tech-net archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: BPF64: proposal of platform-independent hardware-friendly backwards-compatible eBPF alternative



On Wed, 11 Sep 2024 10:14:44 +0800
Philip Paeps <philip%trouble.is@localhost> wrote:

> On 2024-09-11 06:12:28 (+0800), Vadim Goncharov wrote:
> > David Chisnall <theraven%FreeBSD.org@localhost> wrote:  
> >> BPF can be loaded only by root, who can also load kernel modules
> >> and map /dev/[k]mem, and FreeBSD does not protect the root <->
> >> kernel boundary.  
> >
> > Wrong. It is possible for decades to do `chmod a+r /dev/bpf*` and
> > run tcpdump as non-root, which will load BPF code into kernel. Is
> > *that* also a vulnerability, and if so, why it was never reported?  
> 
> This is equivalent to chmod a+w /dev/mem.
> 
> Unwise configuration decisions are not vulnerabilities.

But then a possibility to give this to non-root is. And many things are
considered vulnerabilitites even if they are only available to root -
for example, when root can be tricked into running malicious code etc.
(unconscious) actions without direct intention.

Equivalency of classic BPF to writable /dev/mem is too loud and
controversial statement. Demonstrate how it can be done on stock
FreeBSD 13 with /dev/bpf available to attacker (e.g. `sudo tcpdump`
allowed).

-- 
WBR, @nuclight


Home | Main Index | Thread Index | Old Index