Fix security hole checking unpacked kernel headers #3033

jordalgo · 2024-03-06T15:24:51Z

Make sure to check that the unpacked kheaders tar
is owned by root to prevent bpftrace from loading
compromised linux headers.

Borrowed from @brendangregg here: iovisor/bcc#4928

Tested:

$ sudo chown 1000 /tmp/kheaders-6.7.4-200.fc39.aarch64
$ sudo ./src/bpftrace test-script.bt 
ERROR: header file ownership expected to be root: /tmp/kheaders-6.7.4-200.fc39.aarch64

Checklist

Language changes are updated in man/adoc/bpftrace.adoc
User-visible and non-trivial changes updated in CHANGELOG.md
The new behaviour is covered by tests

danobi · 2024-03-06T15:59:47Z

Possible to add a unit test for file_exists_and_ownedby_root()? Can easily create a non-root owned file. And could probably use /proc/1/.. for a root owned file?

jordalgo · 2024-03-06T17:25:40Z

Possible to add a unit test for file_exists_and_ownedby_root()? Can easily create a non-root owned file. And could probably use /proc/1/.. for a root owned file?

@danobi Good call. Added.

danobi · 2024-03-06T17:52:52Z

tests/utils.cpp

+  std::string tmpdir = "/tmp/bpftrace-test-utils-XXXXXX";
+  std::string file1 = "/ownedby-user";
+  std::string file2 = "/no-exists";
+  if (::mkdtemp(&tmpdir[0]) == nullptr) {


nit

Suggested change

if (::mkdtemp(&tmpdir[0]) == nullptr) {

if (::mkdtemp(tmpdir.data()) == nullptr) {

danobi · 2024-03-06T17:53:28Z

tests/utils.cpp

+  }
+
+  int fd;
+  fd = open((tmpdir + file1).c_str(), O_CREAT, S_IRUSR);


ASSERT_GE(fd, 0) ?

Make sure to check that the unpacked kheaders tar is owned by root to prevent bpftrace from loading compromised linux headers.

brendangregg · 2024-03-06T23:28:28Z

Thanks!

Make sure to check that the unpacked kheaders tar is owned by root to prevent bpftrace from loading compromised linux headers. Co-authored-by: Jordan Rome <jordalgo@fedoraproject.org>

jeromemarchand · 2024-05-06T16:25:40Z

I'm afraid this is not fixed yet. If a user build a valid kheaders tree in /tmp/kheaders-$(uname -r) bpftrace will show an error message, but but proceed to use use the possibly compromised headers none the less:

# /usr/share/bpftrace/tools/execsnoop.bt 
ERROR: header file ownership expected to be root: /tmp/kheaders-5.14.0-431.rh29064.el9.x86_64
Attaching 3 probes...
TIME            PID     PPID    ARGS
18:15:38.492036 3116    1934    ls --color=auto -l --color=auto

If the user has an empty keaders-$(uname -r) directory it seems that bpftrace will overwrite it, but not if it isn't empty.
I think the problem is we don't check whether moving tpmdir to shared_path succeeds at the end of unpack_kheaders_tar_xz():

  int rc = ::pclose(tar);
  if (rc == 0) {
    tmpdir.move_to(shared_path);
    return shared_path;
  }

Or maybe we should exit as soon as wrong ownership is detected.

jordalgo · 2024-05-06T19:10:56Z

@jeromemarchand Good catch! I think maybe there is confusion around rename as it seems to be implementation specific if the new file name exists. On my machine, it's doing what you observed in that it doesn't replace the compromised headers path and just re-uses. I'll add some deletion and extra checking (alternatively we can do what you said and just exit if the permissions are not root).

The potentially compromised temporary kheaders path was not being overwritten by `rename`. This meant that the compromised path was still being used and read from. Instead of continuing just abort and direct the user to delete this compromised path. Reported here: bpftrace#3033

jordalgo · 2024-05-06T19:47:24Z

Second attempt to fix here: #3154

The potentially compromised temporary kheaders path was not being overwritten by `rename`. This meant that the compromised path was still being used and read from. Instead of continuing just abort and direct the user to delete this compromised path. Reported here: bpftrace#3033

Looking in shared writeable locations for kernel headers is inherently risky even bpftrace does the unpacking. Remove this functionality and let the user specify the path to these headers if we can't find them in known locations. References: bpftrace#3033 bpftrace#3154

Looking in shared writeable locations for kernel headers is inherently risky even bpftrace does the unpacking. Remove this functionality and let the user specify the path to these headers if we can't find them in known locations. References: #3033 #3154 Co-authored-by: Jordan Rome <jordalgo@fedoraproject.org>

Looking in shared writeable locations for kernel headers is inherently risky even bpftrace does the unpacking. Remove this functionality and let the user specify the path to these headers if we can't find them in known locations. References: bpftrace#3033 bpftrace#3154 Co-authored-by: Jordan Rome <jordalgo@fedoraproject.org>

Looking in shared writeable locations for kernel headers is inherently risky even bpftrace does the unpacking. Remove this functionality and let the user specify the path to these headers if we can't find them in known locations. References: #3033 #3154 Co-authored-by: Jordan Rome <jordalgo@fedoraproject.org>

jordalgo requested review from ajor, viktormalik, danobi and fbs as code owners March 6, 2024 15:24

danobi approved these changes Mar 6, 2024

View reviewed changes

jordalgo force-pushed the security-header-fix branch from 46a0a2d to f7b26c5 Compare March 6, 2024 17:25

jordalgo force-pushed the security-header-fix branch from f7b26c5 to b4b2b61 Compare March 6, 2024 17:32

danobi reviewed Mar 6, 2024

View reviewed changes

Fix security hole checking unpacked kernel headers

7b6f3f6

Make sure to check that the unpacked kheaders tar is owned by root to prevent bpftrace from loading compromised linux headers.

jordalgo force-pushed the security-header-fix branch from b4b2b61 to 7b6f3f6 Compare March 6, 2024 18:11

danobi approved these changes Mar 6, 2024

View reviewed changes

jordalgo merged commit 4be4b71 into bpftrace:master Mar 6, 2024
19 checks passed

danobi mentioned this pull request Mar 7, 2024

Fix security hole checking unpacked kernel headers (#3033) #3037

Merged

3 tasks

jordalgo mentioned this pull request May 6, 2024

Fix bug in not overwriting compromised path #3154

Closed

3 tasks

jordalgo mentioned this pull request May 7, 2024

Don't unpack kernel headers or look in tmp #3156

Merged

3 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix security hole checking unpacked kernel headers #3033

Fix security hole checking unpacked kernel headers #3033

jordalgo commented Mar 6, 2024

danobi commented Mar 6, 2024

jordalgo commented Mar 6, 2024

danobi Mar 6, 2024

danobi Mar 6, 2024

brendangregg commented Mar 6, 2024

jeromemarchand commented May 6, 2024

jordalgo commented May 6, 2024

jordalgo commented May 6, 2024

	if (::mkdtemp(&tmpdir[0]) == nullptr) {
	if (::mkdtemp(tmpdir.data()) == nullptr) {

Fix security hole checking unpacked kernel headers #3033

Fix security hole checking unpacked kernel headers #3033

Conversation

jordalgo commented Mar 6, 2024

Checklist

danobi commented Mar 6, 2024

jordalgo commented Mar 6, 2024

danobi Mar 6, 2024

Choose a reason for hiding this comment

danobi Mar 6, 2024

Choose a reason for hiding this comment

brendangregg commented Mar 6, 2024

jeromemarchand commented May 6, 2024

jordalgo commented May 6, 2024

jordalgo commented May 6, 2024