diff options
| author | Divya Chellam <divya.chellam@windriver.com> | 2025-04-08 04:45:25 +0000 |
|---|---|---|
| committer | Khem Raj <raj.khem@gmail.com> | 2025-04-10 17:55:17 -0700 |
| commit | 8a1d0a1993040ab9d2fb7259b71e4c9582f5cd17 (patch) | |
| tree | 82060d65478ad391d27873d58119a6f7e9eaf7f2 | |
| parent | 0356fab9b788e6071471f82743964aec1775cd71 (diff) | |
| download | meta-clang-8a1d0a1993040ab9d2fb7259b71e4c9582f5cd17.tar.gz | |
bcc: fix CVE-2024-2314kirkstone
If kernel headers need to be extracted, bcc will attempt to load them
from a temporary directory. An unprivileged attacker could use this to
force bcc to load compromised linux headers. Linux distributions which
provide kernel headers by default are not affected by default.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2024-2314
Upstream-patch:
https://github.com/iovisor/bcc/commit/008ea09e891194c072f2a9305a3c872a241dc342
Signed-off-by: Divya Chellam <divya.chellam@windriver.com>
| -rw-r--r-- | dynamic-layers/openembedded-layer/recipes-devtools/bcc/bcc/CVE-2024-2314.patch | 72 | ||||
| -rw-r--r-- | dynamic-layers/openembedded-layer/recipes-devtools/bcc/bcc_0.24.0.bb | 1 |
2 files changed, 73 insertions, 0 deletions
diff --git a/dynamic-layers/openembedded-layer/recipes-devtools/bcc/bcc/CVE-2024-2314.patch b/dynamic-layers/openembedded-layer/recipes-devtools/bcc/bcc/CVE-2024-2314.patch new file mode 100644 index 0000000..cde67b3 --- /dev/null +++ b/dynamic-layers/openembedded-layer/recipes-devtools/bcc/bcc/CVE-2024-2314.patch | |||
| @@ -0,0 +1,72 @@ | |||
| 1 | From 008ea09e891194c072f2a9305a3c872a241dc342 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Brendan Gregg <brendan@intel.com> | ||
| 3 | Date: Thu, 7 Mar 2024 05:27:14 +1100 | ||
| 4 | Subject: [PATCH] clang: check header ownership (#4928) | ||
| 5 | |||
| 6 | Example testing with a brendan-owned /tmp/kheaders file (note the "ERROR:" message): | ||
| 7 | |||
| 8 | ~/bcc/build$ sudo /usr/share/bcc/tools/biosnoop | ||
| 9 | ERROR: header file ownership unexpected: /tmp/kheaders-5.15.47-internal | ||
| 10 | <built-in>:1:10: fatal error: './include/linux/kconfig.h' file not found | ||
| 11 | ^~~~~~~~~~~~~~~~~~~~~~~~~~~ | ||
| 12 | 1 error generated. | ||
| 13 | Traceback (most recent call last): | ||
| 14 | File "/usr/share/bcc/tools/biosnoop", line 335, in <module> | ||
| 15 | b = BPF(text=bpf_text) | ||
| 16 | File "/usr/lib/python3/dist-packages/bcc-0.1.5+6cd27218-py3.10.egg/bcc/__init__.py", line 479, in __init__ | ||
| 17 | Exception: Failed to compile BPF module <text> | ||
| 18 | ~/bcc/build$ ls -lhd /tmp/kheaders-5.15.47-internal | ||
| 19 | drwxrwxr-x 2 brendan dev 4.0K Mar 6 02:50 /tmp/kheaders-5.15.47-internal | ||
| 20 | |||
| 21 | No error when chown'd back to root. | ||
| 22 | |||
| 23 | CVE: CVE-2024-2314 | ||
| 24 | |||
| 25 | Upstream-Status: Backport [https://github.com/iovisor/bcc/commit/008ea09e891194c072f2a9305a3c872a241dc342] | ||
