
Security: BPF C code injection via CLI args + world-writable /var/tmp/bcc #5464

@SleuthCo

Summary

A security audit found two vulnerabilities in BCC:

1. BPF C Code Injection (High Severity)

43 Python tools accept CLI arguments (PIDs, TIDs, UIDs, signal numbers) as unvalidated strings and interpolate them directly into BPF C source code via bpf_text.replace(). A local attacker can inject arbitrary C code into kernel BPF programs.

Example:

# Injects C code into the BPF program loaded into the kernel
sudo tcptop.py -p "1234; } malicious(); if (0"

Affected tools: tcptop, tcpconnlat, tcplife, tcpaccept, capable, cpudist, statsnoop, filelife, filegone, compactsnoop, vfsstat, ext4dist, shmsnoop, sofdsnoop, numasched, klockstat, opensnoop, drsnoop, tcpconnect, bindsnoop, nfsslower, xfsslower, zfsslower, ext4slower, btrfsslower, f2fsslower, execsnoop, killsnoop, ttysnoop, and 14 tools in tools/old/.

2. World-Writable Directory Permissions (Medium Severity)

src/cc/bpf_module.cc creates /var/tmp/bcc/ and subdirectories with mode 0777. A local attacker can plant symlinks to overwrite arbitrary root-owned files when BCC writes cached program sources.

Proposed Fix

We have a complete fix with tests at: https://github.com/SleuthCo/bcc/pull/2

Changes:

  • Add type=int to all vulnerable argparse arguments (43 tools) so non-numeric input is rejected at parse time
  • Add shared validators (positive_int, positive_nonzero_int, positive_int_list) to bcc.utils
  • Change mkdir() mode from 0777 to 0700
  • Add O_NOFOLLOW to open() calls and check write() return values
  • ~80 test cases covering injection payload rejection
  • SECURITY.md advisory

We would like to submit this as a proper PR once we can fork this repository. In the meantime, the full changeset is available for review at the link above.
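Added illustration, not code from BCC or from the linked PR: a constructed stand-in for the bpf_text.replace() pattern next to the argparse-based check of the kind the proposed fix describes. The validator names (positive_int, positive_nonzero_int, positive_int_list) come from the issue; their bodies, the BPF_TEMPLATE and the tcptop-style parser are assumptions.

```python
import argparse

# Constructed stand-in for the bpf_text template the affected tools build;
# the real tools splice the CLI value in with bpf_text.replace().
BPF_TEMPLATE = """int trace_entry(struct pt_regs *ctx) {
    u32 pid = bpf_get_current_pid_tgid() >> 32;
    FILTER_PID
    return 0;
}
"""

def positive_int(value):
    """argparse type callable: accept only a non-negative decimal integer.
    The issue names this validator; its body here is an assumed shape."""
    try:
        n = int(value, 10)
    except ValueError:
        raise argparse.ArgumentTypeError(f"not a decimal integer: {value!r}")
    if n < 0:
        raise argparse.ArgumentTypeError(f"must not be negative: {n}")
    return n

def positive_nonzero_int(value):
    n = positive_int(value)
    if n == 0:
        raise argparse.ArgumentTypeError("must be greater than zero")
    return n

def positive_int_list(value):
    # Comma-separated list such as "12,34"; every element is validated.
    return [positive_int(v) for v in value.split(",")]

def render_unvalidated(pid_arg):
    """The vulnerable pattern: the raw CLI string becomes C source."""
    return BPF_TEMPLATE.replace("FILTER_PID", f"if (pid != {pid_arg}) {{ return 0; }}")

def parse_pid(argv):
    """Parse -p with the validator; returns the int, or None if rejected.
    argparse reports the error on stderr and exits, which is caught here."""
    parser = argparse.ArgumentParser(prog="tcptop", add_help=False)
    parser.add_argument("-p", "--pid", type=positive_int, required=True)
    try:
        return parser.parse_args(argv).pid
    except SystemExit:
        return None

def render_validated(argv):
    """Hardened pattern: only an int ever reaches the template."""
    pid = parse_pid(argv)
    return None if pid is None else BPF_TEMPLATE.replace("FILTER_PID", f"if (pid != {pid}) {{ return 0; }}")
```

With the validator in place, a value that is not a decimal integer never reaches the C template; the rendered filter can only ever contain digits.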
