-
-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix security hole checking unpacked kernel headers #3033
Conversation
Possible to add a unit test for file_exists_and_ownedby_root()? Can easily create a non-root owned file. And could probably use |
46a0a2d
to
f7b26c5
Compare
@danobi Good call. Added. |
f7b26c5
to
b4b2b61
Compare
tests/utils.cpp
Outdated
std::string tmpdir = "/tmp/bpftrace-test-utils-XXXXXX"; | ||
std::string file1 = "/ownedby-user"; | ||
std::string file2 = "/no-exists"; | ||
if (::mkdtemp(&tmpdir[0]) == nullptr) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit
if (::mkdtemp(&tmpdir[0]) == nullptr) { | |
if (::mkdtemp(tmpdir.data()) == nullptr) { |
} | ||
|
||
int fd; | ||
fd = open((tmpdir + file1).c_str(), O_CREAT, S_IRUSR); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ASSERT_GE(fd, 0) ?
Make sure to check that the unpacked kheaders tar is owned by root to prevent bpftrace from loading compromised linux headers.
b4b2b61
to
7b6f3f6
Compare
Thanks! |
Make sure to check that the unpacked kheaders tar is owned by root to prevent bpftrace from loading compromised linux headers. Co-authored-by: Jordan Rome <jordalgo@fedoraproject.org>
Make sure to check that the unpacked kheaders tar is owned by root to prevent bpftrace from loading compromised linux headers. Co-authored-by: Jordan Rome <jordalgo@fedoraproject.org>
I'm afraid this is not fixed yet. If a user build a valid kheaders tree in /tmp/kheaders-$(uname -r) bpftrace will show an error message, but but proceed to use use the possibly compromised headers none the less:
If the user has an empty keaders-$(uname -r) directory it seems that bpftrace will overwrite it, but not if it isn't empty.
Or maybe we should exit as soon as wrong ownership is detected. |
@jeromemarchand Good catch! I think maybe there is confusion around |
The potentially compromised temporary kheaders path was not being overwritten by `rename`. This meant that the compromised path was still being used and read from. Instead of continuing just abort and direct the user to delete this compromised path. Reported here: bpftrace#3033
Second attempt to fix here: #3154 |
The potentially compromised temporary kheaders path was not being overwritten by `rename`. This meant that the compromised path was still being used and read from. Instead of continuing just abort and direct the user to delete this compromised path. Reported here: bpftrace#3033
Looking in shared writeable locations for kernel headers is inherently risky even bpftrace does the unpacking. Remove this functionality and let the user specify the path to these headers if we can't find them in known locations. References: bpftrace#3033 bpftrace#3154
Looking in shared writeable locations for kernel headers is inherently risky even bpftrace does the unpacking. Remove this functionality and let the user specify the path to these headers if we can't find them in known locations. References: bpftrace#3033 bpftrace#3154
Looking in shared writeable locations for kernel headers is inherently risky even bpftrace does the unpacking. Remove this functionality and let the user specify the path to these headers if we can't find them in known locations. References: bpftrace#3033 bpftrace#3154
Looking in shared writeable locations for kernel headers is inherently risky even bpftrace does the unpacking. Remove this functionality and let the user specify the path to these headers if we can't find them in known locations. References: bpftrace#3033 bpftrace#3154
Looking in shared writeable locations for kernel headers is inherently risky even bpftrace does the unpacking. Remove this functionality and let the user specify the path to these headers if we can't find them in known locations. References: #3033 #3154 Co-authored-by: Jordan Rome <jordalgo@fedoraproject.org>
Looking in shared writeable locations for kernel headers is inherently risky even bpftrace does the unpacking. Remove this functionality and let the user specify the path to these headers if we can't find them in known locations. References: bpftrace#3033 bpftrace#3154 Co-authored-by: Jordan Rome <jordalgo@fedoraproject.org>
Looking in shared writeable locations for kernel headers is inherently risky even bpftrace does the unpacking. Remove this functionality and let the user specify the path to these headers if we can't find them in known locations. References: #3033 #3154 Co-authored-by: Jordan Rome <jordalgo@fedoraproject.org>
Make sure to check that the unpacked kheaders tar
is owned by root to prevent bpftrace from loading
compromised linux headers.
Borrowed from @brendangregg here: iovisor/bcc#4928
Tested:
Checklist
man/adoc/bpftrace.adoc
CHANGELOG.md