diff options
| author | Daniel Borkmann <daniel@iogearbox.net> | 2018-06-11 12:19:05 +0200 |
|---|---|---|
| committer | Dmitry Vyukov <dvyukov@google.com> | 2018-07-05 10:48:20 +0200 |
| commit | 3a35170a249b6ead856b574f86e2afcf41ec496b (patch) | |
| tree | b341e46dd14a08bb0428b987190de9be3a422e82 | |
| parent | cf4583c661b8fba0e11ed7a49a3c224b18aeafde (diff) | |
bpf: disable hardening in favor of unwinding
I had missed that once hardening is enabled, it automatically disables
any exposure of JITed addresses, therefore when crashes or warnings are
thrown we don't unwind beyond a helper function. For now disable hardening.
After merge window I'll see if it's possible to detangle the case where
kernel queries kallsyms internally to find function names whenever a WARN
or BUG is thrown. If that's not possible easily, we can potentially add a
harden mode 3 which does hardening but does not disable kallsyms exposure
and then set this here for tools like syzkaller.
Fixes: ac9b19d2e435 ("bpf: enable hardening mode 1 for jited images")
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[dvyukov: also updated dashboard/config/upstream.sysctl]
| -rw-r--r-- | dashboard/config/upstream.sysctl | 2 | ||||
| -rwxr-xr-x | tools/create-image.sh | 2 |
2 files changed, 2 insertions, 2 deletions
diff --git a/dashboard/config/upstream.sysctl b/dashboard/config/upstream.sysctl index 9b6bee039..27e809504 100644 --- a/dashboard/config/upstream.sysctl +++ b/dashboard/config/upstream.sysctl @@ -1,6 +1,6 @@ kernel.watchdog_thresh = 60 net.core.bpf_jit_enable = 1 net.core.bpf_jit_kallsyms = 1 -net.core.bpf_jit_harden = 1 +net.core.bpf_jit_harden = 0 kernel.kptr_restrict = 0 kernel.softlockup_all_cpu_backtrace = 1 diff --git a/tools/create-image.sh b/tools/create-image.sh index 93b067721..a0ad610c8 100755 --- a/tools/create-image.sh +++ b/tools/create-image.sh @@ -24,7 +24,7 @@ echo "kernel.printk = 7 4 1 3" | sudo tee -a $DIR/etc/sysctl.conf echo 'debug.exception-trace = 0' | sudo tee -a $DIR/etc/sysctl.conf echo "net.core.bpf_jit_enable = 1" | sudo tee -a $DIR/etc/sysctl.conf echo "net.core.bpf_jit_kallsyms = 1" | sudo tee -a $DIR/etc/sysctl.conf -echo "net.core.bpf_jit_harden = 1" | sudo tee -a $DIR/etc/sysctl.conf +echo "net.core.bpf_jit_harden = 0" | sudo tee -a $DIR/etc/sysctl.conf echo "kernel.softlockup_all_cpu_backtrace = 1" | sudo tee -a $DIR/etc/sysctl.conf echo "kernel.kptr_restrict = 0" | sudo tee -a $DIR/etc/sysctl.conf echo "kernel.watchdog_thresh = 60" | sudo tee -a $DIR/etc/sysctl.conf |