| 26 | |||
| 27 | Signed-off-by: Divya Chellam <divya.chellam@windriver.com> | ||
| 28 | --- | ||
| 29 | src/cc/frontends/clang/kbuild_helper.cc | 15 +++++++++++---- | ||
| 30 | 1 file changed, 11 insertions(+), 4 deletions(-) | ||
| 31 | |||
| 32 | diff --git a/src/cc/frontends/clang/kbuild_helper.cc b/src/cc/frontends/clang/kbuild_helper.cc | ||
| 33 | index 5c57c13e..d13be427 100644 | ||
| 34 | --- a/src/cc/frontends/clang/kbuild_helper.cc | ||
| 35 | +++ b/src/cc/frontends/clang/kbuild_helper.cc | ||
| 36 | @@ -136,15 +136,22 @@ int KBuildHelper::get_flags(const char *uname_machine, vector<string> *cflags) { | ||
| 37 | return 0; | ||
| 38 | } | ||
| 39 | |||
| 40 | -static inline int file_exists(const char *f) | ||
| 41 | +static inline int file_exists_and_ownedby(const char *f, uid_t uid) | ||
| 42 | { | ||
| 43 | struct stat buffer; | ||
| 44 | - return (stat(f, &buffer) == 0); | ||
| 45 | + int ret; | ||
| 46 | + if ((ret = stat(f, &buffer)) == 0) { | ||
| 47 | + if (buffer.st_uid != uid) { | ||
| 48 | + std::cout << "ERROR: header file ownership unexpected: " << std::string(f) << "\n"; | ||
| 49 | + return -1; | ||
| 50 | + } | ||
| 51 | + } | ||
| 52 | + return ret; | ||
| 53 | } | ||
| 54 | |||
| 55 | static inline int proc_kheaders_exists(void) | ||
| 56 | { | ||
| 57 | - return file_exists(PROC_KHEADERS_PATH); | ||
| 58 | + return file_exists_and_ownedby(PROC_KHEADERS_PATH, 0); | ||
| 59 | } | ||
| 60 | |||
| 61 | static inline int extract_kheaders(const std::string &dirpath, | ||
| 62 | @@ -210,7 +217,7 @@ int get_proc_kheaders(std::string &dirpath) | ||
| 63 | snprintf(dirpath_tmp, 256, "/tmp/kheaders-%s", uname_data.release); | ||
| 64 | dirpath = std::string(dirpath_tmp); | ||
| 65 | |||
| 66 | - if (file_exists(dirpath_tmp)) | ||
| 67 | + if (file_exists_and_ownedby(dirpath_tmp, 0)) | ||
| 68 | return 0; | ||
| 69 | |||
| 70 | // First time so extract it | ||
| 71 | -- | ||
| 72 | 2.40.0 | ||
diff --git a/dynamic-layers/openembedded-layer/recipes-devtools/bcc/bcc_0.24.0.bb b/dynamic-layers/openembedded-layer/recipes-devtools/bcc/bcc_0.24.0.bb index b24e153..a3ceddb 100644 --- a/dynamic-layers/openembedded-layer/recipes-devtools/bcc/bcc_0.24.0.bb +++ b/dynamic-layers/openembedded-layer/recipes-devtools/bcc/bcc_0.24.0.bb | |||
| @@ -29,6 +29,7 @@ SRC_URI = "gitsm://github.com/iovisor/bcc;branch=master;protocol=https \ | |||
| 29 | file://0001-Vendor-just-enough-extra-headers-to-allow-libbpf-to-.patch \ | 29 | file://0001-Vendor-just-enough-extra-headers-to-allow-libbpf-to-.patch \ |
| 30 | file://run-ptest \ | 30 | file://run-ptest \ |
| 31 | file://ptest_wrapper.sh \ | 31 | file://ptest_wrapper.sh \ |
| 32 | file://CVE-2024-2314.patch \ | ||
| 32 | " | 33 | " |
| 33 | 34 | ||
| 34 | SRCREV = "8f40d6f57a8d94e7aee74ce358572d34d31b4ed4" | 35 | SRCREV = "8f40d6f57a8d94e7aee74ce358572d34d31b4ed4" |