Bug#991830: unblock: linux/5.10.46-4
Control: tags -1 - moreinfo
Hi Paul,
On Mon, Aug 02, 2021 at 10:53:00PM +0200, Paul Gevers wrote:
> Control: tags -1 confirmed moreinfo
>
> Hi Salvatore,
>
> On 02-08-2021 22:19, Salvatore Bonaccorso wrote:
> > Upstream added in 5.13-rc4 a new kconfig knob to disable unprivileged
> > bpf by default, but without making it irreversible. I cherry-picked
> > this commit as well, and set BPF_UNPRIV_DEFAULT_OFF, closing #990411.
>
> I wonder if this would warrant a NEWS item and if you have time left to
> squeeze it in.
Yes, I have added a NEWS entry accordingly describing the default in
Debian starting with the 5.10.46-4 upload. Thanks for raising this.
> > Would you agree on such a very short timed upload still to be
> > targeting for bullseye?
>
> If all (including magic of signing) can be built and ready for Saturday
> I think this issue is worth it. Normally you kernel people know very
> well what you're doing.
Thank you for the ack, this is very much appreciated. The full set of
changes, for the record, were (but not adding a debdiff now):
* bpf: Introduce BPF nospec instruction for mitigating Spectre v4
  (CVE-2021-34556, CVE-2021-35477)
* bpf: Fix leakage due to insufficient speculative store bypass mitigation
  (CVE-2021-34556, CVE-2021-35477)
* bpf: Remove superfluous aux sanitation on subprog rejection
* Ignore ABI changes for bpf_offload_dev_create and bpf_verifier_log_write
* bpf: Add kconfig knob for disabling unpriv bpf by default
* init: Enable BPF_UNPRIV_DEFAULT_OFF (Closes: #990411)
* linux-image: Add NEWS entry documenting that unprivileged calls to bpf() are
  disabled by default in Debian.
* bpf: verifier: Allocate idmap scratch in verifier env
* bpf: Fix pointer arithmetic mask tightening under state pruning
Regards,
Salvatore
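As an added example (not from the bug report or the Debian kernel package): a POSIX shell check that reads the sysctl behind this new default, kernel.unprivileged_bpf_disabled, and reports whether unprivileged bpf() is off and whether that state is the reversible one BPF_UNPRIV_DEFAULT_OFF selects (value 2) rather than the one-way setting (value 1). The config path /boot/config-$(uname -r) is assumed to be where the running kernel's config lives, as on Debian.

```shell
#!/bin/sh
# Added example; not code from the bug report or the Debian kernel package.
# Kernel semantics of kernel.unprivileged_bpf_disabled:
#   0  unprivileged bpf() allowed
#   1  disabled, cannot be re-enabled without a reboot (one-way)
#   2  disabled by default (what CONFIG_BPF_UNPRIV_DEFAULT_OFF=y selects),
#      an administrator may still set it back to 0

# describe_unpriv_bpf VALUE: prints a label; exits 0 when unprivileged
# bpf() is disabled (1 or 2), 1 when it is allowed or the value is unknown.
describe_unpriv_bpf() {
  case "$1" in
    0) echo "enabled: unprivileged users may call bpf()"; return 1 ;;
    1) echo "disabled, irreversible until reboot"; return 0 ;;
    2) echo "disabled by default, reversible (admin may set it back to 0)"; return 0 ;;
    *) echo "unknown value '$1'"; return 1 ;;
  esac
}

# current_unpriv_bpf: prints the live value, or nothing when the sysctl is
# absent (kernel built without CONFIG_BPF_SYSCALL, or not Linux at all).
current_unpriv_bpf() {
  f=/proc/sys/kernel/unprivileged_bpf_disabled
  [ -r "$f" ] && cat "$f"
}

# config_has_unpriv_default_off [CONFIG_FILE]: exits 0 if that kernel config
# was built with CONFIG_BPF_UNPRIV_DEFAULT_OFF=y. Assumed Debian path by default.
config_has_unpriv_default_off() {
  grep -qx 'CONFIG_BPF_UNPRIV_DEFAULT_OFF=y' "${1:-/boot/config-$(uname -r)}" 2>/dev/null
}

# Stand-alone use: audit the running system.
v=$(current_unpriv_bpf) || v=""
if [ -n "$v" ]; then
  printf 'kernel.unprivileged_bpf_disabled=%s: ' "$v"
  describe_unpriv_bpf "$v" || true
else
  echo "sysctl kernel.unprivileged_bpf_disabled not present on this system"
fi
if config_has_unpriv_default_off; then
  echo "running kernel config: CONFIG_BPF_UNPRIV_DEFAULT_OFF=y"
else
  echo "running kernel config: CONFIG_BPF_UNPRIV_DEFAULT_OFF not set or config unreadable"
fi
```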