
Bug#1028479: bpfcc-tools: insecure use of /tmp


Jakub Wilk

Jan 11, 2023, 1:20:03 PM
Package: bpfcc-tools
Version: 0.25.0+ds-1
Tags: security

If kernel headers are not installed in the usual place, the BPF tools
try to look them up in /tmp/kheaders-$(uname -r)/, even when this
directory is owned by another user.

This can be exploited for denial of service, or likely something worse.

To reproduce, run this as a normal user:

$ mkdir /tmp/kheaders-$(uname -r)/
$ mkdir -p /tmp/kheaders-$(uname -r)/include/linux/
$ echo "#error this header is malicious" > /tmp/kheaders-$(uname -r)/include/linux/kconfig.h

Then run this as root:

# opensnoop-bpfcc
In file included from <built-in>:1:
././include/linux/kconfig.h:1:2: error: this header is malicious
#error this header is malicious
^
In file included from <built-in>:2:
/virtual/include/bcc/bpf.h:12:10: fatal error: 'linux/types.h' file not found
#include <linux/types.h>
^~~~~~~~~~~~~~~
2 errors generated.
Traceback (most recent call last):
File "/usr/sbin/opensnoop-bpfcc", line 261, in <module>
b = BPF(text='')
^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/bcc/__init__.py", line 476, in __init__
raise Exception("Failed to compile BPF module %s" % (src_file or "<text>"))
Exception: Failed to compile BPF module <text>


-- System Information:
Debian Release: bookworm/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-1-amd64 (SMP w/1 CPU thread; PREEMPT)
Locale: LANG=C.UTF-8, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages bpfcc-tools depends on:
ii python3 3.11.1-1
ii python3-bpfcc 0.25.0+ds-1
ii python3-netaddr 0.8.0-2

--
Jakub Wilk
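
The report above turns on a header directory under /tmp being used without checking who owns it. As an added example (not bcc's code and not the Debian fix), the following shows one way to vet such a directory before trusting it; `check_header_dir` and `demo` are hypothetical names, the directories are constructed, and the current effective uid stands in for root so the demo runs unprivileged.

```python
import os
import stat
import tempfile


def check_header_dir(path, trusted_uid=0):
    """Hypothetical helper (not part of bcc). Returns (ok, reason)."""
    # O_NOFOLLOW refuses a symlink planted at `path`; fstat() on the open
    # descriptor inspects the object that was opened, not a later swap.
    flags = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW
    try:
        fd = os.open(path, flags)
    except FileNotFoundError:
        return False, "missing"
    except OSError:
        return False, "cannot open as a directory"
    try:
        st = os.fstat(fd)
    finally:
        os.close(fd)
    if st.st_uid != trusted_uid:
        return False, "wrong owner"
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False, "writable by group or others"
    return True, "ok"


def demo():
    """Run the check over constructed directories; returns {case: reason}."""
    me = os.geteuid()  # assumption: stands in for root in this demo
    results = {}
    with tempfile.TemporaryDirectory() as base:
        good = os.path.join(base, "kheaders-constructed")
        os.mkdir(good)
        os.chmod(good, 0o755)
        results["own dir, 0755"] = check_header_dir(good, me)[1]
        # Same directory, but the caller expects a different owner: the
        # situation in the report (directory created by another user).
        results["foreign owner"] = check_header_dir(good, me + 1)[1]
        os.chmod(good, 0o777)
        results["own dir, 0777"] = check_header_dir(good, me)[1]
        link = os.path.join(base, "kheaders-link")
        os.symlink(good, link)
        results["symlink"] = check_header_dir(link, me)[1]
        results["absent"] = check_header_dir(os.path.join(base, "nope"), me)[1]
    return results


if __name__ == "__main__":
    for case, reason in demo().items():
        print(f"{case:15} -> {reason}")
```
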

Ritesh Raj Sarraf

Jan 23, 2023, 7:10:05 AM
Control: tag -1 pending


Hello Jakub,

Thank you for your bug report. I have prepared a fix and tested it
locally. Will be uploading it soon today.


rrs@chutzpah:/var/tmp$ cat /tmp/kheaders-6.1.0-2-amd64/include/linux/kconfig.h
#error this header is malicious
17:19 ♒♒♒ ☹ => 1


rrs@chutzpah:/var/tmp$ sudo opensnoop-bpfcc
modprobe: FATAL: Module kheaders not found in directory /lib/modules/6.1.0-2-amd64
Unable to find kernel headers. Try rebuilding kernel with CONFIG_IKHEADERS=m (module) or installing the kernel development package for your running kernel version.
chdir(/lib/modules/6.1.0-2-amd64/build): No such file or directory
Traceback (most recent call last):
File "/usr/sbin/opensnoop-bpfcc", line 261, in <module>
b = BPF(text='')
^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/bcc/__init__.py", line 476, in __init__
raise Exception("Failed to compile BPF module %s" % (src_file or "<text>"))
Exception: Failed to compile BPF module <text>
17:19 ♒♒♒ ☹ => 1

rrs@chutzpah:/var/tmp$ sudo apt install linux-headers-amd64
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
linux-headers-6.1.0-2-amd64 linux-headers-6.1.0-2-common
The following NEW packages will be installed:
linux-headers-6.1.0-2-amd64 linux-headers-6.1.0-2-common linux-headers-amd64
0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded.
Need to get 10.8 MB/10.8 MB of archives.
After this operation, 60.9 MB of additional disk space will be used.
Do you want to continue? [Y/n]
Get:1 http://deb.debian.org/debian unstable/main amd64 linux-headers-6.1.0-2-common all 6.1.7-1 [9,717 kB]
Get:2 http://deb.debian.org/debian unstable/main amd64 linux-headers-6.1.0-2-amd64 amd64 6.1.7-1 [1,099 kB]
Fetched 10.8 MB in 0s (25.6 MB/s)
Retrieving bug reports... Done
Parsing Found/Fixed information... Done
Selecting previously unselected package linux-headers-6.1.0-2-common.
(Reading database ... 328518 files and directories currently installed.)
Preparing to unpack .../linux-headers-6.1.0-2-common_6.1.7-1_all.deb ...
Unpacking linux-headers-6.1.0-2-common (6.1.7-1) ...
Selecting previously unselected package linux-headers-6.1.0-2-amd64.
Preparing to unpack .../linux-headers-6.1.0-2-amd64_6.1.7-1_amd64.deb ...
Unpacking linux-headers-6.1.0-2-amd64 (6.1.7-1) ...
Selecting previously unselected package linux-headers-amd64.
Preparing to unpack .../linux-headers-amd64_6.1.7-1_amd64.deb ...
Unpacking linux-headers-amd64 (6.1.7-1) ...
Setting up linux-headers-6.1.0-2-common (6.1.7-1) ...
Setting up linux-headers-6.1.0-2-amd64 (6.1.7-1) ...
Setting up linux-headers-amd64 (6.1.7-1) ...
17:20 ♒♒♒ ☺



rrs@chutzpah:/var/tmp$ sudo opensnoop-bpfcc
PID COMM FD ERR PATH
1629 ksystemstats 22 0 /proc/diskstats
1629 KIO::WorkerThre 24 0 /proc/self/mountinfo
1629 KIO::WorkerThre 24 0 /dev/disk/by-label
1629 KIO::WorkerThre 22 0 /proc/self/mountinfo
1629 KIO::WorkerThre 22 0 /dev/disk/by-label
1629 KIO::WorkerThre 22 0 /proc/self/mountinfo

... snipped ...
Ritesh Raj Sarraf | http://people.debian.org/~rrs
Debian - The Universal Operating System