Message-ID: <92cc8651-e802-4e66-90ee-313e70695be3@huaweicloud.com>
Date: Fri, 2 Jan 2026 17:22:52 +0800
From: Xu Kuohai <xukuohai@...weicloud.com>
To: Alexei Starovoitov <alexei.starovoitov@...il.com>,
Eduard Zingerman <eddyz87@...il.com>
Cc: bpf <bpf@...r.kernel.org>, LKML <linux-kernel@...r.kernel.org>,
Alexei Starovoitov <ast@...nel.org>, Daniel Borkmann <daniel@...earbox.net>,
Andrii Nakryiko <andrii@...nel.org>, Martin KaFai Lau
<martin.lau@...ux.dev>, Yonghong Song <yonghong.song@...ux.dev>,
Puranjay Mohan <puranjay@...nel.org>,
Anton Protopopov <a.s.protopopov@...il.com>,
Catalin Marinas <catalin.marinas@....com>, Will Deacon <will@...nel.org>
Subject: Re: [PATCH bpf-next v3] bpf: arm64: Fix panic due to missing BTI at indirect jump targets
On 1/1/2026 7:42 AM, Alexei Starovoitov wrote:
> On Wed, Dec 31, 2025 at 2:35 PM Eduard Zingerman <eddyz87@...il.com> wrote:
>>
>> On Sat, 2025-12-27 at 16:10 +0800, Xu Kuohai wrote:
>>> From: Xu Kuohai <xukuohai@...wei.com>
>>>
>>> When BTI is enabled, the indirect jump selftest triggers a BTI exception:
>>>
>>> Internal error: Oops - BTI: 0000000036000003 [#1] SMP
>>> ...
>>> Call trace:
>>> bpf_prog_2e5f1c71c13ac3e0_big_jump_table+0x54/0xf8 (P)
>>> bpf_prog_run_pin_on_cpu+0x140/0x464
>>> bpf_prog_test_run_syscall+0x274/0x3ac
>>> bpf_prog_test_run+0x224/0x2b0
>>> __sys_bpf+0x4cc/0x5c8
>>> __arm64_sys_bpf+0x7c/0x94
>>> invoke_syscall+0x78/0x20c
>>> el0_svc_common+0x11c/0x1c0
>>> do_el0_svc+0x48/0x58
>>> el0_svc+0x54/0x19c
>>> el0t_64_sync_handler+0x84/0x12c
>>> el0t_64_sync+0x198/0x19c
>>>
>>> This happens because no BTI instruction is generated by the JIT for
>>> indirect jump targets.
>>>
>>> Fix it by emitting a BTI instruction at every possible indirect jump
>>> target when BTI is enabled. The targets are identified by traversing
>>> all instruction arrays of jump table type used by the BPF program,
>>> since indirect jump targets can only be read from instruction arrays
>>> of jump table type.
>>>
>>> Fixes: f4a66cf1cb14 ("bpf: arm64: Add support for indirect jumps")
>>> Signed-off-by: Xu Kuohai <xukuohai@...wei.com>
>>> ---
>>> v3:
>>> - Get rid of unnecessary enum definition (Yonghong Song, Anton Protopopov)
>>>
>>> v2: https://lore.kernel.org/bpf/20251223085447.139301-1-xukuohai@huaweicloud.com/
>>> - Exclude instruction arrays not used for indirect jumps (Anton Protopopov)
>>>
>>> v1: https://lore.kernel.org/bpf/20251127140318.3944249-1-xukuohai@huaweicloud.com/
>>> ---
>>
>> Hi Xu, Anton, Alexei,
>>
>> Sorry, I'm a bit late to the discussion, ignored this patch-set
>> because of the "arm64" tag.
>>
>> What you are fixing here for arm64 will be an issue for x86 with CFI
>> as well, right?
>>
>> If that is the case, I think that we should fix this in a "generic"
>> way from the start. What do you think about the following:
>> - add a field 'bool indirect_jmp_target' to 'struct bpf_insn_aux_data'
>
> makes sense to me. u8 :1 pls.
>
Got it, will do, thanks
>> - set this field to true for each jump target inspected by the
>> verifier.c:check_indirect_jump()
>> - use this field in the jit to decide whether to emit a BTI instruction.
>>
>> Seems a bit simpler than what is discussed in this patch-set.
>> Wdyt?
>>
>> [...]
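As an added illustration (not kernel code from the patch or from anyone in the thread) of the scheme Eduard sketches above: a per-instruction flag set by the verifier from the jump tables, consumed by the JIT to place a landing pad, plus a model of the CPU-side check that produced the BTI oops in the report. The struct and function names are made up; the two instruction words are the real arm64 HINT encodings of `bti j` and `nop`.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define A64_BTI_J 0xd503249fU /* "bti j" (HINT #36): valid landing pad for BR/BLR */
#define A64_NOP   0xd503201fU /* stands in for each insn's real generated code */
#define NINSN     6           /* size of the toy program */

struct toy_aux { uint8_t indirect_jmp_target:1; }; /* proposed 'u8 ...:1' aux bit */

/* Verifier side: every entry of a jump table is a possible target, flag it. */
static void mark_targets(const uint32_t *jt, size_t n, struct toy_aux *aux)
{
    for (size_t i = 0; i < n; i++)
        aux[jt[i]].indirect_jmp_target = 1;
}

/* JIT side: one word per insn, preceded by BTI only when flagged and BTI is on.
 * off[i] receives the image index of insn i (what a real jump table holds). */
static size_t jit(const struct toy_aux *aux, bool bti, uint32_t *img, size_t *off)
{
    size_t pos = 0;
    for (size_t i = 0; i < NINSN; i++) {
        off[i] = pos;
        if (bti && aux[i].indirect_jmp_target)
            img[pos++] = A64_BTI_J;
        img[pos++] = A64_NOP;
    }
    return pos;
}

/* CPU side: after BR the first instruction executed must be a BTI landing
 * pad, otherwise the "Oops - BTI" exception from the report is raised. */
static bool indirect_branch_ok(const uint32_t *img, size_t target)
{
    return img[target] == A64_BTI_J;
}

/* Jump table {1, 4}: returns true only if every entry is a safe target. */
static bool scenario(bool flag_targets)
{
    struct toy_aux aux[NINSN] = {{0}};
    const uint32_t jt[] = {1, 4};
    uint32_t img[2 * NINSN];
    size_t off[NINSN];
    if (flag_targets)
        mark_targets(jt, 2, aux);
    jit(aux, true, img, off);
    for (size_t k = 0; k < 2; k++)
        if (!indirect_branch_ok(img, off[jt[k]]))
            return false;
    return true;
}
```

With the flag never set (the situation before the fix) the first indirect jump lands on plain code and the check fails; with the targets flagged, every entry lands on a BTI.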