Bug#1028479: bpfcc-tools: insecure use of /tmp

2023-01-23 Thread Ritesh Raj Sarraf
Control: tag -1 pending


Hello Jakub,

Thank you for your bug report. I have prepared a fix and tested it
locally. Will be uploading it soon today.


rrs@chutzpah:/var/tmp$ cat /tmp/kheaders-6.1.0-2-amd64/include/linux/kconfig.h  
  
#error this header is malicious
17:19 ♒♒♒☹  => 1  


rrs@chutzpah:/var/tmp$ sudo opensnoop-bpfcc 
modprobe: FATAL: Module kheaders not found in directory /lib/modules/6.1.0-2-amd64
Unable to find kernel headers. Try rebuilding kernel with CONFIG_IKHEADERS=m (module) or installing the kernel development package for your running kernel version.
chdir(/lib/modules/6.1.0-2-amd64/build): No such file or directory
Traceback (most recent call last):
  File "/usr/sbin/opensnoop-bpfcc", line 261, in <module>
    b = BPF(text='')
  File "/usr/lib/python3/dist-packages/bcc/__init__.py", line 476, in __init__
    raise Exception("Failed to compile BPF module %s" % (src_file or ""))
Exception: Failed to compile BPF module
17:19 ♒♒♒☹  => 1  

rrs@chutzpah:/var/tmp$ sudo apt install linux-headers-amd64
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  linux-headers-6.1.0-2-amd64 linux-headers-6.1.0-2-common
The following NEW packages will be installed:
  linux-headers-6.1.0-2-amd64 linux-headers-6.1.0-2-common linux-headers-amd64
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 10.8 MB/10.8 MB of archives.
After this operation, 60.9 MB of additional disk space will be used.
Do you want to continue? [Y/n] 
Get:1 http://deb.debian.org/debian unstable/main amd64 linux-headers-6.1.0-2-common all 6.1.7-1 [9,717 kB]
Get:2 http://deb.debian.org/debian unstable/main amd64 linux-headers-6.1.0-2-amd64 amd64 6.1.7-1 [1,099 kB]
Fetched 10.8 MB in 0s (25.6 MB/s)  
Retrieving bug reports... Done
Parsing Found/Fixed information... Done
Selecting previously unselected package linux-headers-6.1.0-2-common.
(Reading database ... 328518 files and directories currently installed.)
Preparing to unpack .../linux-headers-6.1.0-2-common_6.1.7-1_all.deb ...
Unpacking linux-headers-6.1.0-2-common (6.1.7-1) ...
Selecting previously unselected package linux-headers-6.1.0-2-amd64.
Preparing to unpack .../linux-headers-6.1.0-2-amd64_6.1.7-1_amd64.deb ...
Unpacking linux-headers-6.1.0-2-amd64 (6.1.7-1) ...
Selecting previously unselected package linux-headers-amd64.
Preparing to unpack .../linux-headers-amd64_6.1.7-1_amd64.deb ...
Unpacking linux-headers-amd64 (6.1.7-1) ...
Setting up linux-headers-6.1.0-2-common (6.1.7-1) ...
Setting up linux-headers-6.1.0-2-amd64 (6.1.7-1) ...
Setting up linux-headers-amd64 (6.1.7-1) ...
17:20 ♒♒♒   ☺



rrs@chutzpah:/var/tmp$ sudo opensnoop-bpfcc 
  
PID    COMM               FD ERR PATH
1629   ksystemstats       22   0 /proc/diskstats
1629   KIO::WorkerThre    24   0 /proc/self/mountinfo
1629   KIO::WorkerThre    24   0 /dev/disk/by-label
1629   KIO::WorkerThre    22   0 /proc/self/mountinfo
1629   KIO::WorkerThre    22   0 /dev/disk/by-label
1629   KIO::WorkerThre    22   0 /proc/self/mountinfo

... snipped ...


On Wed, 2023-01-11 at 19:09 +0100, Jakub Wilk wrote:
> Package: bpfcc-tools
> Version: 0.25.0+ds-1
> Tags: security
> 
> If kernel headers are not installed in the usual place, the BPF tools
> try to look them up in /tmp/kheaders-$(uname -r)/, even when this 
> directory is owned by another user.
> 
> This can be exploited for denial of service, or likely something
> worse.
> 
> To reproduce, run this as a normal user:
> 
>     $ mkdir /tmp/kheaders-$(uname -r)/
>     $ mkdir -p /tmp/kheaders-$(uname -r)/include/linux/
>     $ echo "#error this header is malicious" > /tmp/kheaders-$(uname -r)/include/linux/kconfig.h
> 
> Then run this as root:
> 
>     # opensnoop-bpfcc
>     In file included from :1:
>     ././include/linux/kconfig.h:1:2: error: this header is malicious
>     #error this header is malicious
>      ^
>     In file included from :2:
>     /virtual/include/bcc/bpf.h:12:10: fatal error: 'linux/types.h' file not found
>     #include <linux/types.h>
>              ^~~
>     2 errors generated.
>     Traceback (most recent call last):
>       File "/usr/sbin/opensnoop-bpfcc", line 261, in <module>
>         b = BPF(text='')
>       File "/usr/lib/python3/dist-packages/bcc/__init__.py", line 476, in __init__
>         raise Exception("Failed to compile BPF module %s" % (src_file or ""))
>     Exception: Failed to compile BPF module
> 
> 
> -- System Information:
> Debian Release: bookworm/sid
>    APT prefers unstable
>    APT policy: (500, 'unstable')
> Architecture: amd64 (x86_64)
> 
> Kernel: Linux 6.1.0-1-amd64 (SMP w/1 CPU thread; PREEMPT)
> Locale: LANG=C.UTF-8, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8), LANGUAGE not set
> Shell: /bin/sh linked to /usr/bin/dash
> Init: systemd (via /run/systemd/sy

Bug#1028479: bpfcc-tools: insecure use of /tmp

2023-01-11 Thread Jakub Wilk

Package: bpfcc-tools
Version: 0.25.0+ds-1
Tags: security

If kernel headers are not installed in the usual place, the BPF tools 
try to look them up in /tmp/kheaders-$(uname -r)/, even when this 
directory is owned by another user.


This can be exploited for denial of service, or likely something worse.

To reproduce, run this as a normal user:

   $ mkdir /tmp/kheaders-$(uname -r)/
   $ mkdir -p /tmp/kheaders-$(uname -r)/include/linux/
   $ echo "#error this header is malicious" > /tmp/kheaders-$(uname -r)/include/linux/kconfig.h

Then run this as root:

   # opensnoop-bpfcc
   In file included from :1:
   ././include/linux/kconfig.h:1:2: error: this header is malicious
   #error this header is malicious
    ^
   In file included from :2:
   /virtual/include/bcc/bpf.h:12:10: fatal error: 'linux/types.h' file not found
   #include <linux/types.h>
            ^~~
   2 errors generated.
   Traceback (most recent call last):
     File "/usr/sbin/opensnoop-bpfcc", line 261, in <module>
       b = BPF(text='')
     File "/usr/lib/python3/dist-packages/bcc/__init__.py", line 476, in __init__
       raise Exception("Failed to compile BPF module %s" % (src_file or ""))
   Exception: Failed to compile BPF module


-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-1-amd64 (SMP w/1 CPU thread; PREEMPT)
Locale: LANG=C.UTF-8, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages bpfcc-tools depends on:
ii  python3          3.11.1-1
ii  python3-bpfcc    0.25.0+ds-1
ii  python3-netaddr  0.8.0-2

--
Jakub Wilk
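
The report above turns on a privileged tool trusting a predictable /tmp path regardless of who owns it. As an added example (not part of the thread, and not the fix that was uploaded or bcc's own code), here is one way a caller could vet such a directory before use; `vet_header_dir` and `trusted_uid` are hypothetical names, and the directories are constructed in a private temporary directory.

```python
import os
import stat
import tempfile

def vet_header_dir(path, trusted_uid=0):
    """Decide whether a candidate kernel-header directory may be trusted.

    Returns (ok, reason). trusted_uid is the only owner accepted (root by
    default); it is a parameter so the check can be exercised unprivileged.
    """
    try:
        # O_NOFOLLOW rejects a symlink planted at the final path component;
        # O_DIRECTORY rejects regular files, FIFOs and the like.
        fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    except OSError as exc:
        return False, "not an openable real directory: " + exc.strerror
    try:
        st = os.fstat(fd)  # inspect the opened object, not the name
    finally:
        os.close(fd)
    if st.st_uid != trusted_uid:
        return False, "owned by uid %d, expected %d" % (st.st_uid, trusted_uid)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False, "writable by group or others"
    return True, "ok"

def demo():
    """Run the check over constructed directories in a private temp dir."""
    me = os.getuid()
    results = {}
    with tempfile.TemporaryDirectory() as base:
        good = os.path.join(base, "kheaders-good")
        os.mkdir(good, 0o755)
        results["own_dir"] = vet_header_dir(good, trusted_uid=me)
        # Same directory, but the caller trusts a different owner: this is
        # the bug report's case (directory created by another user).
        results["foreign_owner"] = vet_header_dir(good, trusted_uid=me + 1)
        loose = os.path.join(base, "kheaders-loose")
        os.mkdir(loose)
        os.chmod(loose, 0o777)
        results["world_writable"] = vet_header_dir(loose, trusted_uid=me)
        link = os.path.join(base, "kheaders-link")
        os.symlink(good, link)
        results["symlink"] = vet_header_dir(link, trusted_uid=me)
        results["missing"] = vet_header_dir(os.path.join(base, "nope"), me)
    return results

if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(case, ok, reason)
```

The check covers only the top-level directory; a caller that needs stronger guarantees would keep the descriptor open and resolve header files relative to it rather than reopening the path by name.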