On Mon, Sep 16, 2024 at 03:50:04PM GMT, Maciej Żenczykowski wrote:
> On Mon, Sep 16, 2024 at 3:18 PM Maxwell Bland <mbland@xxxxxxxxxxxx> wrote:
> >
> > #define MODIFY_KERNEL_CODE \
> > 	do { \
> > 		fake_je = (struct jump_entry *)kallsyms_lookup_name_ind( \
> > 			"spectre_bhb_state"); \
> > 		attack_addr = kallsyms_lookup_name_ind("udp_recvmsg"); \
> > 		if (register_kprobe(&kp2)) { \
> > 			return -1; \
> > 		} \
> > 		arch_jump_label_transform = \
> > 			(arch_jump_label_transform_t)kp2.addr; \
> > 		fake_je->code = attack_addr - (unsigned long)&(fake_je->code); \
> > 		fake_je->target = stext - (unsigned long)&(fake_je->target); \
> > 		arch_jump_label_transform(fake_je, JUMP_LABEL_JMP); \
> > 		return 0; \
> > 	} while (0)
>
> That's not valid cBPF

It is not intended to be: see the Qualys exploit from my original message. People are not loading bad BPF; they are targeting BPF code pages for modification during the window between JIT and execution, using a write-gadget exploit, e.g. UAF + heap spray.

Also, I read through and responded to Andy's message on this thread just now. Andy had the really good idea that, rather than Android saying "use this seccomp->BPF compiler", the code page or BPF program comes with an "origin" tag, that is, something saying "this was generated by libminijail" or "bionic libc". That would work just as well, supposing that if I were to see a tag for something I did not know (likely one of these QCOM services), I could email someone at QCOM to get the compiler spec, hopefully.