
Potential security issues found by fuzzing #4010

Open
44 tasks
shankarseal opened this issue Nov 13, 2024 · 0 comments · May be fixed by #3989

Comments

@shankarseal
Collaborator

Some time back, a thorough security review was conducted on the eBPF code base, along with fuzz testing, which unearthed quite a few bugs that could have potential security implications. Here is the list of issues, copied from the titles of ADO tasks in an internal project. The line numbers in the source could be off, as this is dated information.

  • AddressSanitizer: heap-buffer-overflow D:\a\1\s\libs\execution_context\ebpf_program.c:1966 in ebpf_program_get_info
  • Heap Buffer Overflow in ebpf_program_get_info() (ebpf_program.c:1870)
  • Heap Buffer Overflow in ebpf_program_get_info() (ebpf_program.c:1870)
  • Arbitrary write -- ebpf_program_get_info (ebpf_program.c:1888)
  • Controlled Allocation -- ebpf_maps.c :3.
  • Access Violation -- libs\execution_context\ebpf_program.c:1511 in _ebpf_program_get_helper_function_address
  • Divide by Zero -- libs\execution_context\ebpf_core.c: in _ebpf_core_protocol_map_delete_element_batch
  • Access Violation -- external\ubpf\vm\ubpf_vm.c:289 in ubpf_exec
  • Heap Buffer Overflow -- libs\runtime\ebpf_hash_table.c:138 in _ebpf_murmur3_32
  • Access Violation -- libs\execution_context\ebpf_program.c:1483 in _ebpf_program_get_helper_function_address
  • Use After Free -- libs\execution_context\ebpf_core.c:1178 in _ebpf_core_protocol_program_test_run_complete
  • Heap Buffer Overflow -- libs\runtime\ebpf_hash_table.c:122 in _ebpf_murmur3_32
  • Heap Buffer Overflow -- ebpf-for-windows\netebpfext\net_ebpf_ext_bind.c:223 in _net_ebpf_ext_resource_truncate_appid
  • fake crash site
  • AddressSanitizer: heap-buffer-overflow D:\a\1\s\external\ubpf\vm\ubpf_vm.c:197 in ubpf_load
  • AddressSanitizer: access-violation D:\a\1\s\libs\execution_context\ebpf_maps.c:1678 in _next_lpm_map_key_and_value
  • AddressSanitizer: access-violation on unknown address 0xffffffffffffffff (pc 0x7ff74525e5 bp 0x12bd5... [57364FF1]
  • Heap Buffer Overflow (read)ebpf_program_get_info (ebpf_program.c:1870)
  • Arbitrary write -- ebpf_program_get_info (ebpf_program.c:1888)
  • Controlled Allocation -- bpf_maps.c :3.
  • Access Violation -- libs\execution_context\ebpf_program.c:1511 in _ebpf_program_get_helper_function_address
  • Divide by Zero -- libs\execution_context\ebpf_core.c: in _ebpf_core_protocol_map_delete_element_batch
  • Heap Buffer Overflow -- libs\runtime\ebpf_hash_table.c:138 in _ebpf_murmur3_32
  • Access Violation -- libs\execution_context\ebpf_program.c:1483 in _ebpf_program_get_helper_function_address
  • Use After Free -- libs\execution_context\ebpf_core.c:1178 in _ebpf_core_protocol_program_test_run_complete
  • Heap Buffer Overflow -- libs\runtime\ebpf_hash_table.c:122 in _ebpf_murmur3_32
  • Heap Buffer Overflow -- netebpfext\net_ebpf_ext_bind.c:223 in _net_ebpf_ext_resource_truncate_appid Security
  • AddressSanitizer: heap-buffer-overflow D:\a\1\s\libs\execution_context\ebpf_program.c:1966 in ebpf_program_get_info
  • AddressSanitizer: heap-buffer-overflow D:\a\1\s\libs\execution_context\ebpf_program.c:1967 in ebpf_program_get_info
  • AddressSanitizer: int-divide-by-zero D:\a\1\s\libs\execution_context\ebpf_core.c: in _ebpf_core_pr... [3E8AFE]
  • libFuzzer: out-of-memory
  • AddressSanitizer: heap-buffer-overflow D:\a\1\s\libs\execution_context\ebpf_program.c:1923 in ebpf_program_get_info
  • AddressSanitizer: heap-buffer-overflow D:\a\1\s\libs\execution_context\ebpf_program.c:1922 in ebpf_program_get_info
  • AddressSanitizer: int-divide-by-zero D:\a\1\s\libs\execution_context\ebpf_core.c:1021 in _ebpf_core_pr... [865938E3]
  • AddressSanitizer: heap-buffer-overflow D:\a\1\s\libs\execution_context\ebpf_program.c:1976 in ebpf_program_get_info
  • AddressSanitizer: heap-buffer-overflow D:\a\1\s\libs\execution_context\ebpf_program.c:1977 in ebpf_program_get_info
  • AddressSanitizer: int-divide-by-zero D:\a\1\s\libs\execution_context\ebpf_core.c:1005 in _ebpf_core_pr... [BB894F3F]
  • libFuzzer: deadly signal
  • Possible null pointer deref in _ebpf_program_get_helper_function_address
  • Lack of code_type validation in ebpf_program.c
  • Potential out of bound writes on ebpf_map_definition.type parameter in ebpf_maps.c
  • Potential heap buffer-over read in _net_ebpf_ext_resource_truncate_appid()
  • AddressSanitizer: heap-buffer-overflow D:\a\1\s\libs\execution_context\ebpf_program.c:21 in ebpf_program_get_info New
  • AddressSanitizer: heap-buffer-overflow D:\a\1\s\libs\execution_context\ebpf_program.c:22 in ebpf_program_get_info New
@shankarseal shankarseal linked a pull request Nov 13, 2024 that will close this issue