Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

An Incorrect Bounds Calculation in the Linux Kernel eBPF Verifier - 513

Lucas Leong - ZDI (posted 4 years ago)
  • The extended Berkeley Packet Filter (eBPF) is a revolutionary technology that runs sandboxed programs inside the Linux kernel without changing kernel source code or loading a kernel module. Because eBPF programs run in kernel context, a vulnerability in the verifier that admits them can lead to kernel code execution.
  • The eBPF verifier added new functionality for 32-bit bound tracking, applied to all of the registers it tracks and verifies. However, there is a bug in the tracking: the function uses the known bounds on a 64-bit register to infer bounds for the register's lower 32 bits.
  • The bounds check is incomplete, so the derived unsigned bounds can be wrong: instead of verifying that BOTH the maximum and the minimum fit within 32 bits before setting the 32-bit values, it checks each one on its own.
  • "For example, consider what happens if a register has umin_value = 1 and umax_value = 1<<32. At (2), the verifier will set u32_min_value to 1. At runtime, the register's actual value can be 1<<32, making the lower 32 bits equal to 0. This violates the correctness of the register's bounds, which indicate that the minimum value of the lower 32 bits is 1."
  • Using a bug in the eBPF verifier, the common exploit method is to obtain an OOB read and OOB write. From there, compromising the kernel is considered a trivial task.
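To make the incorrect bounds derivation concrete, here is an added example (my own simplified model, not code from the ZDI post or the kernel; struct and function names are assumed) that derives 32-bit bounds from a 64-bit range the flawed way and the corrected way, then checks whether the post's runtime value still falls inside the derived range.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model of a verifier register: the 64-bit unsigned range it is
 * known to hold, and the range derived for its low 32 bits (names assumed). */
struct reg_bounds {
    uint64_t umin_value, umax_value;
    uint32_t u32_min_value, u32_max_value;
};

/* Flawed derivation: each 64-bit bound is checked against U32_MAX on its own,
 * so a range straddling the 32-bit boundary still narrows the low-word range. */
static void combine_64_into_32_flawed(struct reg_bounds *r) {
    r->u32_min_value = 0;
    r->u32_max_value = UINT32_MAX;
    if (r->umin_value <= UINT32_MAX)
        r->u32_min_value = (uint32_t)r->umin_value;
    if (r->umax_value <= UINT32_MAX)
        r->u32_max_value = (uint32_t)r->umax_value;
}

/* Corrected derivation: narrow only when BOTH bounds fit in 32 bits; otherwise
 * the low word can wrap through zero and must stay fully unknown. */
static void combine_64_into_32_fixed(struct reg_bounds *r) {
    r->u32_min_value = 0;
    r->u32_max_value = UINT32_MAX;
    if (r->umin_value <= UINT32_MAX && r->umax_value <= UINT32_MAX) {
        r->u32_min_value = (uint32_t)r->umin_value;
        r->u32_max_value = (uint32_t)r->umax_value;
    }
}

/* Soundness check: derive the 32-bit bounds from [umin, umax] with one of the
 * two routines, then test whether the low word of a value the register may
 * really hold at runtime lies inside the derived range. */
bool derived_bounds_sound(bool use_fixed, uint64_t umin, uint64_t umax,
                          uint64_t runtime_value) {
    struct reg_bounds r = { .umin_value = umin, .umax_value = umax };
    if (use_fixed) combine_64_into_32_fixed(&r); else combine_64_into_32_flawed(&r);
    uint32_t lo = (uint32_t)runtime_value;
    return lo >= r.u32_min_value && lo <= r.u32_max_value;
}

int main(void) {
    /* The post's scenario: umin = 1, umax = 1<<32, actual value 1<<32 (low word 0). */
    uint64_t umin = 1, umax = 1ULL << 32, actual = 1ULL << 32;
    printf("flawed derivation sound: %d\n", derived_bounds_sound(false, umin, umax, actual));
    printf("fixed derivation sound:  %d\n", derived_bounds_sound(true, umin, umax, actual));
    return 0;
}
```

The flawed routine reports the low word as at least 1 while the register can really hold 1<<32, whose low word is 0; the corrected routine leaves the 32-bit range unknown and stays sound.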