Source: linux
Version: 6.19.10-1
Severity: grave
Tags: patch security
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
This is a backport for CVE-2026-23417 (BPF JIT Blinding bypass) targeting the linux package in Sid (6.19.10-1). I have verified the patch by successfully compiling kernel/bpf/core.o in a Debian Sid environment. The patch follows DEP-3 standards and addresses the issue where BPF_ST | BPF_PROBE_MEM32 instructions were bypassing constant blinding. The fix is based on the upstream commit by Linus Torvalds.

Attached is the DEP-3 formatted patch.

-- System Information:
Debian Release: forky/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.19.10+deb14-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=es_CL.UTF-8, LC_CTYPE=es_CL.UTF-8 (charmap=UTF-8), LANGUAGE=es_CL:es
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Description: bpf: fix constant blinding for PROBE_MEM32 BPF_ST | BPF_PROBE_MEM32 immediate stores are not handled by bpf_jit_blind_insn(), allowing user-controlled 32-bit immediates to survive unblinded into JIT-compiled native code. This backport addresses CVE-2026-23417 by manually constructing the BPF_STX instruction to preserve the PROBE_MEM32 mode, which would otherwise be lost if using the BPF_STX_MEM() macro. Origin: upstream, https://git.kernel.org/linus/2321a9596d2260310267622e0ad8fbfa6f95378f Bug-Debian: https://security-tracker.debian.org/tracker/CVE-2026-23417 Forwarded: not-needed Author: Linus Torvalds <[email protected]> Reviewed-by: Benjamin Leon Dubos <[email protected]> Last-Update: 2026-04-03 Applied-Upstream: 7.0-rc5 --- a/kernel/bpf/core.c +++ b/kernel/bpf/core.c @@ -1419,6 +1419,26 @@ *to++ = BPF_ALU64_IMM(BPF_XOR, BPF_REG_AX, imm_rnd); *to++ = BPF_STX_MEM(from->code, from->dst_reg, BPF_REG_AX, from->off); break; + + case BPF_ST | BPF_PROBE_MEM32 | BPF_DW: + case BPF_ST | BPF_PROBE_MEM32 | BPF_W: + case BPF_ST | BPF_PROBE_MEM32 | BPF_H: + case BPF_ST | BPF_PROBE_MEM32 | BPF_B: + *to++ = BPF_ALU64_IMM(BPF_MOV, BPF_REG_AX, imm_rnd ^ from->imm); + *to++ = BPF_ALU64_IMM(BPF_XOR, BPF_REG_AX, imm_rnd); + /* + * Cannot use BPF_STX_MEM() macro here as it + * hardcodes BPF_MEM mode, losing PROBE_MEM32 + * and breaking arena addressing in the JIT. + */ + *to++ = (struct bpf_insn) { + .code = BPF_STX | BPF_PROBE_MEM32 | BPF_SIZE(from->code), + .dst_reg = from->dst_reg, + .src_reg = BPF_REG_AX, + .off = from->off, + }; + break; + } out: return to - to_buff;
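Review bot: the trailing blank `+` line added directly before the closing `}` of the switch will draw checkpatch's "Blank lines aren't necessary before a close brace" complaint; drop it and keep only the blank line that separates the new cases from the preceding `break;`. Leaving `.imm` out of the designated initializer is fine: it is zero-filled, which matches the `.imm = 0` that BPF_STX_MEM() would have set, and a register store does not read it. Since the in-hunk comment justifies the hand-built insn by saying the JIT must still see `BPF_STX | BPF_PROBE_MEM32` as an arena store, the cover text's compile-only check of core.o is thin evidence for that claim; please run the arena BPF selftests with net.core.bpf_jit_harden=2 on the target kernel and state which JIT back-ends were exercised, because this path is only reached when blinding is enabled.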

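To make the mechanism in the patch description concrete, here is an added user-space model of the constant-blinding rewrite (my own example, not code from the report, the patch or the kernel). It rewrites a BPF_ST immediate store into MOV AX, imm^rnd ; XOR AX, rnd ; STX [dst+off], AX, then evaluates the result to show that the stored value is unchanged, that the original immediate no longer appears in any instruction, and that building the final STX with a BPF_STX_MEM()-style macro silently replaces the PROBE_MEM32 mode with BPF_MEM while a hand-built insn keeps it. The manual path generalises the patch slightly by copying whatever mode the source insn carried rather than hardcoding PROBE_MEM32. Opcode values mirror include/uapi/linux/bpf.h and include/linux/filter.h as I recall them; the exact BPF_PROBE_MEM32 and BPF_REG_AX values are assumptions (the argument only needs PROBE_MEM32 != BPF_MEM), and blind_st_imm(), run_store(), imm_leaks() and the sample instruction are mine.

```c
#include <stdint.h>
#include <stdio.h>

/* Instruction layout from include/uapi/linux/bpf.h. */
struct bpf_insn {
	uint8_t code;
	uint8_t dst_reg:4;
	uint8_t src_reg:4;
	int16_t off;
	int32_t imm;
};

#define BPF_CLASS(c) ((c) & 0x07)
#define BPF_SIZE(c)  ((c) & 0x18)
#define BPF_MODE(c)  ((c) & 0xe0)
#define BPF_OP(c)    ((c) & 0xf0)
#define BPF_ST    0x02
#define BPF_STX   0x03
#define BPF_ALU64 0x07
#define BPF_W  0x00
#define BPF_H  0x08
#define BPF_B  0x10
#define BPF_DW 0x18
#define BPF_MEM 0x60
#define BPF_PROBE_MEM32 0xa0 /* assumption: kernel-internal arena mode, != BPF_MEM */
#define BPF_K   0x00
#define BPF_MOV 0xb0
#define BPF_XOR 0xa0
#define BPF_REG_AX 11        /* assumption: the blinding scratch register */

#define BPF_ALU64_IMM(OP, DST, IMM) \
	((struct bpf_insn){ .code = BPF_ALU64 | BPF_OP(OP) | BPF_K, .dst_reg = DST, .imm = IMM })
/* Same shape as the kernel macro: the addressing mode is hardcoded to BPF_MEM. */
#define BPF_STX_MEM(SIZE, DST, SRC, OFF) \
	((struct bpf_insn){ .code = BPF_STX | BPF_SIZE(SIZE) | BPF_MEM, \
			    .dst_reg = DST, .src_reg = SRC, .off = OFF })

/* Rewrite one BPF_ST immediate store into the blinded 3-insn sequence.
 * keep_mode=0 builds the final STX with BPF_STX_MEM() (mode dropped);
 * keep_mode=1 constructs it by hand, copying the source insn's mode.
 * Returns the number of instructions written to 'to' (0 if not a BPF_ST). */
int blind_st_imm(const struct bpf_insn *from, uint32_t imm_rnd,
		 struct bpf_insn *to, int keep_mode)
{
	if (BPF_CLASS(from->code) != BPF_ST)
		return 0;
	to[0] = BPF_ALU64_IMM(BPF_MOV, BPF_REG_AX, (int32_t)(imm_rnd ^ (uint32_t)from->imm));
	to[1] = BPF_ALU64_IMM(BPF_XOR, BPF_REG_AX, (int32_t)imm_rnd);
	if (keep_mode)
		to[2] = (struct bpf_insn){
			.code = BPF_STX | BPF_MODE(from->code) | BPF_SIZE(from->code),
			.dst_reg = from->dst_reg, .src_reg = BPF_REG_AX, .off = from->off };
	else
		to[2] = BPF_STX_MEM(from->code, from->dst_reg, BPF_REG_AX, from->off);
	return 3;
}

/* Minimal evaluator for the sequences above: tracks register values and, when
 * the store executes, reports the value it would write and the addressing mode
 * the store insn carries. Returns 0 on success, -1 on an unsupported insn. */
int run_store(const struct bpf_insn *prog, int n, int32_t *value, uint8_t *mode)
{
	int32_t regs[16] = {0};
	for (int i = 0; i < n; i++) {
		const struct bpf_insn *in = &prog[i];
		switch (in->code) {
		case BPF_ALU64 | BPF_MOV | BPF_K: regs[in->dst_reg] = in->imm; break;
		case BPF_ALU64 | BPF_XOR | BPF_K: regs[in->dst_reg] ^= in->imm; break;
		default:
			if (BPF_CLASS(in->code) == BPF_ST) {
				*value = in->imm; *mode = BPF_MODE(in->code); break;
			}
			if (BPF_CLASS(in->code) == BPF_STX) {
				*value = regs[in->src_reg]; *mode = BPF_MODE(in->code); break;
			}
			return -1;
		}
	}
	return 0;
}

/* 1 if any instruction still carries 'imm' verbatim in its immediate field. */
int imm_leaks(const struct bpf_insn *prog, int n, int32_t imm)
{
	for (int i = 0; i < n; i++)
		if (prog[i].imm == imm)
			return 1;
	return 0;
}

int main(void)
{
	/* Constructed input: an arena (PROBE_MEM32) 32-bit immediate store whose
	 * immediate is attacker-chosen, here four x86 NOP bytes. */
	struct bpf_insn from = { .code = BPF_ST | BPF_PROBE_MEM32 | BPF_W,
				 .dst_reg = 1, .off = 8, .imm = (int32_t)0x90909090 };
	struct bpf_insn out[3];
	int32_t value = 0;
	uint8_t mode = 0;

	for (int keep_mode = 0; keep_mode <= 1; keep_mode++) {
		int n = blind_st_imm(&from, 0x5a5a5a5a, out, keep_mode);
		run_store(out, n, &value, &mode);
		printf("%s: stores 0x%08x, mode 0x%02x (%s), imm leaked: %d\n",
		       keep_mode ? "manual STX " : "BPF_STX_MEM", (uint32_t)value, mode,
		       mode == BPF_PROBE_MEM32 ? "PROBE_MEM32 kept" : "PROBE_MEM32 lost",
		       imm_leaks(out, n, from.imm));
	}
	return 0;
}
```

Both variants store the right value, which is why the mode loss would not show up in a functional test of the store itself; it only matters to a JIT that dispatches arena accesses on the mode bits, which is the situation the patch comment describes.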
