How we found and fixed an eBPF Linux kernel vulnerability (opens in new tab)

(bughunters.google.com)

268 pointsxxmarkuski1y ago65 comments

65 comments

29 comments · 5 top-level

tptacek1y ago· 7 in thread

A reminder that on the platforms eBPF is most commonly used, verifier bugs don't matter much, because unprivileged code isn't allowed to load eBPF programs to begin with. Bugs like this are thus root -> ring0 vulnerabilities. That's not nothing, but for serverside work it's usually worth the tradeoff, especially because eBPF's track record for kernel LPEs is actually pretty strong compared to the kernel as a whole.

In the setting eBPF is used today, most of the value of the verifier is that it's hard to accidentally crash your kernel with a bad eBPF program. That is comically untrue about an ordinary LKM.

chc41y ago

The PoC uses eBPF maps as their out-of-bounds pointer, but it sounds like it would also be exploitable via non-extended BPF programs loadable via seccomp since it's just improper scalar value range tracking, which doesn't require any privileges on most platforms.

And, of course, root -> ring0 is less of a problem with unprivileged user namespaces where you can make yourself "root", as we've seen in every eBPF bug PoC since distros started turning that on (and have since turned it off again, mostly)

tptacek1y ago

I just want to say that this is a hell of a nerd snipe.

1 more reply

dumpling7771y ago

Let's not forget also that we can give CAP_BPF to containers. With things like Cilium on the rise, the attack vector of landing in container environment that has cap_bpf is more and more realistic

tptacek1y ago

I don't believe shared-kernel container systems are real security boundaries to begin with, so, to me, a container running with CAP_BPF isn't much different than any other program a machine owner might opt to run; the point is that you trust the workload, and so the verifier is more of a safety net than a vault door.

1 more reply

10000truths1y ago

Verifier bugs matter because resolving them is a prerequisite for secure unprivileged use of eBPF.

mort961y ago

Verifier bugs matter for the kernel, which wants eBPF to be secure even for unprivileged accounts.

Verifier bugs don't matter that much, for most Linux users, right now, because unprivileged accounts can't use eBPF.

tptacek1y ago

Put it this way: verifier bugs matter, but people probably don't do unscheduled fleetwide updates to fix them.

katzinsky1y ago· 7 in thread

The one time I tried to use eBPF it wasn't expressive enough for what I needed.

Does the limited flexibility it provides really justify the added kernel space complexity? I can understand it for packet filtering but some of the other stuff it's used for like sandboxing just isn't convincing.

knorker1y ago

There are other technologies for this, such as DTrace. The kernel's choice isn't eBPF or nothing, it's eBPF or something else like it.

You may not use it much, but some people use it all day. I think FAANG engineers have said that they run tens (hundreds?) of these things on all servers, all the time. And that's excluding one-offs. And FAANG has full time kernel coders on staff, so they're also funding this complexity that they use.

But also yes, I've solved problems by using eBPF. Problems that are basically unsolvable by non-kernel-gurus without eBPF. I rarely need it. But when I need it, there's nothing else that does the trick.

In some cases, even for kernel gurus, it's a choice between eBPF or maintaining a custom kernel patch forever.

znpy1y ago

> There are other technologies for this, such as DTrace. The kernel's choice isn't eBPF or nothing, it's eBPF or something else like it.

To add on this point: I successfully used SystemTap a few years ago to debug an issue i was having.

Before going further: keep in mind that my point of view (at the time) was the one of somebody working as a devops engineer, debugging some annoyances with containers (managed by Kubernetes) going OOM. I'm no kernel developer and I have a basic-good understanding of the C language based on first-years university course and geekyness/nerdyness. So in this context I'm a glorified hobbyist.

Learning SystemTap is easier in my opinion. I followed a tutorial by RedHat to get the hang of the manual parts but after that I remember being fairly easy:

1. Try to reproduce the issue you're having (fairly easy for me)

2. Skim the source code of the linux about the part that you think might be relevant (for me it was the oom killer)

3. Add probes in there, see if they fire when you reproduce the issue

4. Look back at the source code of the kernel and see what chain of data structures and fields you can follow to reach the piece of information you need

5. Improve your probes

6. If successful, you're done

7. Goto 4

I think it took like one or two days between following the tutorial and getting a working probe.

