News: 0001644455

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Linux 7.2-rc2 BPF Code Being Hardened Against JIT Spraying Attacks

([Linux Kernel] 5 Hours Ago BPF JIT Spraying Attacks)


Some post-merge-window code changes merged overnight ahead of Linux 7.2-rc2 this weekend is hardening the kernel's BPF code against JIT spraying attacks.

A bit peculiar coming post-merge-window and not clear if motivated by recent security discoveries, but the Linux kernel's BPF code is now seeing hardening to held fend off JIT spraying attacks. At the same time, surprising the Linux BPF code wasn't already hardened against JIT spraying attacks.

Intel engineer Pawan Gupta landed [1]this patch to support hardening BPF against JIT spraying:

"The BPF JIT allocator packs many small programs into larger executable allocations and reuses space within those allocations as programs are loaded and freed. When fresh code is written into space that a previous program occupied, an indirect jump into the new program can reuse a branch prediction left behind by the old one.

Flush the indirect branch predictors before reusing JIT memory so that indirect jumps into a newly written program don't reuse predictions from an old program that occupied the same space.

Introduce bpf_arch_pred_flush_enabled static key and bpf_arch_pred_flush static call for flushing the branch predictors on JIT memory reuse. Architectures that need a flush, can update it to a predictor flush function. By default, its a NOP and does not emit any CALL.

Allocations larger than a pack are not covered by this flush. That is safe because cBPF programs (the unprivileged attack surface) are bounded well below a pack size. Issue a warning if this assumption is ever violated while the flush is active."

Beyond that is [2]another partch also by Intel's Pawan Gupta to enable Indirect Branch Predictor Barrier (IBPB) flushes on BPF JIT allocations:

"Enable hardening against JIT spraying when Spectre-v2 mitigations are in use. Specifically, issue an IBPB flush on BPF JIT memory reuse. Skip enabling the IBPB flush if the BPF dispatcher is already using a retpoline sequence.

This hardening applies only when BPF-JIT is in use. Guard the enabling under CONFIG_BPF_JIT so that bugs.c still builds with CONFIG_BPF_JIT=n."

This BPF JIT hardening work is now merged to Linux Git and will be part of the Linux 7.2-rc2 release on Sunday.



[1] https://github.com/torvalds/linux/commit/96cce16e26dd02a8678f1e87f88a4b5cdb63b995

[2] https://github.com/torvalds/linux/commit/a3af84b0fa00ead01fcd0e28b5d773ff25990a0d



The time spent on any item of the agenda [of a finance committee] will be
in inverse proportion to the sum involved.
-- C. N. Parkinson