sysctl: setting key "net.core.bpf_jit_enable": Invalid argument

sysctl: setting key "net.core.bpf_jit_enable": Invalid argument

[Paul Menzel]

Dear Linux folks,


Related to * [CVE-2021-29154] Linux kernel incorrect computation of 
branch displacements in BPF JIT compiler can be abused to execute 
arbitrary code in Kernel mode* [1], on the POWER8 system IBM S822LC with 
self-built Linux 5.12.0-rc5+, I am unable to disable `bpf_jit_enable`.

     $ /sbin/sysctl net.core.bpf_jit_enable
     net.core.bpf_jit_enable = 1
     $ sudo /sbin/sysctl -w net.core.bpf_jit_enable=0
     sysctl: setting key "net.core.bpf_jit_enable": Invalid argument

It works on an x86 with Debian sid/unstable and Linux 5.10.26-1.


Kind regards,

Paul


[1]: https://seclists.org/oss-sec/2021/q2/12

Re: sysctl: setting key "net.core.bpf_jit_enable": Invalid argument

[Christophe Leroy]

Le 11/04/2021 à 13:09, Paul Menzel a écrit :
> Dear Linux folks,
> 
> 
> Related to * [CVE-2021-29154] Linux kernel incorrect computation of branch displacements in BPF JIT 
> compiler can be abused to execute arbitrary code in Kernel mode* [1], on the POWER8 system IBM 
> S822LC with self-built Linux 5.12.0-rc5+, I am unable to disable `bpf_jit_enable`.
> 
>     $ /sbin/sysctl net.core.bpf_jit_enable
>     net.core.bpf_jit_enable = 1
>     $ sudo /sbin/sysctl -w net.core.bpf_jit_enable=0
>     sysctl: setting key "net.core.bpf_jit_enable": Invalid argument
> 
> It works on an x86 with Debian sid/unstable and Linux 5.10.26-1.

Maybe you have selected CONFIG_BPF_JIT_ALWAYS_ON in your self-built kernel ?

config BPF_JIT_ALWAYS_ON
	bool "Permanently enable BPF JIT and remove BPF interpreter"
	depends on BPF_SYSCALL && HAVE_EBPF_JIT && BPF_JIT
	help
	  Enables BPF JIT and removes BPF interpreter to avoid
	  speculative execution of BPF instructions by the interpreter


Christophe

Re: sysctl: setting key "net.core.bpf_jit_enable": Invalid argument

[Paul Menzel]

Dear Christophe,


Am 11.04.21 um 18:23 schrieb Christophe Leroy:

> Le 11/04/2021 à 13:09, Paul Menzel a écrit :

>> Related to * [CVE-2021-29154] Linux kernel incorrect computation of 
>> branch displacements in BPF JIT compiler can be abused to execute 
>> arbitrary code in Kernel mode* [1], on the POWER8 system IBM S822LC 
>> with self-built Linux 5.12.0-rc5+, I am unable to disable 
>> `bpf_jit_enable`.
>>
>>     $ /sbin/sysctl net.core.bpf_jit_enable
>>     net.core.bpf_jit_enable = 1
>>     $ sudo /sbin/sysctl -w net.core.bpf_jit_enable=0
>>     sysctl: setting key "net.core.bpf_jit_enable": Invalid argument
>>
>> It works on an x86 with Debian sid/unstable and Linux 5.10.26-1.
> 
> Maybe you have selected CONFIG_BPF_JIT_ALWAYS_ON in your self-built 
> kernel ?
> 
> config BPF_JIT_ALWAYS_ON
>      bool "Permanently enable BPF JIT and remove BPF interpreter"
>      depends on BPF_SYSCALL && HAVE_EBPF_JIT && BPF_JIT
>      help
>        Enables BPF JIT and removes BPF interpreter to avoid
>        speculative execution of BPF instructions by the interpreter

Thank you. Indeed. In contrast to Debian, Ubuntu’s Linux configuration 
selects that option, and I copied that.

     $ grep _BPF_JIT /boot/config-5.8.0-49-generic
     /boot/config-5.8.0-49-generic:CONFIG_BPF_JIT_ALWAYS_ON=y
     /boot/config-5.8.0-49-generic:CONFIG_BPF_JIT_DEFAULT_ON=y
     /boot/config-5.8.0-49-generic:CONFIG_BPF_JIT=y

I wonder, if there is a way to better integrate that option into 
`/proc/sys`, so it’s clear, that it’s always enabled.


Kind regards,

Paul