Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

An Incorrect Calculation Bug in the Linux Kernel eBPF Verifier - 371

Lucas Leong - ZDI, posted 5 years ago
  • Extended Berkeley Packet Filter (eBPF) lets user-supplied programs run inside the Linux kernel for packet filtering and other tasks. Because this is user-defined code executing in the kernel, gated only by static analysis (the verifier), it is a high-value target for attackers.
  • The verifier makes two passes over a program: one to reject loops and unreachable instructions, and one that simulates execution to check for memory violations. That second, memory-checking pass is where attackers go looking for weaknesses.
  • While validating BPF_RSH (unsigned right shift), the verifier updates the tracked minimum and maximum values of dst_reg. That update is flawed: the wrong value is used when shifting the max/min bounds, so the tracked range no longer contains every value the register can actually hold at run time, and the bounds checks that rely on it can be bypassed.
  • Triggering the bug is another matter. The post notes that using one of the flags needed to reach it requires an administrative user.
  • Once the bounds tracking has been fooled, the eBPF program has an arbitrary read/write primitive; from there, further escalation to take over the kernel is likely possible.
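To make the "wrong value in the max/min shift" point concrete, here is a toy model of how a verifier tracks an unsigned range through a right shift and why an unsound update defeats a later bounds check. This is an added example written for this page; it is not code from the ZDI post or from the kernel, and struct urange, rsh_bounds_sound, rsh_bounds_wrong, bounds_are_sound and index_passes_check are names invented for the illustration. rsh_bounds_sound is the pairing a sound tracker needs (smallest value shifted the most for the new minimum, largest value shifted the least for the new maximum). rsh_bounds_wrong is a constructed example of the class of mistake the post describes, not a claim about the exact defect in the kernel's code.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* A register's tracked unsigned value range, loosely modelled on the
 * verifier's umin_value/umax_value pair. Toy model, not the kernel struct. */
struct urange {
    uint64_t umin;
    uint64_t umax;
};

/* Sound bounds for dst >> shift, for any dst in [dst.umin, dst.umax] and
 * any shift in [sh.umin, sh.umax]. The smallest result is the smallest
 * value shifted the most; the largest is the largest value shifted the
 * least. A shift of 64 or more is undefined in C, so the tracker gives
 * up and returns the full range, as a sound tracker must. */
struct urange rsh_bounds_sound(struct urange dst, struct urange sh)
{
    struct urange out;
    if (sh.umax >= 64) {
        out.umin = 0;
        out.umax = UINT64_MAX;
        return out;
    }
    out.umin = dst.umin >> sh.umax;
    out.umax = dst.umax >> sh.umin;
    return out;
}

/* Constructed illustration of the class of mistake: the new upper bound
 * is derived from the wrong end of the shift range. Not the kernel's code;
 * it exists only so the oracle below can show what goes wrong. */
struct urange rsh_bounds_wrong(struct urange dst, struct urange sh)
{
    struct urange out;
    if (sh.umax >= 64) {
        out.umin = 0;
        out.umax = UINT64_MAX;
        return out;
    }
    out.umin = dst.umin >> sh.umax;
    out.umax = dst.umax >> sh.umax;   /* should be sh.umin */
    return out;
}

typedef struct urange (*bounds_fn)(struct urange, struct urange);

/* Brute-force soundness oracle: every concrete (value, shift) pair must
 * land inside the bounds the tracker claims. On failure the first
 * offending concrete result is stored in *witness (if non-null).
 * Only meant for small ranges; shifts must be below 64. */
bool bounds_are_sound(bounds_fn fn, struct urange dst, struct urange sh,
                      uint64_t *witness)
{
    struct urange claimed = fn(dst, sh);
    for (uint64_t v = dst.umin; ; v++) {
        for (uint64_t s = sh.umin; ; s++) {
            uint64_t actual = v >> s;
            if (actual < claimed.umin || actual > claimed.umax) {
                if (witness)
                    *witness = actual;
                return false;
            }
            if (s == sh.umax)
                break;
        }
        if (v == dst.umax)
            break;
    }
    return true;
}

/* Models a later memory-bounds check: the access is accepted purely on
 * the tracked upper bound, whatever the program computes at run time. */
bool index_passes_check(struct urange claimed, uint64_t buf_len)
{
    return claimed.umax < buf_len;
}

int main(void)
{
    /* Constructed input: a register known to hold 0..255, shifted right
     * by an amount known to be 1..4, then used to index a 16-byte buffer. */
    struct urange dst = { .umin = 0, .umax = 255 };
    struct urange sh  = { .umin = 1, .umax = 4 };
    uint64_t witness = 0;

    printf("sound tracker is sound: %d\n",
           bounds_are_sound(rsh_bounds_sound, dst, sh, &witness));
    printf("wrong tracker is sound: %d (first bad value %llu)\n",
           bounds_are_sound(rsh_bounds_wrong, dst, sh, &witness),
           (unsigned long long)witness);
    /* The wrong tracker claims umax = 255 >> 4 = 15 and lets the access
     * through; at run time 255 >> 1 = 127 is well past the buffer. */
    printf("wrong tracker accepts index into 16-byte buffer: %d\n",
           index_passes_check(rsh_bounds_wrong(dst, sh), 16));
    printf("sound tracker accepts it: %d\n",
           index_passes_check(rsh_bounds_sound(dst, sh), 16));
    return 0;
}
```

The oracle is the practical takeaway: when auditing range-tracking code, a brute-force check over small ranges catches a swapped bound immediately, whereas reading the arithmetic by eye is exactly how such mistakes survive review.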