bpftrace 0.20.1: Fix CVE-2024-2313

Upstream Repository: https://github.com/bpftrace/bpftrace.git

Bug Details: https://nvd.nist.gov/vuln/detail/CVE-2024-2313
Type: Security Fix
CVE: CVE-2024-2313
Score: 2.8
Patch: https://github.com/bpftrace/bpftrace/commit/bc73244963f2

Note:
- This CVE was initially addressed via commit 4be4b7191acb [1], which
  added ownership verification for unpacked kernel headers.
- The fix was deemed insufficient and a revised comprehensive fix was
  implemented in commit bc73244963f2 [2], which completely removes the
  risky functionality.
- This patch applies only the revised fix (bc73244963f2) which supersedes
  the initial partial fix.

Reference:
[1] https://github.com/bpftrace/bpftrace/pull/3033
[2] https://github.com/bpftrace/bpftrace/pull/3156

Signed-off-by: Deepak Rathore <deeratho@cisco.com>

2 files changed, 285 insertions, 0 deletions

diff --git a/dynamic-layers/meta-python/recipes-devtools/bpftrace/bpftrace/CVE-2024-2313.patch b/dynamic-layers/meta-python/recipes-devtools/bpftrace/bpftrace/CVE-2024-2313.patch
new file mode 100644
index 0000000..2631fbc
--- /dev/null
+++ b/dynamic-layers/meta-python/recipes-devtools/bpftrace/bpftrace/CVE-2024-2313.patch
@@ -0,0 +1,284 @@
+From 18c07736fd3b87ed797eeab1e0d1fb57fd1db7ac Mon Sep 17 00:00:00 2001
+From: Jordan Rome <jordalgo@meta.com>
+Date: Wed, 15 May 2024 10:21:30 -0600
+Subject: [PATCH] Don't unpack kernel headers or look in tmp (#3156)
+
+Looking in shared writeable locations for kernel
+headers is inherently risky even bpftrace does
+the unpacking. Remove this functionality and let
+the user specify the path to these headers if
+we can't find them in known locations.
+
+References:
+https://github.com/bpftrace/bpftrace/pull/3033
+https://github.com/bpftrace/bpftrace/pull/3154
+
+CVE: CVE-2024-2313
+Upstream-Status: Backport [https://github.com/bpftrace/bpftrace/commit/bc73244963f2]
+
+Backport Changes:
+- src/utils.cpp: file_exists_and_ownedby_root() was not present in
+  current version. Hence, changes are made accordingly.
+- src/main.cpp: Upstream commit uses "/bpftrace/include/" CLANG_WORKAROUNDS_H
+  but current codebase uses CLANG_WORKAROUNDS_H without the path prefix.
+  Changes are made as per current codebase.
+- tests/utils.cpp: Test case changes for file_exists_and_ownedby_root()
+  function are not included as the function itself was not present in
+  current version.
+
+Co-authored-by: Jordan Rome <jordalgo@fedoraproject.org>
+(cherry picked from commit bc73244963f206814ae45ec78ebe52cd389f6381)
+Signed-off-by: Deepak Rathore <deeratho@cisco.com>
+---
+ src/clang_parser.cpp |  2 -
+ src/fuzz_main.cpp    |  2 +-
+ src/main.cpp         | 62 +++++++++++++++-------------
+ src/utils.cpp        | 98 ++++----------------------------------------
+ src/utils.h          |  3 +-
+ 5 files changed, 45 insertions(+), 122 deletions(-)
+
+diff --git a/src/clang_parser.cpp b/src/clang_parser.cpp
+index 2b50e931..667a833f 100644
+--- a/src/clang_parser.cpp
++++ b/src/clang_parser.cpp
+@@ -660,8 +660,6 @@ bool ClangParser::parse(ast::Program *program,
+   StderrSilencer silencer;
+   silencer.silence();
+ #endif
+-  if (program->c_definitions.empty() && bpftrace.btf_set_.empty())
+-    return true;
+
+   input = "#include <__btf_generated_header.h>\n" + program->c_definitions;
+
+diff --git a/src/fuzz_main.cpp b/src/fuzz_main.cpp
+index 35455c03..1d4c4806 100644
+--- a/src/fuzz_main.cpp
++++ b/src/fuzz_main.cpp
+@@ -132,7 +132,7 @@ int fuzz_main(const char* data, size_t sz)
+     struct utsname utsname;
+     uname(&utsname);
+     std::string ksrc, kobj;
+-    auto kdirs = get_kernel_dirs(utsname, !bpftrace.feature_->has_btf());
++    auto kdirs = get_kernel_dirs(utsname);
+     ksrc = std::get<0>(kdirs);
+     kobj = std::get<1>(kdirs);
+
+diff --git a/src/main.cpp b/src/main.cpp
+index c3700d93..831976b9 100644
+--- a/src/main.cpp
