to add complexity to the cBPF code,
then I suppose we should take this back to the drawing board?

Thanks,
Lion