Date: Wed, 11 Sep 2024 12:05:18 +0300
From: Vadim Goncharov <vadimnuclight@gmail.com>
To: Philip Paeps <philip@trouble.is>
Cc: David Chisnall <theraven@FreeBSD.org>, Poul-Henning Kamp <phk@phk.freebsd.dk>, freebsd-arch@FreeBSD.org, freebsd-hackers@FreeBSD.org, freebsd-net@FreeBSD.org, tech-net@NetBSD.org
Subject: Re: BPF64: proposal of platform-independent hardware-friendly backwards-compatible eBPF alternative
Message-ID: <20240911120518.1ba191b5@nuclight.lan>
In-Reply-To: <AAF2B340-CB69-470D-B60C-42A4B7C23325@trouble.is>
References: <20240910040544.125245ad@nuclight.lan> <202409100638.48A6cor2090591@critter.freebsd.dk> <20240910144557.4d95052a@nuclight.lan> <4D84AF55-51C7-4C2B-94F7-D486A29E8821@FreeBSD.org> <20240910164447.30039291@nuclight.lan> <3F3533E4-6059-4B4F-825F-6995745FDE35@FreeBSD.org> <20240911011228.161f94db@nuclight.lan> <AAF2B340-CB69-470D-B60C-42A4B7C23325@trouble.is>

On Wed, 11 Sep 2024 10:14:44 +0800
Philip Paeps <philip@trouble.is> wrote:

> On 2024-09-11 06:12:28 (+0800), Vadim Goncharov wrote:
> > David Chisnall <theraven@FreeBSD.org> wrote:
> >> BPF can be loaded only by root, who can also load kernel modules
> >> and map /dev/[k]mem, and FreeBSD does not protect the root <->
> >> kernel boundary.
> >
> > Wrong. It is possible for decades to do `chmod a+r /dev/bpf*` and
> > run tcpdump as non-root, which will load BPF code into kernel. Is
> > *that* also a vulnerability, and if so, why it was never reported?
>
> This is equivalent to chmod a+w /dev/mem.
>
> Unwise configuration decisions are not vulnerabilities.

But then a possibility to give this to non-root is. And many things are
considered vulnerabilities even if they are only available to root - for
example, when root can be tricked into running malicious code etc.
(unconscious) actions without direct intention.

Equivalency of classic BPF to writable /dev/mem is too loud and
controversial a statement. Demonstrate how it can be done on stock FreeBSD 13
with /dev/bpf available to an attacker (e.g. `sudo tcpdump` allowed).

-- 
WBR, @nuclight