It was a pleasant couple of days.

fch421y ago

DTrace and eBPF are "not so different" in the sense that dtrace programs / hooks are also a form of low-level code / instruction set that the kernel (dtrace driver) validates at load. It's an "internal" artifact of dtrace though, https://github.com/illumos/illumos-gate/blob/master/usr/src/... and to my knowledge, nothing like a clang/gcc "dtrace target" exists to translate more-or-less arbitrary higher-level language "to low-level dtrace".

The additional flexibility eBPF gets from this is amazing really. While dtrace is a more-targeted (and for its intended usecases, in some situations still superior to eBPF) but also less-general tool.

(citrus vs. stone fruit ...)

1 more reply

lynxmachine1y ago

> I've solved problems by using eBPF. Problems that are basically unsolvable by non-kernel-gurus without eBPF. I rarely need it.

Would you mind giving some examples? I recently started learning about ebpf's from Liz Rice's book and is curious about what makes ebpf the correct choice in a particular scenario.

katzinsky1y ago

I'm not sure "Google engineers use it" is a very good counter argument. They have a very high tolerance for complexity and like most large corporations what actually gets built and used tends to be driven more by internal politics than technical merit.

2 more replies

ssahoo1y ago

Wouldn't even the classic loadable kernel mode driver be a better choice than a patch and eBpf? I know they are unsafe but people who deal with it, know the power comes with responsibility.

tptacek1y ago

No? SREs roll eBPF programs on the fly just in the process of debugging problems; if you tried to do that with an LKM, you'd almost certainly blow up your system. People who write Linux kernel code routinely crash their systems in the process of development.

TacticalCoder1y ago· 5 in thread

> “Uno no es ninguno” (One is none)

Literally "One not is none", aka "One is not none".

jolmg1y ago

In Spanish, it's common for double negatives to not actually be double negatives. For example, if you wanted to say "there's nothing here", you'd say "no hay nada aquí", which word-for-word means "there's not nothing here".

Checking out the Royal Spanish Academy, here's what they say about it:

https://www.rae.es/espanol-al-dia/doble-negacion-no-vino-nad...

> The so-called "double negation" is due to the obligatory negative agreement that must be established in Spanish, and other Romance languages, in certain circumstances (see New Grammar, § 48.3d), which results in the joint presence in the statement of the adverb no and other elements that also have a negative meaning.

> The concurrence of these two "negations" does not annul the negative meaning of the statement.

cassepipe1y ago

It's true but I don't think this would apply for such a simple statement as in this case else how would you say "One is not none" in spanish ?

2 more replies

b0afc375b51y ago

I guess this is similar to english: "I ain't no snitch", which is a double negative but is equivalent to its single negative counterpart.

mejutoco1y ago

Same in French: "Je ne sais pas" means I do not know, not I do not not know (aka I know).

In any case, the meaning of the sentence above: "uno no es ninguno" in Spanish is clearly one is not zero, or one is not none, or one is different than none.

"Uno no es nada" could be "one is nothing", and "one is not nothing". It all depends on the frame of reference (in this case English), but for this sentence, the "one is not none" is correct IMO. I would never even do a second pass on that sentence, as a native Spanish speaker (appeal to authority, I know)

stirfish1y ago

I like to think of it as additive negatives, as opposed to multiplicative negatives.

mrbluecoat1y ago· 3 in thread

> “Uno no es ninguno” (One is none)

I believe that translates to "One is not none"

https://bughunters.google.com/blog/6303226026131456/a-deep-d...

kmarc1y ago

It doesn't; It translates to "One is none" This is the infamous double negation many foreign speakers (including me) struggles with.

https://spanish.stackexchange.com/questions/26777/how-does-d...

DanielVZ1y ago

Thats the direct translation but for some reason in spanish our double negations are usually just negations.

samatman1y ago

Perhaps we should translate this as "one ain't nothin'".

techwiz1371y ago· 2 in thread

In my country we have a saying. "Porcupine in the pants". Sounds like for all the good it can do, it isn't written safely and carefully.

deskr1y ago

With experience you'll realise that despite things being done safely and carefully, mistakes can and do pop up.

bugtodiffer1y ago

True. There are some nasty bugs in some very well written code.

j / k navigate · click thread line to collapse

65 comments

29 comments · 5 top-level

tptacek1y ago· 7 in thread

In the setting eBPF is used today, most of the value of the verifier is that it's hard to accidentally crash your kernel with a bad eBPF program. That is comically untrue about an ordinary LKM.

chc41y ago

tptacek1y ago

I just want to say that this is a hell of a nerd snipe.

