Yesterday I added a disasm for jitted eBPF code. To put it mildly, this code is very poor.
Every function has 7 bytes of nops in its prolog. The comment says this is for the BPF trampoline - well, ok.
Lots of code like:
mov eax, 0x1
cmp r14, 0x2
jnz 0xc0561497
xor eax, eax
0xc0561497:
...
Lots of code like:
mov rdi, 0xffff8fd687f3e000
add rdi, 0x110
and rdi, 0xfff
and rdi, 0xfff
And finally: you can patch it. Sure, it is protected as read-only - see the call to bpf_jit_binary_lock_ro in bpf_int_jit_compile - but
- you can use the old trick with cr0
- you can call set_memory_rw
and yes - such patches are very hard to detect. Really HARD.
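The detection side of this, as an added example that is not part of the original post and not the author's code: a baseline-and-verify check over the JIT image. It assumes the text shape that `bpftool prog dump jited id <ID> opcodes` prints (an instruction line followed by a tab-indented line of hex bytes) and that bpftool reads the image from the live kernel via bpf_obj_get_info_by_fd, so bytes rewritten in place would show up in the dump. The program name and the bytes in the sample are constructed by hand, not taken from a real dump.

```python
"""Baseline-and-verify check for a JITed eBPF image.

Rebuilds the raw JIT image from bpftool's opcodes-mode text, hashes it,
and compares the hash against a baseline recorded when the program was
loaded. A differing hash plus the first differing offset is the signal
that the executable image was modified after bpf_jit_binary_lock_ro.
"""
import hashlib
import re
from typing import Optional, Tuple

# Constructed sample in the shape of `bpftool prog dump jited ... opcodes`
# output. The prologue/epilogue bytes are hand-written, not a real dump,
# and the program name is a placeholder.
SAMPLE_DUMP = """\
int xdp_pass(struct xdp_md * ctx):
bpf_prog_0000000000000000_xdp_pass:
; return XDP_PASS;
   0:\tnopl   0x0(%rax,%rax,1)
\t0f 1f 44 00 00
   5:\txchg   %ax,%ax
\t66 90
   7:\tpush   %rbp
\t55
   8:\tmov    %rsp,%rbp
\t48 89 e5
   b:\tmov    $0x2,%eax
\tb8 02 00 00 00
  10:\tleave
\tc9
  11:\tret
\tc3
"""

# Simulated tamper: the return value 2 (XDP_PASS) flipped to 1 (XDP_DROP).
TAMPERED_DUMP = SAMPLE_DUMP.replace("b8 02 00 00 00", "b8 01 00 00 00")

# Opcode lines are tab-indented and contain only space-separated hex bytes;
# instruction lines start with spaces and an offset, so they never match.
OPCODE_LINE = re.compile(r"^\t((?:[0-9a-f]{2} ?)+)\s*$")


def parse_jited_dump(text: str) -> bytes:
    """Return the JIT image bytes from bpftool opcodes-mode output."""
    image = bytearray()
    for line in text.splitlines():
        m = OPCODE_LINE.match(line)
        if m:
            image.extend(bytes.fromhex(m.group(1).replace(" ", "")))
    return bytes(image)


def image_digest(image: bytes) -> str:
    """SHA-256 of the raw image; this is what gets stored as the baseline."""
    return hashlib.sha256(image).hexdigest()


def first_difference(a: bytes, b: bytes) -> Optional[int]:
    """Offset of the first differing byte, or None if the images match."""
    for off, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return off
    return None if len(a) == len(b) else min(len(a), len(b))


def verify_image(dump_text: str, baseline_digest: str) -> Tuple[bool, str]:
    """Return (ok, digest): ok is False when the live image drifted."""
    digest = image_digest(parse_jited_dump(dump_text))
    return digest == baseline_digest, digest


if __name__ == "__main__":
    # Record the baseline at load time, then re-check the live dump later.
    baseline = image_digest(parse_jited_dump(SAMPLE_DUMP))
    ok, live = verify_image(TAMPERED_DUMP, baseline)
    print("image intact" if ok else "image modified, sha256 now %s" % live)
    if not ok:
        off = first_difference(parse_jited_dump(SAMPLE_DUMP),
                               parse_jited_dump(TAMPERED_DUMP))
        print("first differing byte at offset 0x%x" % off)
```

The baseline has to be taken from a known-good state, so record it right after the program is loaded and store it off-host. My reading of the bpftool man page is that `bpftool prog dump jited id <ID> file <FILE>` writes the same raw image to a file, which avoids the text parsing entirely; the hashing and offset logic above is unchanged either way.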