Dear Christophe,
On 11.04.21 at 18:23, Christophe Leroy wrote:
> On 11/04/2021 at 13:09, Paul Menzel wrote:
>> Related to *[CVE-2021-29154] Linux kernel incorrect computation of
>> branch displacements in BPF JIT compiler can be abused to execute
>> arbitrary code in Kernel mode* [1], on the POWER8 system IBM S822LC
>> with self-built Linux 5.12.0-rc5+, I am unable to disable
>> `bpf_jit_enable`.
>>
>>     $ /sbin/sysctl net.core.bpf_jit_enable
>>     net.core.bpf_jit_enable = 1
>>     $ sudo /sbin/sysctl -w net.core.bpf_jit_enable=0
>>     sysctl: setting key "net.core.bpf_jit_enable": Invalid argument
>>
>> It works on an x86 with Debian sid/unstable and Linux 5.10.26-1.
>
> Maybe you have selected CONFIG_BPF_JIT_ALWAYS_ON in your self-built
> kernel ?
>
> config BPF_JIT_ALWAYS_ON
>     bool "Permanently enable BPF JIT and remove BPF interpreter"
>     depends on BPF_SYSCALL && HAVE_EBPF_JIT && BPF_JIT
>     help
>       Enables BPF JIT and removes BPF interpreter to avoid
>       speculative execution of BPF instructions by the interpreter

Thank you. Indeed. In contrast to Debian, Ubuntu’s Linux configuration
selects that option, and I copied that.
$ grep _BPF_JIT /boot/config-5.8.0-49-generic
/boot/config-5.8.0-49-generic:CONFIG_BPF_JIT_ALWAYS_ON=y
/boot/config-5.8.0-49-generic:CONFIG_BPF_JIT_DEFAULT_ON=y
/boot/config-5.8.0-49-generic:CONFIG_BPF_JIT=y
I wonder if there is a way to better integrate that option into
`/proc/sys`, so it’s clear that it’s always enabled.
Kind regards,
Paul
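
Added example, not part of the original message or of the kernel sources: a shell check that classifies a kernel build config by the three BPF JIT options quoted above, so a rejected write to net.core.bpf_jit_enable can be traced to CONFIG_BPF_JIT_ALWAYS_ON. The function names and the constructed sample file are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# bpf_jit_config_state FILE -> always-on | default-on | default-off | no-jit | unknown
# FILE is a kernel build config (e.g. /boot/config-$(uname -r)); *.gz is decompressed.
bpf_jit_config_state() {
    cfg=$1
    [ -r "$cfg" ] || { echo unknown; return 1; }
    case $cfg in
        *.gz) reader="gzip -dc" ;;
        *)    reader="cat" ;;
    esac
    # Only "=y" lines count; "# CONFIG_... is not set" lines are ignored.
    opts=$($reader "$cfg" |
        grep -E '^CONFIG_BPF_JIT(_ALWAYS_ON|_DEFAULT_ON)?=y$' || true)
    case $opts in
        *CONFIG_BPF_JIT_ALWAYS_ON=y*)  echo always-on ;;
        *CONFIG_BPF_JIT_DEFAULT_ON=y*) echo default-on ;;
        *CONFIG_BPF_JIT=y*)            echo default-off ;;
        *)                             echo no-jit ;;
    esac
}

# bpf_jit_report CONFIG [SYSCTL_FILE]: one-line explanation for an operator.
bpf_jit_report() {
    state=$(bpf_jit_config_state "$1") || true
    live=$(cat "${2:-/proc/sys/net/core/bpf_jit_enable}" 2>/dev/null) || live='?'
    case $state in
        always-on) echo "bpf_jit_enable=$live, fixed at build time (CONFIG_BPF_JIT_ALWAYS_ON=y)" ;;
        default-on|default-off) echo "bpf_jit_enable=$live, changeable at run time ($state)" ;;
        no-jit) echo "bpf_jit_enable=$live, no BPF JIT options set to y in $1" ;;
        *) echo "cannot read $1" ;;
    esac
}

# Constructed sample input mirroring the three options quoted in the thread.
sample=$(mktemp)
printf '%s\n' 'CONFIG_BPF_JIT_ALWAYS_ON=y' 'CONFIG_BPF_JIT_DEFAULT_ON=y' \
    'CONFIG_BPF_JIT=y' > "$sample"
bpf_jit_report "$sample"
rm -f "$sample"
```

On a live system, call `bpf_jit_report "/boot/config-$(uname -r)"`; the second argument exists only so the sysctl value can be supplied from a file when testing offline.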