All posts by daroc

Security updates for Friday

Post Syndicated from daroc original https://lwn.net/Articles/979257/

Security updates have been issued by AlmaLinux (firefox, ghostscript, idm:DL1, and thunderbird), Debian (php8.2 and putty), Mageia (chromium-browser-stable), Oracle (ghostscript and thunderbird), Red Hat (thunderbird), and SUSE (containerd, kernel, php-composer2, podofo, python-cryptography, and rmt-server).

[$] Updates to pahole

Post Syndicated from daroc original https://lwn.net/Articles/978727/

Arnaldo Carvalho de Melo spoke at the 2024 Linux Storage, Filesystem, Memory
Management, and BPF Summit about his work on Poke-a-hole (pahole), a program
that has expanded greatly over the years, but which was relevant to the BPF
track because it produces BPF Type Format (BTF) information from DWARF
debugging information. He covered some small changes to the program, and then
went into detail about the new support for data-type profiling. His slides
include several examples.

[$] Capturing stack traces asynchronously with BPF

Post Syndicated from daroc original https://lwn.net/Articles/978736/

Andrii Nakryiko led a session at the 2024 Linux Storage, Filesystem, Memory
Management, and BPF Summit giving a look into the APIs for capturing stack
traces using BPF, and how the APIs could be made more useful. BPF programs can
capture the current stack trace of a running process, including the portion in
the kernel during execution of a system call, which can be useful for
diagnosing performance problems, among other things. But there are substantial
problems with the existing API.

[$] BPF tracing performance

Post Syndicated from daroc original https://lwn.net/Articles/978335/

On the final day of the 2024 Linux Storage, Filesystem, Memory Management, and
BPF Summit, the BPF track opened with a series of sessions on improving the
performance and flexibility of probes and other performance-monitoring tools,
in the kernel and in user space. Jiri Olsa led two sessions about different
aspects of probes: making the API for BPF programs attached to a probe more
flexible, and making user-space probes more efficient.

[$] Static keys for BPF

Post Syndicated from daroc original https://lwn.net/Articles/977993/

The kernel has a lot of code paths that are normally disabled: debugging print
statements, tracepoints, etc. To support these efficiently, there is a common
mechanism called static keys that provides a way to enable or disable a code
path at run time, with effectively no overhead for disabled branches. BPF
programs have not been able to take advantage of static keys so far, because
they aren’t compiled into the kernel. Now, it looks like BPF may be getting
support for a similar mechanism — and the design could also provide one of the
components needed to support jump tables, another missing feature. Anton
Protopopov presented his plans to add static keys to BPF at the 2024 Linux
Storage, Filesystem, Memory Management, and BPF Summit.

Security updates for Friday

Post Syndicated from daroc original https://lwn.net/Articles/978418/

Security updates have been issued by CentOS (389-ds-base, bind, bind-dyndb-ldap, and dhcp, firefox, glibc, ipa, less, libreoffice, and thunderbird), Debian (cups), Fedora (chromium and cyrus-imapd), Mageia (golang and poppler), Oracle (bind, bind-dyndb-ldap, and dhcp, gvisor-tap-vsock, python-idna, and ruby), Red Hat (dnsmasq and expat), SUSE (libaom, php8, podman, python-pymongo, python-scikit-learn, and tiff), and Ubuntu (h2database and vte2.91).

[$] Simplifying the BPF verifier

Post Syndicated from daroc original https://lwn.net/Articles/977815/

The BPF verifier is a complex program. This has the unfortunate effect of making
it simultaneously more difficult for contributors to work on, and more likely
to harbor unknown bugs. Shung-Hsi Yu had two concrete proposals for how to
simplify the verifier to make it easier to maintain that he presented at the
2024 Linux Storage, Filesystem, Memory Management, and BPF Summit. Yu proposed
changing how the verifier tracks partially known values and cleaning up the
interface to hide the details of the value-tracker’s internal representation.

[$] Securing BPF programs before and after verification

Post Syndicated from daroc original https://lwn.net/Articles/977394/

BPF is in a unique position in terms of security. It runs in a privileged
context, within the kernel, and can have access to many sensitive details of
the kernel’s operation. At the same time, unlike kernel modules, BPF programs
aren’t signed. Additionally, the mechanisms behind BPF present challenges to
implementing signing or other security features. Three nearly back-to-back
sessions at the 2024 Linux Storage, Filesystem, Memory Management, and BPF
Summit addressed some of the potential security problems.

Linux nftables vulnerability exploited in the wild (CrowdStrike)

Post Syndicated from daroc original https://lwn.net/Articles/977583/


According to CrowdStrike, a vulnerability in the Linux kernel’s nftables code
that was discovered earlier this year is being actively exploited in the wild.
The vulnerability allows for local privilege escalation. Most distributions
have already released a fix.

As noted by the exploit developer, leveraging this POC is dependent on the
kernel’s unprivileged user namespaces feature accessing nf_tables. This access
is enabled by default on Debian, Ubuntu and kernel capture-the-flag (CTF)
distributions. An attacker can then trigger the double-free vulnerability, scan
the physical memory for the kernel base address, bypass kernel address-space
layout randomization (KASLR) and access the modprobe_path kernel variable with
read/write privileges. After overwriting the modprobe_path, the exploit drops a
root shell.
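The precondition CrowdStrike calls out is reachable from user space, so it is worth checking before the patched kernel lands. The following POSIX shell script is an added example, not code from LWN's post or from CrowdStrike's write-up: it classifies whether a host lets an unprivileged user create a user namespace (and so gain CAP_NET_ADMIN over nf_tables inside it). The /proc paths it reads are assumptions about the host: user.max_user_namespaces is the upstream knob, kernel.unprivileged_userns_clone is the Debian-specific one, and /proc/modules only lists modular nf_tables. The function names are invented here.

```shell
#!/bin/sh
# Added example (not LWN's or CrowdStrike's code): classify whether a host
# leaves the exploit's precondition open, namely an unprivileged user able to
# reach nf_tables through a user namespace it creates itself.
#
# The decision logic takes raw values as arguments so it can be exercised on
# constructed inputs:
#   $1  value of /proc/sys/user/max_user_namespaces (upstream knob; 0 means
#       no new user namespace can be created in this namespace at all)
#   $2  value of /proc/sys/kernel/unprivileged_userns_clone, or "absent" when
#       the file does not exist (Debian-patch knob; 0 = unprivileged creation off)
#   $3  "loaded" if nf_tables appears in /proc/modules, else "absent"
# Prints exactly one word: restricted, exposed, or latent.
userns_nft_exposure() {
    max="$1"; clone="$2"; nft="$3"

    # max_user_namespaces at 0 blocks CLONE_NEWUSER for everyone here;
    # unprivileged_userns_clone at 0 blocks it for unprivileged users.
    # Either removes the route to CAP_NET_ADMIN in a child namespace.
    if [ "$max" = 0 ]; then
        echo restricted; return 0
    fi
    if [ "$clone" != absent ] && [ "$clone" = 0 ]; then
        echo restricted; return 0
    fi

    # Namespaces allowed. If nf_tables is loaded, the nfnetlink interface is
    # reachable right now. If it is not loaded, it is still normally
    # auto-loaded on the first nfnetlink request (unless blacklisted), so the
    # honest answer is "latent", not "safe".
    if [ "$nft" = loaded ]; then
        echo exposed
    else
        echo latent
    fi
}

# Live wrapper: gathers the three inputs from this host. Assumes the /proc
# layout named above. A built-in (non-modular) nf_tables does not show up in
# /proc/modules and must be checked via the kernel config or modules.builtin.
live_userns_nft_exposure() {
    max=$(cat /proc/sys/user/max_user_namespaces 2>/dev/null || echo unknown)
    clone=$(cat /proc/sys/kernel/unprivileged_userns_clone 2>/dev/null || echo absent)
    if grep -q '^nf_tables ' /proc/modules 2>/dev/null; then
        nft=loaded
    else
        nft=absent
    fi
    userns_nft_exposure "$max" "$clone" "$nft"
}
```

Run `live_userns_nft_exposure` as an ordinary user. "restricted" means only that the described precondition is closed on this host, not that the kernel is fixed; the fix is the distribution's updated kernel. On hosts that do not need unprivileged user namespaces, `user.max_user_namespaces = 0` (or, on Debian kernels, `kernel.unprivileged_userns_clone = 0`) closes the path, but it also breaks rootless containers, Flatpak and browser sandboxes, and the script does not consult distribution-specific alternatives such as Ubuntu's AppArmor-based restriction on unprivileged user namespaces.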

[$] Modernizing BPF for the next 10 years

Post Syndicated from daroc original https://lwn.net/Articles/977013/

BPF was first generalized beyond packet filtering more than a decade ago. In
that time, it has changed a lot, becoming much more capable. Alexei Starovoitov
kicked off the second day of the BPF track at the 2024 Linux Storage,
Filesystem, Memory Management, and BPF Summit by leading a session discussing
which changes to BPF are going to come in the next ten years as it continues
evolving. He proposed several ideas, including expanding the number of
registers available to BPF programs, dynamic deadlock detection, and relaxing
some existing limits of the verifier.

[$] Comparing BPF performance between implementations

Post Syndicated from daroc original https://lwn.net/Articles/976317/

Alan Jowett returned for a second remote presentation at the 2024 Linux
Storage, Filesystem, Memory Management, and BPF Summit to compare the
performance of different BPF runtimes. He showed the results of the
MIT-licensed BPF microbenchmark suite he has been working on. The benchmark
suite does not yet provide a good direct comparison between all platforms, so
the results should be taken with a grain of salt. They do seem to indicate that
there is some significant variation between implementations, especially for
different types of BPF maps.

[$] An instruction-level BPF memory model

Post Syndicated from daroc original https://lwn.net/Articles/976071/

There are few topics as arcane as memory models, so it was a pleasant surprise
when the double-length session on the BPF memory model at the Linux Storage,
Filesystem, Memory Management, and BPF Summit turned out to be understandable.
Paul McKenney led the session, although he was clear that the work he was
presenting was also due to Puranjay Mohan, who unfortunately could not attend
the summit. BPF does not actually have a formalized memory model yet; instead
it has relied on a history of talks like this one and a general informal
understanding. Unfortunately, ignoring memory models does not make them go
away, and this has already caused at least one BPF-related bug on
weakly-ordered architectures. Figuring out what a formal memory model for BPF
should define was the focus of McKenney’s talk.

Security updates for Friday

Post Syndicated from daroc original https://lwn.net/Articles/976209/

Security updates have been issued by Debian (gst-plugins-base1.0), Fedora (cacti, cacti-spine, roundcubemail, and wireshark), Oracle (.NET 7.0, .NET 8.0, bind and dhcp, gdk-pixbuf2, git-lfs, glibc, grafana, krb5, pcp, python-dns, python3, sssd, tigervnc, xorg-x11-server, and xorg-x11-server-Xwayland), Red Hat (edk2, less, nghttp2, and ruby:3.0), SUSE (gstreamer-plugins-base, Java, kernel, and python-requests), and Ubuntu (ffmpeg, node-browserify-sign, postgresql-14, postgresql-15, postgresql-16, and python-pymysql).

[$] Standardizing the BPF ISA

Post Syndicated from daroc original https://lwn.net/Articles/975830/

While BPF may be most famous for its use in the Linux kernel, there is actually
a growing effort to standardize BPF for use on other systems. These include
eBPF for Windows, but also uBPF, rBPF, hBPF, bpftime, and others. Some hardware
manufacturers are even considering integrating BPF directly into networking
hardware. Dave Thaler led two sessions about all of the problems that
cross-platform use inevitably brings and the current status of the
standardization work at the 2024 Linux Storage, Filesystem, Memory Management,
and BPF Summit.

[$] Supporting BPF in GCC

Post Syndicated from daroc original https://lwn.net/Articles/975412/

The GCC project has been working to support compiling to BPF for some time.
José Marchesi and David Faust spoke in an extended session at the 2024 Linux
Storage, Filesystem, Memory Management, and BPF Summit about how that work has
been going, and what is left for GCC to be on par with LLVM with regard to BPF
support. They also related tentative plans for how GCC BPF support would be
maintained in the future.

[$] LLVM improvements for BPF verification

Post Syndicated from daroc original https://lwn.net/Articles/974945/

Alan Jowett gave a remote presentation at the 2024 Linux Storage, Filesystem,
Memory Management, and BPF Summit about what features could be added to LLVM
to make writing BPF programs easier. While there is nothing specific to LLVM
about BPF code (and the next session in the track was led by GCC developer
José Marchesi about better support for that compiler), LLVM is currently the
most common way to turn C code into BPF bytecode. That translation, however,
runs into problems when the BPF verifier cannot understand the code LLVM’s
optimizations produce.

[$] Recent improvements to BPF’s struct_ops mechanism

Post Syndicated from daroc original https://lwn.net/Articles/974848/

Kui-Feng Lee spoke early in the BPF track at the 2024 Linux Storage,
Filesystem, Memory Management, and BPF Summit about some of the recent
improvements to BPF. These changes were largely driven by the sched_ext work
that David Vernet had covered in the previous talk. Lee focused on changes
relevant to struct_ops programs, but several of those changes apply to all BPF
programs.

[$] What’s scheduled for sched_ext

Post Syndicated from daroc original https://lwn.net/Articles/974387/

David Vernet’s second talk at the 2024 Linux Storage, Filesystem, Memory
Management, and BPF Summit was a summary of the state of sched_ext, the
extensible BPF scheduler that LWN covered in early May. In short, sched_ext is
intended as a platform for rapid experimentation with schedulers, and a tool to
let performance-minded administrators customize the scheduler to their
workload. The patch set has seen several revisions, becoming more generic and
powerful over time. Vernet spoke about what has been done in the past year, and
what is still missing before sched_ext can be considered pretty much complete.