Skip to content
  • Alexei Starovoitov's avatar
    bpf: introduce BPF_JIT_ALWAYS_ON config · a3d6dd6a
    Alexei Starovoitov authored
    [ upstream commit 290af866 ]
    
    The BPF interpreter has been used as part of the spectre 2 attack CVE-2017-5715.
    
    A quote from goolge project zero blog:
    "At this point, it would normally be necessary to locate gadgets in
    the host kernel code that can be used to actually leak data by reading
    from an attacker-controlled location, shifting and masking the result
    appropriately and then using the result of that as offset to an
    attacker-controlled address for a load. But piecing gadgets together
    and figuring out which ones work in a speculation context seems annoying.
    So instead, we decided to use the eBPF interpreter, which is built into
    the host kernel - while there is no legitimate way to invoke it from inside
    a VM, the presence of the code in the host kernel's text section is sufficient
    to make it usable for the attack, just like with ordinary ROP gadgets."
    
    To make attacker job harder introduce BPF_JIT_ALWAYS_ON config
    option that remove...
    a3d6dd6a