1 more reply

dumpling7771y ago

Let's not forget also that we can give CAP_BPF to containers. With things like Cilium on the rise, the attack vector of landing in container environment that has cap_bpf is more and more realistic

tptacek1y ago

1 more reply

10000truths1y ago

Verifier bugs matter because resolving them is a prerequisite for secure unprivileged use of eBPF.

mort961y ago

Verifier bugs matter for the kernel, which wants eBPF to be secure even for unprivileged accounts.

Verifier bugs don't matter that much, for most Linux users, right now, because unprivileged accounts can't use eBPF.

tptacek1y ago

Put it this way: verifier bugs matter, but people probably don't do unscheduled fleetwide updates to fix them.

katzinsky1y ago· 7 in thread

The one time I tried to use eBPF it wasn't expressive enough for what I needed.

knorker1y ago

There are other technologies for this, such as DTrace. The kernel's choice isn't eBPF or nothing, it's eBPF or something else like it.

In some cases, even for kernel gurus, it's a choice between eBPF or maintaining a custom kernel patch forever.

znpy1y ago

> There are other technologies for this, such as DTrace. The kernel's choice isn't eBPF or nothing, it's eBPF or something else like it.

To add on this point: I successfully used SystemTap a few years ago to debug an issue i was having.

Learning SystemTap is easier in my opinion. I followed a tutorial by RedHat to get the hang of the manual parts but after that I remember being fairly easy:

1. Try to reproduce the issue you're having (fairly easy for me)

2. Skim the source code of the linux about the part that you think might be relevant (for me it was the oom killer)

3. Add probes in there, see if they fire when you reproduce the issue

4. Look back at the source code of the kernel and see what chain of data structures and fields you can follow to reach the piece of information you need

5. Improve your probes

6. If successful, you're done

7. Goto 4

I think it took like one or two days between following the tutorial and getting a working probe.

It was a pleasant couple of days.

fch421y ago

(citrus vs. stone fruit ...)

1 more reply

lynxmachine1y ago

> I've solved problems by using eBPF. Problems that are basically unsolvable by non-kernel-gurus without eBPF. I rarely need it.

Would you mind giving some examples? I recently started learning about ebpf's from Liz Rice's book and is curious about what makes ebpf the correct choice in a particular scenario.

katzinsky1y ago

2 more replies

ssahoo1y ago

Wouldn't even the classic loadable kernel mode driver be a better choice than a patch and eBpf? I know they are unsafe but people who deal with it, know the power comes with responsibility.

tptacek1y ago

TacticalCoder1y ago· 5 in thread

> “Uno no es ninguno” (One is none)

Literally "One not is none", aka "One is not none".

jolmg1y ago

Checking out the Royal Spanish Academy, here's what they say about it:

https://www.rae.es/espanol-al-dia/doble-negacion-no-vino-nad...

> The concurrence of these two "negations" does not annul the negative meaning of the statement.

cassepipe1y ago

It's true but I don't think this would apply for such a simple statement as in this case else how would you say "One is not none" in spanish ?

2 more replies

b0afc375b51y ago

I guess this is similar to english: "I ain't no snitch", which is a double negative but is equivalent to its single negative counterpart.

mejutoco1y ago

Same in French: "Je ne sais pas" means I do not know, not I do not not know (aka I know).

In any case, the meaning of the sentence above: "uno no es ninguno" in Spanish is clearly one is not zero, or one is not none, or one is different than none.

stirfish1y ago

I like to think of it as additive negatives, as opposed to multiplicative negatives.

mrbluecoat1y ago· 3 in thread

> “Uno no es ninguno” (One is none)

I believe that translates to "One is not none"

https://bughunters.google.com/blog/6303226026131456/a-deep-d...

kmarc1y ago

It doesn't; It translates to "One is none" This is the infamous double negation many foreign speakers (including me) struggles with.

https://spanish.stackexchange.com/questions/26777/how-does-d...

DanielVZ1y ago

Thats the direct translation but for some reason in spanish our double negations are usually just negations.

samatman1y ago

Perhaps we should translate this as "one ain't nothin'".

techwiz1371y ago· 2 in thread

In my country we have a saying. "Porcupine in the pants". Sounds like for all the good it can do, it isn't written safely and carefully.

deskr1y ago

With experience you'll realise that despite things being done safely and carefully, mistakes can and do pop up.

bugtodiffer1y ago

True. There are some nasty bugs in some very well written code.

j / k navigate · click thread line to collapse