Message-ID: <ce484a55ffa709dcfcacd631213b3b1ff1938c7a.camel@gmail.com>
Date: Wed, 31 Dec 2025 14:35:35 -0800
From: Eduard Zingerman <eddyz87@...il.com>
To: Xu Kuohai <xukuohai@...weicloud.com>, bpf@...r.kernel.org,
	linux-kernel@...r.kernel.org
Cc: Alexei Starovoitov <ast@...nel.org>, Daniel Borkmann <daniel@...earbox.net>,
	Andrii Nakryiko <andrii@...nel.org>, Martin KaFai Lau <martin.lau@...ux.dev>,
	Yonghong Song <yonghong.song@...ux.dev>, Puranjay Mohan <puranjay@...nel.org>,
	Anton Protopopov <a.s.protopopov@...il.com>, Catalin Marinas <catalin.marinas@....com>,
	Will Deacon <will@...nel.org>
Subject: Re: [PATCH bpf-next v3] bpf: arm64: Fix panic due to missing BTI at
 indirect jump targets

On Sat, 2025-12-27 at 16:10 +0800, Xu Kuohai wrote:
> From: Xu Kuohai <xukuohai@...wei.com>
> 
> When BTI is enabled, the indirect jump selftest triggers a BTI exception:
> 
> Internal error: Oops - BTI: 0000000036000003 [#1]  SMP
> ...
> Call trace:
>  bpf_prog_2e5f1c71c13ac3e0_big_jump_table+0x54/0xf8 (P)
>  bpf_prog_run_pin_on_cpu+0x140/0x464
>  bpf_prog_test_run_syscall+0x274/0x3ac
>  bpf_prog_test_run+0x224/0x2b0
>  __sys_bpf+0x4cc/0x5c8
>  __arm64_sys_bpf+0x7c/0x94
>  invoke_syscall+0x78/0x20c
>  el0_svc_common+0x11c/0x1c0
>  do_el0_svc+0x48/0x58
>  el0_svc+0x54/0x19c
>  el0t_64_sync_handler+0x84/0x12c
>  el0t_64_sync+0x198/0x19c
> 
> This happens because no BTI instruction is generated by the JIT for
> indirect jump targets.
> 
> Fix it by emitting a BTI instruction for every possible indirect jump
> target when BTI is enabled. The targets are identified by traversing
> all instruction arrays of jump table type used by the BPF program,
> since indirect jump targets can only be read from instruction arrays
> of jump table type.
> 
> Fixes: f4a66cf1cb14 ("bpf: arm64: Add support for indirect jumps")
> Signed-off-by: Xu Kuohai <xukuohai@...wei.com>
> ---
> v3:
> - Get rid of unnecessary enum definition (Yonghong Song, Anton Protopopov)
> 
> v2: https://lore.kernel.org/bpf/20251223085447.139301-1-xukuohai@huaweicloud.com/
> - Exclude instruction arrays not used for indirect jumps (Anton Protopopov)
> 
> v1: https://lore.kernel.org/bpf/20251127140318.3944249-1-xukuohai@huaweicloud.com/
> ---

Hi Xu, Anton, Alexei,

Sorry, I'm a bit late to the discussion; I ignored this patch-set
because of the "arm64" tag.

What you are fixing here for arm64 will be an issue for x86 with CFI
as well, right?

If that is the case, I think that we should fix this in a "generic"
way from the start. What do you think about the following:
- add a field 'bool indirect_jmp_target' to 'struct bpf_insn_aux_data'
- set this field to true for each jump target inspected by
  verifier.c:check_indirect_jump()
- use this field in the JIT to decide whether to emit a BTI instruction.

Seems a bit simpler than what is discussed in this patch-set.
Wdyt?

[...]
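The mechanism under discussion, as an added userspace model that is not part of this thread or of the kernel patch: a per-instruction flag (standing in for the 'bool indirect_jmp_target' field proposed above) is set by a verifier-style pass from the jump tables that gotox instructions read, a JIT-style pass emits a BTI landing pad only where the flag is set, and a hardware-style check counts every indirect-branch target that lacks a landing pad, which is the BTI exception the patch fixes. It goes beyond the single-table selftest case: two gotox instructions with overlapping tables share one landing pad per distinct target, and a table no gotox reads gets none (the v2 exclusion). All names (mark_indirect_targets, jit_emit, count_bti_faults, the sample program) are constructed for this example, and the model simplifies the verifier by letting each gotox carry the index of the table its target register came from.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed userspace model, not kernel code: flag indirect jump targets
 * from jump tables, emit landing pads only there, then check every
 * indirect-branch target for a pad the way BTI hardware would. */

#define MAX_INSNS   16
#define MAX_TABLES  4
#define MAX_ENTRIES 8

enum op { OP_NOP, OP_GOTOX, OP_EXIT };

/* Simplification: a gotox carries the index of the jump table its target
 * register came from; the real verifier derives that from register state. */
struct insn { enum op op; int table; };
struct insn_aux { bool indirect_jmp_target; };   /* hypothetical aux field */
struct jump_table { int n; int target[MAX_ENTRIES]; };

struct prog {
    int len, ntables;
    struct insn insns[MAX_INSNS];
    struct insn_aux aux[MAX_INSNS];
    struct jump_table tables[MAX_TABLES];
};

/* Verifier-style pass: every entry of every table a gotox reads is an
 * indirect jump target; tables no gotox reads contribute nothing.
 * Returns -1 on a bad table index or an out-of-range target. */
static int mark_indirect_targets(struct prog *p)
{
    for (int i = 0; i < p->len; i++) {
        const struct jump_table *t;
        if (p->insns[i].op != OP_GOTOX)
            continue;
        if (p->insns[i].table < 0 || p->insns[i].table >= p->ntables)
            return -1;
        t = &p->tables[p->insns[i].table];
        for (int k = 0; k < t->n; k++) {
            if (t->target[k] < 0 || t->target[k] >= p->len)
                return -1;
            p->aux[t->target[k]].indirect_jmp_target = true;
        }
    }
    return 0;
}

/* Emitted "machine" stream. On arm64 a BR must land on BTI J (or BTI JC);
 * M_BTI_J stands in for that landing pad. */
enum mop { M_BTI_J, M_BODY, M_BR, M_RET };
struct jit { int n; enum mop code[MAX_INSNS * 2]; int offset[MAX_INSNS]; };

/* JIT-style pass; emit_pads=false reproduces the original bug. */
static void jit_emit(const struct prog *p, bool emit_pads, struct jit *j)
{
    j->n = 0;
    for (int i = 0; i < p->len; i++) {
        j->offset[i] = j->n;                  /* where this insn starts */
        if (emit_pads && p->aux[i].indirect_jmp_target)
            j->code[j->n++] = M_BTI_J;
        j->code[j->n++] = p->insns[i].op == OP_GOTOX ? M_BR
                        : p->insns[i].op == OP_EXIT  ? M_RET : M_BODY;
    }
}

/* Hardware-style check: each indirect-branch target that does not start
 * with a landing pad would raise a BTI exception at run time. */
static int count_bti_faults(const struct prog *p, const struct jit *j)
{
    int faults = 0;
    for (int i = 0; i < p->len; i++) {
        const struct jump_table *t;
        if (p->insns[i].op != OP_GOTOX)
            continue;
        t = &p->tables[p->insns[i].table];
        for (int k = 0; k < t->n; k++)
            faults += j->code[j->offset[t->target[k]]] != M_BTI_J;
    }
    return faults;
}

/* Constructed sample: two gotox with overlapping tables plus a table no
 * gotox reads. Distinct indirect targets: insns 2, 3, 4 and 6. */
static struct prog sample_prog(void)
{
    struct prog p;
    memset(&p, 0, sizeof(p));
    p.len = 7;
    p.ntables = 3;
    p.insns[0] = (struct insn){ OP_GOTOX, 0 };
    p.insns[4] = (struct insn){ OP_GOTOX, 1 };      /* a target that is itself a gotox */
    p.insns[6] = (struct insn){ OP_EXIT, -1 };
    p.tables[0] = (struct jump_table){ 3, { 2, 3, 4 } };
    p.tables[1] = (struct jump_table){ 2, { 2, 6 } };
    p.tables[2] = (struct jump_table){ 2, { 1, 5 } };   /* never read by a gotox */
    return p;
}

/* Faults the sample raises: 0 with pads, one per table entry without;
 * -1 if the verifier-style pass rejects the program. */
static int sample_faults(bool emit_pads)
{
    struct prog p = sample_prog();
    struct jit j;
    if (mark_indirect_targets(&p) != 0)
        return -1;
    jit_emit(&p, emit_pads, &j);
    return count_bti_faults(&p, &j);
}

/* Landing pads emitted for the sample: one per distinct target, so an
 * insn reached from two tables gets a single pad. */
static int sample_landing_pads(void)
{
    struct prog p = sample_prog();
    struct jit j;
    int pads = 0;
    if (mark_indirect_targets(&p) != 0)
        return -1;
    jit_emit(&p, true, &j);
    for (int i = 0; i < j.n; i++)
        pads += j.code[i] == M_BTI_J;
    return pads;
}

/* True if an insn listed only in the unread table was wrongly flagged. */
static bool sample_unused_table_marked(void)
{
    struct prog p = sample_prog();
    if (mark_indirect_targets(&p) != 0)
        return true;
    return p.aux[1].indirect_jmp_target || p.aux[5].indirect_jmp_target;
}

int main(void)
{
    printf("faults without pads:  %d\n", sample_faults(false));
    printf("faults with pads:     %d\n", sample_faults(true));
    printf("landing pads emitted: %d\n", sample_landing_pads());
    printf("unread table flagged: %d\n", sample_unused_table_marked());
    return 0;
}
```

The flag is set per instruction rather than per table entry, so a target reachable from several tables gets exactly one pad, and the out-of-range checks in mark_indirect_targets model the verifier rejecting a program before the JIT ever sees it.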
