From 51e0d22ec6db124abca69a1cc35905c9342c884a Mon Sep 17 00:00:00 2001
From: Jon DeVree
Date: Mon, 8 Jan 2018 01:22:53 -0500
Subject: [PATCH] Do not automatically enable the linux kernel's BPF JIT compiler
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The default value of kernel.unprivileged_bpf_disabled is 0 which means this is enabling the BPF JIT compiler for unprivileged users. Given that this is a known attack vector for Spectre variant 1 (CVE-2017-5753) this is not a setting that a utility should be tampering with. Tshark's and dumpcap's help message is changed by Balint Reczey to suggest enabling BPF manually after considering security-related implications.
Change-Id: I1cc34cbd6e84485eba9dee79a8700aa388354885
Signed-off-by: Balint Reczey
Bug: 14313
Reviewed-on: https://code.wireshark.org/review/25192
Reviewed-by: Balint Reczey
Petri-Dish: Balint Reczey
Reviewed-by: João Valverde
Tested-by: Petri Dish Buildbot
Reviewed-by: Gerald Combs
---
dumpcap.c | 37 ++++---------------------------------
tshark.c | 7 ++++---
2 files changed, 8 insertions(+), 36 deletions(-)
diff --git a/dumpcap.c b/dumpcap.c
index 0bc0617fb6..7ed3face4c 100644
--- a/dumpcap.c
+++ b/dumpcap.c
@@ -150,32 +150,6 @@ static void capture_loop_stop(void);
 /** Close a pipe, or socket if \a from_socket is TRUE */
 static void cap_pipe_close(int pipe_fd, gboolean from_socket _U_);
-#ifdef __linux__
-/*
- * Enable kernel BPF JIT compiler if available.
- * If any calls fail, just drive on - the JIT compiler might not be
- * enabled, but filtering will still work, and it's not clear what
- * we could do if the calls fail; should we just report the error
- * and not continue to capture, should we report it as a warning, or
- * what?
- */
-static void
-enable_kernel_bpf_jit_compiler(void)
-{
- int fd;
- ssize_t written _U_;
- static const char file[] = "/proc/sys/net/core/bpf_jit_enable";
-
- fd = ws_open(file, O_WRONLY);
- if (fd < 0)
- return;
-
- written = ws_write(fd, "1", strlen("1"));
-
- ws_close(fd);
-}
-#endif
-
 #if !defined (__linux__)
 #ifndef HAVE_PCAP_BREAKLOOP
 /*
@@ -502,9 +476,10 @@ print_usage(FILE *output)
 fprintf(output, " -h display this help and exit\n");
 fprintf(output, "\n");
 #ifdef __linux__
- fprintf(output, "WARNING: dumpcap will enable kernel BPF JIT compiler if available.\n");
- fprintf(output, "You might want to reset it\n");
- fprintf(output, "By doing \"echo 0 > /proc/sys/net/core/bpf_jit_enable\"\n");
+ fprintf(output, "Dumpcap can benefit from an enabled BPF JIT compiler if available.\n");
+ fprintf(output, "You might want to enable it by executing:\n");
+ fprintf(output, " \"echo 1 > /proc/sys/net/core/bpf_jit_enable\"\n");
+ fprintf(output, "Note that this can make your system less secure!\n");
 fprintf(output, "\n");
 #endif
 fprintf(output, "Example: dumpcap -i eth0 -a duration:60 -w output.pcapng\n");
@@ -4663,10 +4638,6 @@ main(int argc, char *argv[])
 #endif /* SIGINFO */
 #endif /* _WIN32 */
-#ifdef __linux__
- enable_kernel_bpf_jit_compiler();
-#endif
-
 /* ----------------------------------------------------------------- */
 /* Privilege and capability handling */
 /* Cases: */
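Review bot: The new help text in dumpcap's print_usage (second hunk) tells the user to run `echo 1 > /proc/sys/net/core/bpf_jit_enable` and then only says this "can make your system less secure", without naming the actual exposure or the knobs that bound it; the commit message itself ties the risk to unprivileged BPF being allowed by default. One more line would make the advice actionable for an administrator, e.g. `fprintf(output, "See net.core.bpf_jit_harden and kernel.unprivileged_bpf_disabled before enabling it.\n");`, since the kernel's JIT hardening sysctl exists precisely to mitigate this class of attack when the JIT is on. The same four lines are added verbatim to print_usage in tshark.c (the next hunk on this page); two copies of security advice tend to drift apart, so a single shared string or a small helper in a common source file would be preferable to duplicating them. print_usage starts and ends outside the hunk in both files.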
diff --git a/tshark.c b/tshark.c
index 7d0b453199..f7100a407d 100644
--- a/tshark.c
+++ b/tshark.c
@@ -454,9 +454,10 @@ print_usage(FILE *output)
 fprintf(output, " use \"-G help\" for more help\n");
 #ifdef __linux__
 fprintf(output, "\n");
- fprintf(output, "WARNING: dumpcap will enable kernel BPF JIT compiler if available.\n");
- fprintf(output, "You might want to reset it\n");
- fprintf(output, "By doing \"echo 0 > /proc/sys/net/core/bpf_jit_enable\"\n");
+ fprintf(output, "Dumpcap can benefit from an enabled BPF JIT compiler if available.\n");
+ fprintf(output, "You might want to enable it by executing:\n");
+ fprintf(output, " \"echo 1 > /proc/sys/net/core/bpf_jit_enable\"\n");
+ fprintf(output, "Note that this can make your system less secure!\n");
 #endif
 }