Description
In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix constant blinding for PROBE_MEM32 stores

BPF_ST | BPF_PROBE_MEM32 immediate stores are not handled by bpf_jit_blind_insn(), allowing user-controlled 32-bit immediates to survive unblinded into JIT-compiled native code when bpf_jit_harden >= 1.

The root cause is that convert_ctx_accesses() rewrites BPF_ST|BPF_MEM to BPF_ST|BPF_PROBE_MEM32 for arena pointer stores during verification, before bpf_jit_blind_constants() runs during JIT compilation. The blinding switch only matches BPF_ST|BPF_MEM (mode 0x60), not BPF_ST|BPF_PROBE_MEM32 (mode 0xa0). The instruction falls through unblinded.

Add BPF_ST|BPF_PROBE_MEM32 cases to bpf_jit_blind_insn() alongside the existing BPF_ST|BPF_MEM cases. The blinding transformation is identical: load the blinded immediate into BPF_REG_AX via mov+xor, then convert the immediate store to a register store (BPF_STX). The rewritten STX instruction must preserve the BPF_PROBE_MEM32 mode so the architecture JIT emits the correct arena addressing (R12-based on x86-64).

Cannot use the BPF_STX_MEM() macro here because it hardcodes BPF_MEM mode; construct the instruction directly instead.
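The blinding rewrite described above, as an added example that is not kernel code and not part of this record: a user-space C model of the store cases of bpf_jit_blind_insn(). The opcode constants are copied from uapi/linux/bpf.h and include/linux/filter.h (BPF_PROBE_MEM32 is the kernel-internal mode 0xa0); the functions blind_store(), imm_survives() and arena_store_is_blinded(), the 'fixed' switch that selects the pre-fix or post-fix behaviour, and the sample instruction, immediate and random value are assumptions made for this example. It shows the PROBE_MEM32 store passing through untouched before the fix, and after the fix being rewritten into mov/xor into BPF_REG_AX plus a BPF_STX whose mode bits are still 0xa0.

```c
/*
 * Added example (not kernel code): user-space model of the store cases of
 * bpf_jit_blind_insn(). Opcode constants mirror uapi/linux/bpf.h and
 * include/linux/filter.h; blind_store(), imm_survives(),
 * arena_store_is_blinded() and the 'fixed' switch are assumptions for the example.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define BPF_ST          0x02    /* store immediate */
#define BPF_STX         0x03    /* store register  */
#define BPF_ALU64       0x07
#define BPF_W           0x00
#define BPF_H           0x08
#define BPF_B           0x10
#define BPF_DW          0x18
#define BPF_MEM         0x60    /* plain memory mode */
#define BPF_PROBE_MEM32 0xa0    /* arena mode, kernel-internal (filter.h) */
#define BPF_MOV         0xb0
#define BPF_XOR         0xa0
#define BPF_K           0x00
#define BPF_REG_AX      11      /* JIT-private scratch register */

#define BPF_CLASS(c) ((c) & 0x07)
#define BPF_SIZE(c)  ((c) & 0x18)
#define BPF_MODE(c)  ((c) & 0xe0)

struct bpf_insn {
	uint8_t code;
	uint8_t dst_reg:4;
	uint8_t src_reg:4;
	int16_t off;
	int32_t imm;
};

static struct bpf_insn alu64_imm(uint8_t op, uint8_t dst, int32_t imm)
{
	return (struct bpf_insn){ .code = BPF_ALU64 | op | BPF_K, .dst_reg = dst, .imm = imm };
}

/*
 * Blind one store. Writes either 1 instruction (copied through) or 3
 * (mov AX, rnd^imm; xor AX, rnd; stx [dst+off], AX) to 'to' and returns the
 * count. The kernel switches on exact opcodes per size; this condenses the
 * four size cases into a class/mode test. With fixed == false the
 * BPF_PROBE_MEM32 mode is not matched and the immediate is emitted as-is.
 */
static int blind_store(const struct bpf_insn *from, struct bpf_insn *to,
		       uint32_t imm_rnd, bool fixed)
{
	uint8_t mode = BPF_MODE(from->code);
	bool handled = mode == BPF_MEM || (fixed && mode == BPF_PROBE_MEM32);

	if (BPF_CLASS(from->code) != BPF_ST || !handled) {
		to[0] = *from;      /* pre-fix path for PROBE_MEM32: unblinded */
		return 1;
	}

	to[0] = alu64_imm(BPF_MOV, BPF_REG_AX, (int32_t)(imm_rnd ^ (uint32_t)from->imm));
	to[1] = alu64_imm(BPF_XOR, BPF_REG_AX, (int32_t)imm_rnd);
	/* Build the STX by hand: BPF_STX_MEM() would hardcode BPF_MEM, and the
	 * x86-64 JIT would then drop the R12-based arena addressing. */
	to[2] = (struct bpf_insn){
		.code = BPF_STX | BPF_SIZE(from->code) | mode,
		.dst_reg = from->dst_reg, .src_reg = BPF_REG_AX,
		.off = from->off, .imm = 0,
	};
	return 3;
}

/* True if the caller-chosen immediate appears verbatim in the emitted code. */
static bool imm_survives(const struct bpf_insn *insns, int n, int32_t imm)
{
	for (int i = 0; i < n; i++)
		if (insns[i].imm == imm)
			return true;
	return false;
}

/* Blind a single arena store and report whether the immediate is gone from
 * the output and the STX kept the PROBE_MEM32 mode. A zero imm_rnd would
 * leave the mov immediate equal to imm, so callers pass a nonzero value. */
static bool arena_store_is_blinded(int32_t imm, uint32_t imm_rnd, bool fixed)
{
	/* Constructed sample: *(u32 *)(r1 + 8) = imm with r1 an arena pointer,
	 * i.e. the verifier has already rewritten BPF_MEM to BPF_PROBE_MEM32. */
	struct bpf_insn from = { .code = BPF_ST | BPF_PROBE_MEM32 | BPF_W,
				 .dst_reg = 1, .off = 8, .imm = imm };
	struct bpf_insn out[3];
	int n = blind_store(&from, out, imm_rnd, fixed);

	return n == 3 && !imm_survives(out, n, imm) &&
	       BPF_CLASS(out[n - 1].code) == BPF_STX &&
	       BPF_MODE(out[n - 1].code) == BPF_PROBE_MEM32;
}

int main(void)
{
	uint32_t rnd = 0xdeadbeef;   /* stand-in for the kernel's random value */
	int32_t imm = 0x41424344;    /* constructed attacker-chosen immediate */

	printf("pre-fix  PROBE_MEM32 store blinded: %s\n",
	       arena_store_is_blinded(imm, rnd, false) ? "yes" : "no");
	printf("post-fix PROBE_MEM32 store blinded: %s\n",
	       arena_store_is_blinded(imm, rnd, true) ? "yes" : "no");
	return 0;
}
```

On a live system the setting referred to in the description is the net.core.bpf_jit_harden sysctl (1 blinds programs loaded by unprivileged users, 2 blinds all programs), and the native code the JIT produced for a loaded program can be inspected with bpftool prog dump jited to confirm that no store carries a caller-chosen immediate.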
Product status
6082b6c328b5486da2b356eae94b8b83c98b5565 (git) before 56af722756ed82fee2ae5d5b4d04743407506195
6082b6c328b5486da2b356eae94b8b83c98b5565 (git) before ccbf29b28b5554f9d65b2fb53b994673ad58b3bf
6082b6c328b5486da2b356eae94b8b83c98b5565 (git) before de641ea08f8fff6906e169d2576c2ac54e562fbb
6082b6c328b5486da2b356eae94b8b83c98b5565 (git) before 2321a9596d2260310267622e0ad8fbfa6f95378f
6.9
Any version before 6.9
6.12.80 (semver)
6.18.21 (semver)
6.19.11 (semver)
7.0-rc5 (original_commit_for_fix)
References
git.kernel.org/...c/56af722756ed82fee2ae5d5b4d04743407506195
git.kernel.org/...c/ccbf29b28b5554f9d65b2fb53b994673ad58b3bf
git.kernel.org/...c/de641ea08f8fff6906e169d2576c2ac54e562fbb
git.kernel.org/...c/2321a9596d2260310267622e0ad8fbfa6f95378f