Tags: ebpf, linux, lpe, kernel
Original link: How we found and fixed an eBPF Linux Kernel Vulnerability
Newsletter link: exploits.club Weekly Newsletter 34 - V8 Confusions, Smart Speaker Spying, Summer Camp Round-Up, And More


Exploits Club Summary:

The security engineering team at Google released a blog this week detailing how they found and fixed CVE-2023-2163, an eBPF verifier bug resulting from incorrect path pruning. The post starts with some context, explaining the background behind eBPF and why it has been an attractive target for researchers (look no further than EC 30, where we covered CVE-2024-41003). The write-up then quickly touches on the creation of Buzzer, their eBPF fuzzer, before taking a look at how eBPF path pruning actually works. This leads into the team's RCA of the bug the fuzzer surfaced, which stems from an incorrect assumption about register precision during pruning. The post then goes into exploitation, explaining how a register the verifier assumes to be 0 is leveraged to overflow the stack, obtain arbitrary read/write, leak an eBPF map, and defeat KASLR. They also include a full exploit PoC.