* sysctl: setting key "net.core.bpf_jit_enable": Invalid argument
@ 2021-04-11 11:09 Paul Menzel
2021-04-11 16:23 ` Christophe Leroy
0 siblings, 1 reply; 3+ messages in thread
From: Paul Menzel @ 2021-04-11 11:09 UTC (permalink / raw)
To: Naveen N. Rao, Sandipan Das; +Cc: netdev, bpf, linuxppc-dev, it+linux-bpf
Dear Linux folks,
Related to * [CVE-2021-29154] Linux kernel incorrect computation of
branch displacements in BPF JIT compiler can be abused to execute
arbitrary code in Kernel mode* [1], on the POWER8 system IBM S822LC with
self-built Linux 5.12.0-rc5+, I am unable to disable `bpf_jit_enable`.
$ /sbin/sysctl net.core.bpf_jit_enable
net.core.bpf_jit_enable = 1
$ sudo /sbin/sysctl -w net.core.bpf_jit_enable=0
sysctl: setting key "net.core.bpf_jit_enable": Invalid argument
It works on an x86 with Debian sid/unstable and Linux 5.10.26-1.
Kind regards,
Paul
[1]: https://seclists.org/oss-sec/2021/q2/12
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: sysctl: setting key "net.core.bpf_jit_enable": Invalid argument
2021-04-11 11:09 sysctl: setting key "net.core.bpf_jit_enable": Invalid argument Paul Menzel
@ 2021-04-11 16:23 ` Christophe Leroy
2021-04-11 18:39 ` Paul Menzel
0 siblings, 1 reply; 3+ messages in thread
From: Christophe Leroy @ 2021-04-11 16:23 UTC (permalink / raw)
To: Paul Menzel, Naveen N. Rao, Sandipan Das
Cc: it+linux-bpf, netdev, bpf, linuxppc-dev
Le 11/04/2021 à 13:09, Paul Menzel a écrit :
> Dear Linux folks,
>
>
> Related to * [CVE-2021-29154] Linux kernel incorrect computation of branch displacements in BPF JIT
> compiler can be abused to execute arbitrary code in Kernel mode* [1], on the POWER8 system IBM
> S822LC with self-built Linux 5.12.0-rc5+, I am unable to disable `bpf_jit_enable`.
>
> $ /sbin/sysctl net.core.bpf_jit_enable
> net.core.bpf_jit_enable = 1
> $ sudo /sbin/sysctl -w net.core.bpf_jit_enable=0
> sysctl: setting key "net.core.bpf_jit_enable": Invalid argument
>
> It works on an x86 with Debian sid/unstable and Linux 5.10.26-1.
Maybe you have selected CONFIG_BPF_JIT_ALWAYS_ON in your self-built kernel ?
config BPF_JIT_ALWAYS_ON
bool "Permanently enable BPF JIT and remove BPF interpreter"
depends on BPF_SYSCALL && HAVE_EBPF_JIT && BPF_JIT
help
Enables BPF JIT and removes BPF interpreter to avoid
speculative execution of BPF instructions by the interpreter
Christophe
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: sysctl: setting key "net.core.bpf_jit_enable": Invalid argument
2021-04-11 16:23 ` Christophe Leroy
@ 2021-04-11 18:39 ` Paul Menzel
0 siblings, 0 replies; 3+ messages in thread
From: Paul Menzel @ 2021-04-11 18:39 UTC (permalink / raw)
To: Christophe Leroy, Naveen N. Rao, Sandipan Das
Cc: it+linux-bpf, netdev, bpf, linuxppc-dev
Dear Christophe,
Am 11.04.21 um 18:23 schrieb Christophe Leroy:
> Le 11/04/2021 à 13:09, Paul Menzel a écrit :
>> Related to * [CVE-2021-29154] Linux kernel incorrect computation of
>> branch displacements in BPF JIT compiler can be abused to execute
>> arbitrary code in Kernel mode* [1], on the POWER8 system IBM S822LC
>> with self-built Linux 5.12.0-rc5+, I am unable to disable
>> `bpf_jit_enable`.
>>
>> $ /sbin/sysctl net.core.bpf_jit_enable
>> net.core.bpf_jit_enable = 1
>> $ sudo /sbin/sysctl -w net.core.bpf_jit_enable=0
>> sysctl: setting key "net.core.bpf_jit_enable": Invalid argument
>>
>> It works on an x86 with Debian sid/unstable and Linux 5.10.26-1.
>
> Maybe you have selected CONFIG_BPF_JIT_ALWAYS_ON in your self-built
> kernel ?
>
> config BPF_JIT_ALWAYS_ON
> bool "Permanently enable BPF JIT and remove BPF interpreter"
> depends on BPF_SYSCALL && HAVE_EBPF_JIT && BPF_JIT
> help
> Enables BPF JIT and removes BPF interpreter to avoid
> speculative execution of BPF instructions by the interpreter
Thank you. Indeed. In contrast to Debian, Ubuntu’s Linux configuration
selects that option, and I copied that.
$ grep _BPF_JIT /boot/config-5.8.0-49-generic
/boot/config-5.8.0-49-generic:CONFIG_BPF_JIT_ALWAYS_ON=y
/boot/config-5.8.0-49-generic:CONFIG_BPF_JIT_DEFAULT_ON=y
/boot/config-5.8.0-49-generic:CONFIG_BPF_JIT=y
I wonder, if there is a way to better integrate that option into
`/proc/sys`, so it’s clear, that it’s always enabled.
Kind regards,
Paul
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-04-11 18:39 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-04-11 11:09 sysctl: setting key "net.core.bpf_jit_enable": Invalid argument Paul Menzel
2021-04-11 16:23 ` Christophe Leroy
2021-04-11 18:39 ` Paul Menzel
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).