Wednesday, December 1, 2021

jitted eBPF code

Yesterday I added disasm for jitted eBPF code. To put it mildly, this code is very poor.

Every function has 7 bytes of nops in the prolog. The comment says that this is for the BPF trampoline - well, ok.

Lots of code like

 mov eax, 0x1
 cmp r14, 0x2
 jnz 0xc0561497
 xor eax, eax
0xc0561497:
 ...
Somebody - tell them about the cmovXX instructions.

Lots of code like
mov rdi, 0xffff8fd687f3e000
add rdi, 0x110

and, related, this to get the address of a stack variable:
mov rdi, rbp
add rdi, 0xffffffffffffffe0 
Perhaps it would be preferable to use lea rdi, [rbp-XX]

Slow inc/dec:
add r8, 0x1
sub rdi, 0x1

Lots of repeated instructions:
and rdi, 0xfff
and rdi, 0xfff
it's an obvious bug.
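As an added example (not code from the post), here is a small peephole scanner over a disassembly listing that flags the four patterns listed above: a conditional jump that skips a single register write (cmovXX candidate), a mov followed by an add to the same register, add/sub by 1, and an idempotent instruction repeated back to back. The listing, addresses and bytes are constructed in the style of the post, and the scanner assumes one instruction per line in `addr: mnemonic op1, op2` form. For the mov-imm64/add pair it suggests folding the add into the immediate rather than lea, since lea cannot encode a 64-bit absolute address; the lea suggestion is reserved for a register base such as rbp.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample listing in the style of the post (addresses and
# instructions are made up for illustration, not real JIT output).
SAMPLE_LISTING = """\
0xc0561480:  mov eax, 0x1
0xc0561485:  cmp r14, 0x2
0xc0561489:  jnz 0xc0561497
0xc056148f:  xor eax, eax
0xc0561497:  mov rdi, 0xffff8fd687f3e000
0xc05614a1:  add rdi, 0x110
0xc05614a8:  mov rdi, rbp
0xc05614ab:  add rdi, 0xffffffffffffffe0
0xc05614b2:  add r8, 0x1
0xc05614b6:  sub rdi, 0x1
0xc05614ba:  and rdi, 0xfff
0xc05614c1:  and rdi, 0xfff
"""

LINE_RE = re.compile(r"^\s*(0x[0-9a-fA-F]+):\s+(\S+)(?:\s+(.*))?$")
MASK64 = (1 << 64) - 1


@dataclass
class Insn:
    addr: int
    mnem: str
    ops: List[str]


@dataclass
class Finding:
    addr: int
    kind: str
    suggestion: str


def parse_listing(text: str) -> List[Insn]:
    """One instruction per line: 'addr: mnemonic op1, op2'. Other lines are skipped."""
    insns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        addr, mnem, ops = m.groups()
        insns.append(Insn(int(addr, 16), mnem.lower(),
                          [o.strip() for o in ops.split(",")] if ops else []))
    return insns


def _imm(s: str) -> Optional[int]:
    """Parse an immediate; None for register or memory operands."""
    try:
        return int(s, 0)
    except ValueError:
        return None


def _is_reg_write(i: Insn) -> bool:
    return i.mnem in ("mov", "xor") and len(i.ops) == 2 and not i.ops[0].startswith("[")


def analyze(text: str) -> List[Finding]:
    insns = parse_listing(text)
    index_of = {i.addr: n for n, i in enumerate(insns)}
    out: List[Finding] = []
    for n, cur in enumerate(insns):
        nxt = insns[n + 1] if n + 1 < len(insns) else None
        prev = insns[n - 1] if n > 0 else None

        # 1. jcc whose target is the instruction after exactly one register write
        if cur.mnem.startswith("j") and cur.mnem != "jmp" and nxt and _is_reg_write(nxt):
            target = _imm(cur.ops[0]) if cur.ops else None
            if target is not None and index_of.get(target) == n + 2:
                out.append(Finding(cur.addr, "cmov-candidate",
                                   f"{cur.mnem} only skips '{nxt.mnem} {', '.join(nxt.ops)}'"))

        # 2. mov reg, X ; add reg, imm  -> one instruction
        if (cur.mnem == "mov" and nxt and nxt.mnem == "add"
                and len(cur.ops) == 2 and len(nxt.ops) == 2
                and cur.ops[0] == nxt.ops[0] and _imm(nxt.ops[1]) is not None):
            disp = _imm(nxt.ops[1])
            base = _imm(cur.ops[1])
            if base is not None:
                # absolute address: lea has no 64-bit displacement, fold the add
                out.append(Finding(cur.addr, "imm-fold-candidate",
                                   f"mov {cur.ops[0]}, {(base + disp) & MASK64:#x}"))
            else:
                # register base (e.g. rbp): lea with a signed displacement
                if disp >= 1 << 63:
                    disp -= 1 << 64
                out.append(Finding(cur.addr, "lea-candidate",
                                   f"lea {cur.ops[0]}, [{cur.ops[1]}{disp:+#x}]"))

        # 3. add/sub reg, 1 -> inc/dec (shorter encoding; see the note below)
        if cur.mnem in ("add", "sub") and len(cur.ops) == 2 and _imm(cur.ops[1]) == 1:
            out.append(Finding(cur.addr, "inc-dec-candidate",
                               f"{'inc' if cur.mnem == 'add' else 'dec'} {cur.ops[0]}"))

        # 4. identical idempotent instruction repeated back to back
        if prev and cur.mnem in ("and", "or", "mov") and (cur.mnem, cur.ops) == (prev.mnem, prev.ops):
            out.append(Finding(cur.addr, "duplicate",
                               f"repeats '{cur.mnem} {', '.join(cur.ops)}'"))
    return out


if __name__ == "__main__":
    for f in analyze(SAMPLE_LISTING):
        print(f"{f.addr:#x}  {f.kind:<20} {f.suggestion}")
```

Two design choices worth noting: the duplicate check only reports idempotent instructions (and/or/mov), since a repeated add is not redundant; and the inc/dec finding is a candidate, not a bug, because inc/dec leave CF untouched, a partial-flag update that some microarchitectures penalize, which is why many compilers emit add/sub 1 on purpose.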

And finally,
you can patch it. Sure, it was protected with RO - see the call to bpf_jit_binary_lock_ro in the function bpf_int_jit_compile - but
  • you can use the old trick with cr0
  • you can call set_memory_rw
and yes - these patches are very hard to detect. Really HARD.
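The check a defender would want against silent in-place modification of a locked image, as an added example that is not code from the post or from the kernel: take a digest of each JIT image at the moment it is locked read-only and re-verify it on a schedule, reporting the first differing byte for triage. The image bytes below are hand-encoded from the mov/cmp/jnz/xor sequence quoted earlier plus a ret and are constructed for illustration; program ids and the one-byte "tamper" are likewise made up. The caveat that matters: a baseline kept in the same kernel memory can be rewritten by the same code that flips cr0.WP, so the reference digests belong somewhere the kernel itself cannot alter (a hypervisor, an attestation host, or at minimum a separately signed record).

```python
import hashlib
from typing import Dict, Optional, Tuple

# Constructed JIT image: the post's mov/cmp/jnz/xor sequence hand-encoded,
# followed by ret. Illustrative bytes only, not a real dump.
JIT_IMAGE = bytes([
    0xb8, 0x01, 0x00, 0x00, 0x00,   # mov eax, 0x1
    0x49, 0x83, 0xfe, 0x02,         # cmp r14, 0x2
    0x75, 0x02,                     # jnz +2 (over the xor)
    0x31, 0xc0,                     # xor eax, eax
    0xc3,                           # ret
])


class JitImageMonitor:
    """Record a digest of each JIT image when it is locked read-only and
    re-check it later. A reference copy is kept so that a mismatch can be
    reported as a byte offset."""

    def __init__(self) -> None:
        self._baseline: Dict[int, Tuple[str, bytes]] = {}

    def lock(self, prog_id: int, image: bytes) -> str:
        """Call at the point where the image becomes read-only; returns the digest."""
        ref = bytes(image)
        digest = hashlib.sha256(ref).hexdigest()
        self._baseline[prog_id] = (digest, ref)
        return digest

    def verify(self, prog_id: int, image: bytes) -> Optional[int]:
        """None if the image is unchanged, else the offset of the first differing
        byte (the common length when one image is a prefix of the other)."""
        digest, ref = self._baseline[prog_id]
        if hashlib.sha256(image).hexdigest() == digest:
            return None
        n = min(len(ref), len(image))
        for off in range(n):
            if ref[off] != image[off]:
                return off
        return n

    def sweep(self, current: Dict[int, bytes]) -> Dict[int, int]:
        """Re-check every locked program. Returns {prog_id: first_bad_offset};
        a program whose image is no longer present is reported as -1."""
        bad: Dict[int, int] = {}
        for pid in self._baseline:
            if pid not in current:
                bad[pid] = -1
                continue
            off = self.verify(pid, current[pid])
            if off is not None:
                bad[pid] = off
        return bad


def demo() -> Dict[int, int]:
    """Lock two (constructed) programs, then simulate one byte of program 7
    being modified after the lock and sweep both."""
    mon = JitImageMonitor()
    mon.lock(7, JIT_IMAGE)
    mon.lock(8, JIT_IMAGE)
    tampered = bytearray(JIT_IMAGE)
    tampered[9] ^= 0xff          # constructed modification at the jnz opcode
    return mon.sweep({7: bytes(tampered), 8: JIT_IMAGE})


if __name__ == "__main__":
    print(demo())   # {7: 9}
```

The sweep is cheap enough to run from a periodic worker or at each new program load; what it cannot do is defend the baseline itself, which is why the reference digests should live outside the memory the monitored kernel can write.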
