Ebook

The Good, Bad and Compromisable Aspects of Linux eBPF


21 pages

Pentera Labs examined Linux eBPF, a kernel subsystem used for network traffic analysis, and showed how flaws in its verifier and helper functions can enable privilege escalation. The researchers exploited improper input validation of OR_NULL pointers to mislead the verifier, then bypassed ALU sanitation and used BPF helpers to perform out-of-bounds reads and writes. By manipulating kernel heap allocations and exploiting freelist randomization, they obtained an arbitrary read/write primitive, which allowed them to overwrite process credentials and gain root. Mitigations include setting `unprivileged_bpf_disabled=1`, extending ALU sanitation to helper calls, and continuous validation to detect eBPF-related risks.