++++ b/src/main.cpp
+@@ -405,32 +405,6 @@ static std::optional<struct timespec> get_delta_taitime()
+   if (TracepointFormatParser::parse(driver.root.get(), bpftrace) == false)
+     return nullptr;
+
+-  ClangParser clang;
+-  std::vector<std::string> extra_flags;
+-  {
+-    struct utsname utsname;
+-    uname(&utsname);
+-    std::string ksrc, kobj;
+-    auto kdirs = get_kernel_dirs(utsname);
+-    ksrc = std::get<0>(kdirs);
+-    kobj = std::get<1>(kdirs);
+-
+-    if (ksrc != "")
+-      extra_flags = get_kernel_cflags(
+-          utsname.machine, ksrc, kobj, bpftrace.kconfig);
+-  }
+-  extra_flags.push_back("-include");
+-  extra_flags.push_back(CLANG_WORKAROUNDS_H);
+-
+-  for (auto dir : include_dirs) {
+-    extra_flags.push_back("-I");
+-    extra_flags.push_back(dir);
+-  }
+-  for (auto file : include_files) {
+-    extra_flags.push_back("-include");
+-    extra_flags.push_back(file);
+-  }
+-
+   // NOTE(mmarchini): if there are no C definitions, clang parser won't run to
+   // avoid issues in some versions. Since we're including files in the command
+   // line, we want to force parsing, so we make sure C definitions are not
+@@ -438,8 +412,40 @@ static std::optional<struct timespec> get_delta_taitime()
+   if (!include_files.empty() && driver.root->c_definitions.empty())
+     driver.root->c_definitions = "#define __BPFTRACE_DUMMY__";
+
+-  if (!clang.parse(driver.root.get(), bpftrace, extra_flags))
+-    return nullptr;
++  bool should_clang_parse = !(driver.root.get()->c_definitions.empty() &&
++                              bpftrace.btf_set_.empty());
++
++  if (should_clang_parse) {
++    ClangParser clang;
++    std::vector<std::string> extra_flags;
++    {
++      struct utsname utsname;
++      uname(&utsname);
++      std::string ksrc, kobj;
++      auto kdirs = get_kernel_dirs(utsname);
++      ksrc = std::get<0>(kdirs);
++      kobj = std::get<1>(kdirs);
++
++      if (ksrc != "") {
++        extra_flags = get_kernel_cflags(
++            utsname.machine, ksrc, kobj, bpftrace.kconfig);
++      }
++    }
++    extra_flags.push_back("-include");
++    extra_flags.push_back(CLANG_WORKAROUNDS_H);
++
++    for (auto dir : include_dirs) {
++      extra_flags.push_back("-I");
++      extra_flags.push_back(dir);
++    }
++    for (auto file : include_files) {
++      extra_flags.push_back("-include");
++      extra_flags.push_back(file);
++    }
++
++    if (!clang.parse(driver.root.get(), bpftrace, extra_flags))
++      return nullptr;
++  }
+
+   err = driver.parse();
+   if (err)
+diff --git a/src/utils.cpp b/src/utils.cpp
+index 0a3af640..4844780c 100644
+--- a/src/utils.cpp
++++ b/src/utils.cpp
+@@ -683,88 +683,6 @@ bool is_dir(const std::string &path)
+   return std_filesystem::is_directory(buf, ec);
+ }
+
+-namespace {
+-struct KernelHeaderTmpDir {
+-  KernelHeaderTmpDir(const std::string &prefix) : path{ prefix + "XXXXXX" }
+-  {
+-    if (::mkdtemp(&path[0]) == nullptr) {
+-      throw std::runtime_error(
+-          "creating temporary path for kheaders.tar.xz failed");
+-    }
+-  }
+-
+-  ~KernelHeaderTmpDir()
+-  {
+-    if (path.size() > 0) {
+-      // move_to either did not succeed or did not run, so clean up after
+-      // ourselves
+-      exec_system(("rm -rf " + path).c_str());
+-    }
+-  }
+-
+-  void move_to(const std::string &new_path)
+-  {
+-    int err = ::rename(path.c_str(), new_path.c_str());
+-    if (err == 0) {
+-      path = "";
+-    }
+-  }
+-
+-  std::string path;
+-};
+-
+-std::string unpack_kheaders_tar_xz(const struct utsname &utsname)
+-{
+-  std::error_code ec;
+-#if defined(__ANDROID__)
+-  std_filesystem::path path_prefix{ "/data/local/tmp" };
+-#else
+-  std_filesystem::path path_prefix{ "/tmp" };
+-#endif
+-  std_filesystem::path path_kheaders{ "/sys/kernel/kheaders.tar.xz" };
+-  if (const char *tmpdir = ::getenv("TMPDIR")) {
