I reviewed bpftrace 0.20.1 as checked into noble. This shouldn't be
considered a full audit but rather a quick gauge of maintainability.
> bpftrace is a high-level tracing language for Linux enhanced Berkeley
> Packet Filter (eBPF) available in recent Linux kernels (4.x). bpftrace
> uses LLVM as a backend to compile scripts to BPF-bytecode and makes use
> of BCC for interacting with the Linux BPF system, as well as existing
> Linux tracing capabilities: kernel dynamic tracing (kprobes), user-level
> dynamic tracing (uprobes), and tracepoints. The bpftrace language is
> inspired by awk and C, and predecessor tracers such as DTrace and
> SystemTap. bpftrace was created by Alastair Robertson.
- CVE History:
- none
- Build-Depends?
- nothing concerning
- except what MIR Team mentions (libcereal-dev)
- pre/post inst/rm scripts?
- none
- init scripts?
- none
- systemd units?
- none
- dbus services?
- none
- setuid binaries?
- none
- binaries in PATH?
- ./usr/bin/bpftrace
- ./usr/bin/bpftrace-aotrt
- ./usr/sbin/*.bt
- these are bpftrace tools/examples
- they are based on bcc code included in bpfcc-tools
- sudo fragments?
- none
- polkit files?
- none
- udev rules?
- none
- unit tests / autopkgtests?
- none !
- the ./usr/sbin/*.bt files would make excellent test cases though !
- cron jobs?
- none
- Build logs:
- warning building bpftrace(8) man page
- other binaries missing man pages
- -Wmaybe-uninitialized
- source: superfluous-file-pattern
- Processes spawned?
- can run modprobe kheaders
- exec rm -rf temp dir
- execve and exec_system expected for tracing
- ./src/bpftrace.cpp line 666 o.o
- Memory management?
- relatively light, mostly sprintf and memcpy
- see comments in bpftrace.cpp's perf_event_printer()
- memory use is carefully thought out
- File IO?
- opens /sys/kernel/kheaders.tar.xz (module must be loaded)
- files, descriptors, pipes, and pcap used for tracing
- Logging?
- extremely heavy use, as expected for tracing
- Environment variable usage?
- mostly BPFTRACE_ variables
- Use of privileged functions?
- ./src/attached_probe.cpp uses ioctl twice
- Use of cryptography / random number sources etc?
- none
- Use of temp files?
- yes, to load kheaders
- temp path is predictable, `// already unpacked`
- potentially, an unprivileged attacker could exploit this when a root user
runs bpftrace and loads Kernel Headers
- Resolved quickly by upstream! CVE-2024-2313
- Use of networking?
- moderate use
- potential danger for crafted input
- Use of WebKit?
- none
- Use of PolicyKit?
- none
- Any significant cppcheck results?
- none, besides tests and scripts
- Any significant Coverity results?
- appear to be false positives
- Any significant shellcheck results?
- none, besides tests, scripts, and CI
- Any significant bandit results?
- none
Running bpftrace without root privilege results in 'ERROR: bpftrace
currently only supports running as the root user.' :)
In most cases a bug in bpftrace will not cause a loss of security; root
already has complete control. Giving access to bpftrace to an
unprivileged user, telnet, etc would not be a vulnerability in bpftrace.
Running dangerous BPF code is not the fault of bpftrace. Attacks based
on parsing untrusted data, such as network traffic, are a threat. This
package is for performing inherently dangerous wizardry. This review
expects that developers will want to use these tools and that system
administrators will make wise choices.
Binaries from bpfcc-tools, libbpfcc, and bpftrace have redundant functions.
Please consider which binaries should be made default. In particular, most
bpftrace binaries are merely examples.
CONFIG_IKHEADERS=m is already available \o/
Recent breaking change to `args` in v19.0 (Noble has 20.1, Jammy has
14.0). https://github.com/bpftrace/bpftrace/pull/2578
In-code comments should be reviewed upstream: `// FIXME when iovisor/bcc#2064
is merged`
- https://github.com/bpftrace/bpftrace/issues/3061
Upstream was extraordinarily quick at addressing a potential security issue
which was reported to them \o/
- CVE-2024-2313
Security team ACK for promoting bpftrace to main.
** Changed in: bpftrace (Ubuntu)
Assignee: Ubuntu Security Team (ubuntu-security) => (unassigned)
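The "predictable temp path" finding in the review above (a privileged process reusing a directory under a guessable name, with the `// already unpacked` shortcut trusting whatever is already there) is a general class of bug, not specific to this package. The following is an added example written for this page, not bpftrace's own code and not its actual fix: it contrasts the unsafe "reuse if it exists" check with an atomically created private directory plus an ownership/symlink check. All paths, the version string and the function names are hypothetical, and the "attacker" is simulated in the same process by planting a symlink where a directory is expected.

```c
// Added example, not from bpftrace. Demonstrates the predictable-temp-path
// bug class and the hardened pattern. Names and paths are hypothetical.
#define _GNU_SOURCE
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

// Unsafe pattern: a fixed, guessable location and an "already unpacked"
// shortcut that trusts anything found there, even if another user planted it.
int unsafe_reuse_if_present(const char *path) {
    return access(path, F_OK) == 0;   // exists -> reuse, no ownership/type check
}

// Check that an existing directory can be trusted by a privileged process:
// a real directory (not a symlink), owned by the caller, not writable by others.
int dir_is_trusted(const char *path) {
    struct stat st;
    if (lstat(path, &st) != 0) return 0;             // lstat: do not follow symlinks
    if (!S_ISDIR(st.st_mode)) return 0;              // symlink/file planted by someone else
    if (st.st_uid != geteuid()) return 0;            // owned by another user
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return 0;  // others could swap its contents
    return 1;
}

// Safe pattern: a fresh, unpredictable, mode-0700 directory created atomically
// with mkdtemp(3), so a pre-existing attacker-controlled path is never reused.
// Returns 0 on success and writes the created path to out.
int make_private_dir(const char *parent, char *out, size_t n) {
    if (snprintf(out, n, "%s/kheaders-XXXXXX", parent) >= (int)n) return -1;
    if (mkdtemp(out) == NULL) return -1;
    return dir_is_trusted(out) ? 0 : -1;
}

// Walk through both patterns; returns 1 if the hardened checks behave as
// intended (private dir accepted, planted symlink rejected), 0 otherwise.
int demo(void) {
    char dir[PATH_MAX], planted[PATH_MAX];
    const char *parents[] = { getenv("TMPDIR"), "/tmp", "." };
    int made = -1;
    for (size_t i = 0; i < 3 && made != 0; i++)
        if (parents[i]) made = make_private_dir(parents[i], dir, sizeof dir);
    if (made != 0) return 0;

    int ok = dir_is_trusted(dir);

    // Simulated attacker: guesses the "predictable" name and plants a symlink
    // there before the privileged process runs. /etc stands in for any target.
    snprintf(planted, sizeof planted, "%s/kheaders-6.8.0-hypothetical", dir);
    if (symlink("/etc", planted) != 0) ok = 0;
    if (!unsafe_reuse_if_present(planted)) ok = 0;   // the unsafe check happily reuses it
    if (dir_is_trusted(planted)) ok = 0;             // the hardened check must reject it

    unlink(planted);
    rmdir(dir);
    return ok;
}

int main(void) {
    printf("hardened checks behaved correctly: %s\n", demo() ? "yes" : "no");
    return demo() ? 0 : 1;
}
```

The point of the `lstat`/ownership check is that a root process must treat any pre-existing path under a world-writable directory as hostile; `mkdtemp` avoids the question entirely by never reusing a name. Unpacking real kernel headers into the private directory and wiring it into a tool is left out here on purpose.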
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2052809
Title:
[MIR] bpftrace
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bpftrace/+bug/2052809/+subscriptions
--
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs