On Tue, Nov 21, 2023 at 05:41:07PM -0800, Alexei Starovoitov wrote: > On Mon, Nov 20, 2023 at 03:46:42PM +0100, Peter Zijlstra wrote: > > Hi! > > > > There's a problem with FineIBT and eBPF using __nocfi when > > CONFIG_BPF_JIT_ALWAYS_ON=n, in which case the __nocfi indirect call can target > > a normal function like __bpf_prog_run32(). > > The lack (or partially broken) cfi in the kernel built with > CONFIG_BPF_JIT_ALWAYS_ON=n is probably the last of people security concerns. > We introduced CONFIG_BPF_JIT_ALWAYS_ON=y to remove the interpreter, > since mere presence of _any_ interpreter in the kernel (bpf and any other) > is an attack vector. As it was demonstrated during spectre days an interpreter > sitting in executable part of vmlinux .text tremendously helps to craft > a speculative execution exploit. Oh, no argument there. I always have JIT_ALWAYS_ON=y (when I have BPF at all) which is why it took me so long to actually trip over this. This was a test script systematically build/boot a bunch of configs and going unexpectedly *splat*. But it was a good excuse to spend time fixing it.
