Control: tag -1 pending
Hello Jakub, Thank you for your bug report. I have prepared a fix and tested it locally. Will be uploading it soon today. rrs@chutzpah:/var/tmp$ cat /tmp/kheaders-6.1.0-2-amd64/include/linux/kconfig.h #error this header is malicious 17:19 ♒♒♒ ☹ => 1 rrs@chutzpah:/var/tmp$ sudo opensnoop-bpfcc modprobe: FATAL: Module kheaders not found in directory /lib/modules/6.1.0-2-amd64 Unable to find kernel headers. Try rebuilding kernel with CONFIG_IKHEADERS=m (module) or installing the kernel development package for your running kernel version. chdir(/lib/modules/6.1.0-2-amd64/build): No such file or directory Traceback (most recent call last): File "/usr/sbin/opensnoop-bpfcc", line 261, in <module> b = BPF(text='') ^^^^^^^^^^^^ File "/usr/lib/python3/dist-packages/bcc/__init__.py", line 476, in __init__ raise Exception("Failed to compile BPF module %s" % (src_file or "<text>")) Exception: Failed to compile BPF module <text> 17:19 ♒♒♒ ☹ => 1 rrs@chutzpah:/var/tmp$ sudo apt install linux-headers-amd64 Reading package lists... Done Building dependency tree... Done Reading state information... Done The following additional packages will be installed: linux-headers-6.1.0-2-amd64 linux-headers-6.1.0-2-common The following NEW packages will be installed: linux-headers-6.1.0-2-amd64 linux-headers-6.1.0-2-common linux-headers-amd64 0 upgraded, 3 newly installed, 0 to remove and 0 not upgraded. Need to get 10.8 MB/10.8 MB of archives. After this operation, 60.9 MB of additional disk space will be used. Do you want to continue? [Y/n] Get:1 http://deb.debian.org/debian unstable/main amd64 linux-headers-6.1.0-2-common all 6.1.7-1 [9,717 kB] Get:2 http://deb.debian.org/debian unstable/main amd64 linux-headers-6.1.0-2-amd64 amd64 6.1.7-1 [1,099 kB] Fetched 10.8 MB in 0s (25.6 MB/s) Retrieving bug reports... Done Parsing Found/Fixed information... Done Selecting previously unselected package linux-headers-6.1.0-2-common. (Reading database ... 328518 files and directories currently installed.) Preparing to unpack .../linux-headers-6.1.0-2-common_6.1.7-1_all.deb ... Unpacking linux-headers-6.1.0-2-common (6.1.7-1) ... Selecting previously unselected package linux-headers-6.1.0-2-amd64. Preparing to unpack .../linux-headers-6.1.0-2-amd64_6.1.7-1_amd64.deb ... Unpacking linux-headers-6.1.0-2-amd64 (6.1.7-1) ... Selecting previously unselected package linux-headers-amd64. Preparing to unpack .../linux-headers-amd64_6.1.7-1_amd64.deb ... Unpacking linux-headers-amd64 (6.1.7-1) ... Setting up linux-headers-6.1.0-2-common (6.1.7-1) ... Setting up linux-headers-6.1.0-2-amd64 (6.1.7-1) ... Setting up linux-headers-amd64 (6.1.7-1) ... 17:20 ♒♒♒ ☺ rrs@chutzpah:/var/tmp$ sudo opensnoop-bpfcc PID COMM FD ERR PATH 1629 ksystemstats 22 0 /proc/diskstats 1629 KIO::WorkerThre 24 0 /proc/self/mountinfo 1629 KIO::WorkerThre 24 0 /dev/disk/by-label 1629 KIO::WorkerThre 22 0 /proc/self/mountinfo 1629 KIO::WorkerThre 22 0 /dev/disk/by-label 1629 KIO::WorkerThre 22 0 /proc/self/mountinfo ... snipped ... On Wed, 2023-01-11 at 19:09 +0100, Jakub Wilk wrote: > Package: bpfcc-tools > Version: 0.25.0+ds-1 > Tags: security > > If kernel headers are not installed in the usual place, the BPF tools > try to look them up in /tmp/kheaders-$(uname -r)/, even when this > directory is owned by another user. > > This can be exploited for denial of service, or likely something > worse. > > To reproduce, run this as a normal user: > > $ mkdir /tmp/kheaders-$(uname -r)/ > $ mkdir -p /tmp/kheaders-$(uname -r)/include/linux/ > $ echo "#error this header is malicious" > /tmp/kheaders-$(uname > -r)/include/linux/kconfig.h > > Then run this as root: > > # opensnoop-bpfcc > In file included from <built-in>:1: > ././include/linux/kconfig.h:1:2: error: this header is malicious > #error this header is malicious > ^ > In file included from <built-in>:2: > /virtual/include/bcc/bpf.h:12:10: fatal error: 'linux/types.h' > file not found > #include <linux/types.h> > ^~~~~~~~~~~~~~~ > 2 errors generated. > Traceback (most recent call last): > File "/usr/sbin/opensnoop-bpfcc", line 261, in <module> > b = BPF(text='') > ^^^^^^^^^^^^ > File "/usr/lib/python3/dist-packages/bcc/__init__.py", line > 476, in __init__ > raise Exception("Failed to compile BPF module %s" % (src_file > or "<text>")) > Exception: Failed to compile BPF module <text> > > > -- System Information: > Debian Release: bookworm/sid > APT prefers unstable > APT policy: (500, 'unstable') > Architecture: amd64 (x86_64) > > Kernel: Linux 6.1.0-1-amd64 (SMP w/1 CPU thread; PREEMPT) > Locale: LANG=C.UTF-8, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8), LANGUAGE > not set > Shell: /bin/sh linked to /usr/bin/dash > Init: systemd (via /run/systemd/system) > LSM: AppArmor: enabled > > Versions of packages bpfcc-tools depends on: > ii python3 3.11.1-1 > ii python3-bpfcc 0.25.0+ds-1 > ii python3-netaddr 0.8.0-2 > -- Ritesh Raj Sarraf | http://people.debian.org/~rrs Debian - The Universal Operating System
signature.asc
Description: This is a digitally signed message part