tech-net archive
Re: BPF64: proposal of platform-independent hardware-friendly backwards-compatible eBPF alternative
On Wed, 11 Sep 2024 10:14:44 +0800
Philip Paeps <philip%trouble.is@localhost> wrote:
> On 2024-09-11 06:12:28 (+0800), Vadim Goncharov wrote:
> > David Chisnall <theraven%FreeBSD.org@localhost> wrote:
> >> BPF can be loaded only by root, who can also load kernel modules
> >> and map /dev/[k]mem, and FreeBSD does not protect the root <->
> >> kernel boundary.
> >
> > Wrong. It is possible for decades to do `chmod a+r /dev/bpf*` and
> > run tcpdump as non-root, which will load BPF code into kernel. Is
> > *that* also a vulnerability, and if so, why it was never reported?
>
> This is equivalent to chmod a+w /dev/mem.
>
> Unwise configuration decisions are not vulnerabilities.
But then a possibility to give this to non-root is. And many things are
considered vulnerabilities even if they are only available to root -
for example, when root can be tricked into running malicious code etc.
(unconscious) actions without direct intention.

Equivalency of classic BPF to writable /dev/mem is too loud and
controversial a statement. Demonstrate how it can be done on stock
FreeBSD 13 with /dev/bpf available to an attacker (e.g. `sudo tcpdump`
allowed).
--
WBR, @nuclight