+-    path_prefix = tmpdir;
+-  }
+-  path_prefix /= "kheaders-";
+-  std_filesystem::path shared_path{ path_prefix.string() + utsname.release };
+-
+-  if (std_filesystem::exists(shared_path, ec)) {
+-    // already unpacked
+-    return shared_path.string();
+-  }
+-
+-  if (!std_filesystem::exists(path_kheaders, ec)) {
+-    StderrSilencer silencer;
+-    silencer.silence();
+-
+-    FILE *modprobe = ::popen("modprobe kheaders", "w");
+-    if (modprobe == nullptr || pclose(modprobe) != 0) {
+-      return "";
+-    }
+-
+-    if (!std_filesystem::exists(path_kheaders, ec)) {
+-      return "";
+-    }
+-  }
+-
+-  KernelHeaderTmpDir tmpdir{ path_prefix };
+-
+-  FILE *tar = ::popen(
+-      ("tar xf /sys/kernel/kheaders.tar.xz -C " + tmpdir.path).c_str(), "w");
+-  if (!tar) {
+-    return "";
+-  }
+-
+-  int rc = ::pclose(tar);
+-  if (rc == 0) {
+-    tmpdir.move_to(shared_path);
+-    return shared_path;
+-  }
+-
+-  return "";
+-}
+-} // namespace
+-
+ // get_kernel_dirs returns {ksrc, kobj} - directories for pristine and
+ // generated kernel sources.
+ //
+@@ -783,8 +701,7 @@ std::string unpack_kheaders_tar_xz(const struct utsname &utsname)
+ // Both ksrc and kobj are guaranteed to be != "", if at least some trace of
+ // kernel sources was found.
+ std::tuple<std::string, std::string> get_kernel_dirs(
+-    const struct utsname &utsname,
+-    bool unpack_kheaders)
++    const struct utsname &utsname)
+ {
+ #ifdef KERNEL_HEADERS_DIR
+   return { KERNEL_HEADERS_DIR, KERNEL_HEADERS_DIR };
+@@ -812,11 +729,14 @@ std::tuple<std::string, std::string> get_kernel_dirs(
+     kobj = "";
+   }
+   if (ksrc.empty() && kobj.empty()) {
+-    if (unpack_kheaders) {
+-      const auto kheaders_tar_xz_path = unpack_kheaders_tar_xz(utsname);
+-      if (kheaders_tar_xz_path.size() > 0)
+-        return std::make_tuple(kheaders_tar_xz_path, kheaders_tar_xz_path);
+-    }
++    LOG(WARNING) << "Could not find kernel headers in " << ksrc << " or "
++                 << kobj
++                 << ". To specify a particular path to kernel headers, set the "
++                    "env variables BPFTRACE_KERNEL_SOURCE and, optionally, "
++                    "BPFTRACE_KERNEL_BUILD if the kernel was built in a "
++                    "different directory than its source. To create kernel "
++                    "headers run 'modprobe kheaders', which will create a tar "
++                    "file at /sys/kernel/kheaders.tar.xz";
+     return std::make_tuple("", "");
+   }
+   if (ksrc.empty()) {
+diff --git a/src/utils.h b/src/utils.h
+index 25dfa44b..9fa478fc 100644
+--- a/src/utils.h
++++ b/src/utils.h
+@@ -175,8 +175,7 @@ std::vector<int> get_online_cpus();
+ std::vector<int> get_possible_cpus();
+ bool is_dir(const std::string &path);
+ std::tuple<std::string, std::string> get_kernel_dirs(
+-    const struct utsname &utsname,
+-    bool unpack_kheaders = true);
++    const struct utsname &utsname);
+ std::vector<std::string> get_kernel_cflags(const char *uname_machine,
+                                            const std::string &ksrc,
+                                            const std::string &kobj,
+--
+2.44.1
diff --git a/dynamic-layers/meta-python/recipes-devtools/bpftrace/bpftrace_0.20.1.bb b/dynamic-layers/meta-python/recipes-devtools/bpftrace/bpftrace_0.20.1.bb
index f0c29f4..37bf553 100644
--- a/dynamic-layers/meta-python/recipes-devtools/bpftrace/bpftrace_0.20.1.bb
+++ b/dynamic-layers/meta-python/recipes-devtools/bpftrace/bpftrace_0.20.1.bb
@@ -26,6 +26,7 @@ SRC_URI = "git://github.com/iovisor/bpftrace;branch=master;protocol=https \
            file://0001-use-64bit-alignment-for-map-counter-atomic-add.patch \
            file://run-ptest \
            file://0001-CMakeLists.txt-allow-to-set-BISON_FLAGS-like-l.patch \
+           file://CVE-2024-2313.patch \
 "
 SRCREV = "fe6362b4e2c1b9d0833c7d3f308c1d4006b54723"