CVE-2023-53634

Source
https://nvd.nist.gov/vuln/detail/CVE-2023-53634
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-53634.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-53634
Downstream
Published
2025-10-07T15:19:36Z
Modified
2025-10-21T18:08:07.042137Z
Summary
bpf, arm64: Fixed a BTI error on returning to patched function
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf, arm64: Fixed a BTI error on returning to patched function

When BPF_TRAMP_F_CALL_ORIG is set, BPF trampoline uses BLR to jump back to the instruction next to call site to call the patched function. For BTI-enabled kernel, the instruction next to call site is usually PACIASP, in this case, it's safe to jump back with BLR. But when the call site is not followed by a PACIASP or bti, a BTI exception is triggered.

Here is a fault log:

Unhandled 64-bit el1h sync exception on CPU0, ESR 0x0000000034000002 -- BTI
CPU: 0 PID: 263 Comm: test_progs Tainted: G F
Hardware name: linux,dummy-virt (DT)
pstate: 40400805 (nZcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=-c)
pc : bpf_fentry_test1+0xc/0x30
lr : bpf_trampoline_6442573892_0+0x48/0x1000
sp : ffff80000c0c3a50
x29: ffff80000c0c3a90 x28: ffff0000c2e6c080 x27: 0000000000000000
x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000050
x23: 0000000000000000 x22: 0000ffffcfd2a7f0 x21: 000000000000000a
x20: 0000ffffcfd2a7f0 x19: 0000000000000000 x18: 0000000000000000
x17: 0000000000000000 x16: 0000000000000000 x15: 0000ffffcfd2a7f0
x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000
x11: 0000000000000000 x10: ffff80000914f5e4 x9 : ffff8000082a1528
x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0101010101010101
x5 : 0000000000000000 x4 : 00000000fffffff2 x3 : 0000000000000001
x2 : ffff8001f4b82000 x1 : 0000000000000000 x0 : 0000000000000001
Kernel panic - not syncing: Unhandled exception
CPU: 0 PID: 263 Comm: test_progs Tainted: G F
Hardware name: linux,dummy-virt (DT)
Call trace:
 dump_backtrace+0xec/0x144
 show_stack+0x24/0x7c
 dump_stack_lvl+0x8c/0xb8
 dump_stack+0x18/0x34
 panic+0x1cc/0x3ec
 __el0_error_handler_common+0x0/0x130
 el1h_64_sync_handler+0x60/0xd0
 el1h_64_sync+0x78/0x7c
 bpf_fentry_test1+0xc/0x30
 bpf_fentry_test1+0xc/0x30
 bpf_prog_test_run_tracing+0xdc/0x2a0
 __sys_bpf+0x438/0x22a0
 __arm64_sys_bpf+0x30/0x54
 invoke_syscall+0x78/0x110
 el0_svc_common.constprop.0+0x6c/0x1d0
 do_el0_svc+0x38/0xe0
 el0_svc+0x30/0xd0
 el0t_64_sync_handler+0x1ac/0x1b0
 el0t_64_sync+0x1a0/0x1a4
Kernel Offset: disabled
CPU features: 0x0000,00034c24,f994fdab
Memory Limit: none

And the instruction next to call site of bpf_fentry_test1 is ADD, not PACIASP:

<bpf_fentry_test1>:
 bti c
 nop
 nop
 add w0, w0, #0x1
 paciasp

For BPF prog, JIT always puts a PACIASP after call site for BTI-enabled kernel, so there is no problem. To fix it, replace BLR with RET to bypass the branch target check.
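The exception path described above, as an added Python model that is not kernel code and not part of the advisory: it encodes which PSTATE.BTYPE values each arm64 landing pad accepts and shows that a BLR back to the ADD faults while a RET does not. Instruction names come from the quoted disassembly; the call-site index (second nop) and the BTYPE table are assumptions drawn from the Arm architecture description.

```python
"""Model of arm64 BTI landing-pad checks (constructed teaching example, not kernel code)."""

# PSTATE.BTYPE set at the target by each branch kind, per the Arm architecture:
#   BLR (call)            -> 0b10
#   BR via X16/X17        -> 0b01
#   BR via other register -> 0b11
#   RET                   -> 0b00 (no landing-pad check at the target)
BTYPE = {"blr": 0b10, "br_x16_x17": 0b01, "br": 0b11, "ret": 0b00}

# BTYPE values each landing pad accepts. PACIASP behaves as an implicit BTI c
# in the kernel (SCTLR_ELx.BT1 == 0), which is why the usual call-site return is safe.
LANDING_PADS = {
    "bti c": {0b01, 0b10},
    "bti j": {0b01, 0b11},
    "bti jc": {0b01, 0b10, 0b11},
    "paciasp": {0b01, 0b10},
}


def bti_fault(branch, target_insn):
    """True if `branch` landing on `target_insn` in a BTI-guarded region raises a BTI exception."""
    btype = BTYPE[branch]
    if btype == 0b00:  # RET never sets BTYPE, so the target is not checked
        return False
    accepted = LANDING_PADS.get(target_insn.strip().lower(), set())
    return btype not in accepted


# Disassembly quoted in the advisory. The trampoline call is patched over the
# second nop (index 2), so the return address is the ADD at index 3 (assumption).
BPF_FENTRY_TEST1 = ["bti c", "nop", "nop", "add w0, w0, #0x1", "paciasp"]
RETURN_INDEX = 3


def trampoline_return_faults(branch, func=BPF_FENTRY_TEST1, ret_idx=RETURN_INDEX):
    """Does the trampoline's jump back into the patched function fault for this branch kind?"""
    return bti_fault(branch, func[ret_idx])


if __name__ == "__main__":
    for branch in ("blr", "ret"):
        print(f"{branch.upper()} back to {BPF_FENTRY_TEST1[RETURN_INDEX]!r}:",
              "BTI fault" if trampoline_return_faults(branch) else "ok")
    # A JIT-ed BPF program has PACIASP right after its call site, so BLR lands safely there.
    print("BLR to PACIASP:", "BTI fault" if bti_fault("blr", "paciasp") else "ok")
```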

References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
efc9909fdce00a827a37609628223cd45bf95d0b
Fixed
8b9c64942ada229f52fe6f1b537a50f88b3c2673
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
efc9909fdce00a827a37609628223cd45bf95d0b
Fixed
eabc166919d169e105263974991f52b0351e431a
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
efc9909fdce00a827a37609628223cd45bf95d0b
Fixed
738a96c4a8c36950803fdd27e7c30aca92dccefd

Affected versions

v5.*

v5.19
v5.19-rc6
v5.19-rc7
v5.19-rc8

v6.*

v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.1
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.1.1
v6.1.10
v6.1.11
v6.1.12
v6.1.13
v6.1.14
v6.1.15
v6.1.16
v6.1.17
v6.1.18
v6.1.19
v6.1.2
v6.1.20
v6.1.21
v6.1.22
v6.1.23
v6.1.24
v6.1.3
v6.1.4
v6.1.5
v6.1.6
v6.1.7
v6.1.8
v6.1.9
v6.2
v6.2-rc1
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.2.1
v6.2.10
v6.2.11
v6.2.2
v6.2.3
v6.2.4
v6.2.5
v6.2.6
v6.2.7
v6.2.8
v6.2.9
v6.3-rc1
v6.3-rc2
v6.3-rc3

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.0
Fixed
6.1.25
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.2.12