| 1 |
On 01/04/2018 08:17 AM, Rich Freeman wrote: |
| 2 |
> On Thu, Jan 4, 2018 at 8:44 AM, Corbin Bird <corbinbird@×××××××.net> wrote: |
| 3 |
>> According to the Project Zero documentation .... having BPF JIT enabled |
| 4 |
>> is the key to the exploit. |
| 5 |
>> |
| 6 |
>> The way the docs read ... can it be assumed that by having BPF JIT |
| 7 |
>> disabled on an AMD, that blocks this exploit? |
| 8 |
>> |
| 9 |
> I'm still working through the details, but AMD seems to only be |
| 10 |
> vulnerable to variant 1 (based on AMD's reports), and for Linux that |
| 11 |
> requires that BPF JIT be both built into the kernel (compile-time), |
| 12 |
> and enabled in sysctl (net.core.bpf_jit_enable). From what I can tell |
| 13 |
> variant 1 requires that the vulnerable code actually be executed in |
| 14 |
> the kernel security context. I'm sure a fix to BPF will be made to |
| 15 |
> close that. There might also be some other code that can be tricked |
| 16 |
> in the kernel but there are no reports of this. |
| 17 |
> |
| 18 |
> For variant 2 (not exploitable on AMD), it sounds like the BPF code |
| 19 |
> need merely be present in kernel virtual memory while running in user |
| 20 |
> security context. That would mean that it would need to be built at |
| 21 |
> compile-time, and loaded (if in a module), but it wouldn't have to be |
| 22 |
> enabled in sysctl. I didn't see any mention of it but I would think |
| 23 |
> that the PTI fixes might close this hole on Intel, since then when the |
| 24 |
> CPU is in user security context the BPF code would not be present in |
| 25 |
> virtual memory. Intel posted a separate compile-time fix to lkml |
| 26 |
> yesterday as well, with an amusing response from Linus in his usual |
| 27 |
> style, and an even more amusing subsequent joke about needing to add a |
| 28 |
> perl interpreter to the kernel. |
| 29 |
> |
| 30 |
> Variant 1 does exploit CPU behavior, but I suspect it could be fixed |
| 31 |
> with a change to gcc to recognize these kinds of indirect memory |
| 32 |
> references and ensure they're not executed speculatively. That fix |
| 33 |
> would be applicable to anything that runs untrusted code in a sandbox, |
| 34 |
> such as browsers. That variant isn't about crossing CPU privilege |
| 35 |
> boundaries so much as getting code that is legitimately being run to |
| 36 |
> leak state through the cache as a backchannel. |
| 37 |
> |
| 38 |
> Note: I'm not an expert on any of this stuff, and if somebody wants to |
| 39 |
> chime in with details/adjustments to the above I'm all ears. |
| 40 |
> |
| 41 |
|
| 42 |
So .... kill all BPF JIT support / leave BPF JIT out of the kernel / no |
| 43 |
kernel modules either == attack Variant #1 fails. |
| 44 |
The "current workaround" ( for AMD CPU's ) is how I read it. |
| 45 |
|
| 46 |
Thanks for the info. |
| 47 |
|
| 48 |
Corbin |
Archives