[SRU,Impish/Unstable,0/3] s390x BPF JIT vulnerabilities

Message ID 20210921183525.56805-1-cascardo@canonical.com

Message

Thadeu Lima de Souza Cascardo Sept. 21, 2021, 6:35 p.m. UTC
[Impact]

s390 BPF JIT vulnerabilities allow the eBPF verifier to be bypassed, leading to
possible local privilege escalation.

[Mitigation]

Disable unprivileged eBPF.
sysctl -w kernel.unprivileged_bpf_disabled=1

[Potential regression]

BPF programs might execute incorrectly, affecting seccomp, socket filters,
tracing and other BPF users.

Ilya Leoshkevich (3):
  s390/bpf: Fix branch shortening during codegen pass
  s390/bpf: Fix 64-bit subtraction of the -0x80000000 constant
  s390/bpf: Fix optimizing out zero-extensions

 arch/s390/net/bpf_jit_comp.c | 70 +++++++++++++++++++-----------------
 1 file changed, 38 insertions(+), 32 deletions(-)
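
The `sysctl -w` mitigation in the cover letter above changes only the running kernel, so the following added example (not part of the original thread or of the patches) audits both the runtime value and whether it is persisted. The function names are hypothetical, and the config files are assumed to be passed in the order they are applied at boot.

```shell
#!/bin/sh
# Added example, not part of the original thread.
KEY="kernel.unprivileged_bpf_disabled"

# Classify a value read from /proc/sys/kernel/unprivileged_bpf_disabled.
bpf_state() {
    case "$1" in
        0) echo "exposed" ;;   # unprivileged bpf() is allowed
        1) echo "locked" ;;    # disabled; cannot be cleared again until reboot
        2) echo "disabled" ;;  # disabled; an administrator can still change it
        *) echo "unknown" ;;
    esac
}

# Print the last value assigned to KEY in the given sysctl config files.
# Assumption: the files are passed in the order they are applied at boot.
persisted_value() {
    [ "$#" -gt 0 ] || return 0
    cat "$@" 2>/dev/null | awk -F= -v key="$KEY" '
        /^[ \t]*[#;]/ { next }                 # skip comment lines
        {
            k = $1; v = $2
            gsub(/[ \t]/, "", k); gsub(/[ \t]/, "", v)
            if (k == key) last = v             # later assignments win
        }
        END { print last }'
}

# audit RUNTIME_VALUE [CONFIG_FILE...]
# Returns 0 if mitigated now and after reboot, 1 if exposed now,
# 2 if mitigated now but the setting is not persisted.
audit() {
    runtime=$1; shift
    state=$(bpf_state "$runtime")
    saved=$(persisted_value "$@")
    case "$state" in
        exposed|unknown) echo "FAIL runtime=$runtime"; return 1 ;;
    esac
    case "$saved" in
        1|2) echo "OK runtime=$runtime persisted=$saved" ;;
        *)   echo "WARN runtime=$runtime persisted=${saved:-unset}"; return 2 ;;
    esac
}

# Usage on a live host:
#   audit "$(cat /proc/sys/kernel/unprivileged_bpf_disabled)" /etc/sysctl.d/*.conf /etc/sysctl.conf
```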

Comments

Krzysztof Kozlowski Sept. 22, 2021, 6:37 a.m. UTC | #1
On 21/09/2021 20:35, Thadeu Lima de Souza Cascardo wrote:
> [Impact]
> 
> s390 BPF JIT vulnerabilities allow the eBPF verifier to be bypassed, leading to
> possible local privilege escalation.
> 
> [Mitigation]
> 
> Disable unprivileged eBPF.
> sysctl -w kernel.unprivileged_bpf_disabled=1
> 
> [Potential regression]
> 
> BPF programs might execute incorrectly, affecting seccomp, socket filters,
> tracing and other BPF users.
> 
> Ilya Leoshkevich (3):
>   s390/bpf: Fix branch shortening during codegen pass
>   s390/bpf: Fix 64-bit subtraction of the -0x80000000 constant
>   s390/bpf: Fix optimizing out zero-extensions
> 
>  arch/s390/net/bpf_jit_comp.c | 70 +++++++++++++++++++-----------------
>  1 file changed, 38 insertions(+), 32 deletions(-)
> 

Acked-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>

Best regards,
Krzysztof

Paolo Pisati Sept. 22, 2021, 8:05 a.m. UTC | #2
On Tue, Sep 21, 2021 at 03:35:22PM -0300, Thadeu Lima de Souza Cascardo wrote:
> [Impact]
> 
> s390 BPF JIT vulnerabilities allow the eBPF verifier to be bypassed, leading to
> possible local privilege escalation.
> 
> [Mitigation]
> 
> Disable unprivileged eBPF.
> sysctl -w kernel.unprivileged_bpf_disabled=1
> 
> [Potential regression]
> 
> BPF programs might execute incorrectly, affecting seccomp, socket filters,
> tracing and other BPF users.