If kernel headers are not installed in the usual place, the BPF tools try to look them up in /tmp/kheaders-$(uname -r)/, even when this directory is owned by another user.
This can be exploited for denial of service, or likely something worse.
To reproduce, run this as a normal user:
$ mkdir /tmp/kheaders-$(uname -r)/
$ mkdir -p /tmp/kheaders-$(uname -r)/include/linux/
$ echo "#error this header is malicious" > /tmp/kheaders-$(uname -r)/include/linux/kconfig.h
Then run this as root:
# opensnoop-bpfcc
In file included from <built-in>:1:
././include/linux/kconfig.h:1:2: error: this header is malicious
#error this header is malicious
 ^
In file included from <built-in>:2:
/virtual/include/bcc/bpf.h:12:10: fatal error: 'linux/types.h' file not found
#include <linux/types.h>
         ^~~~~~~~~~~~~~~
2 errors generated.
Traceback (most recent call last):
  File "/usr/sbin/opensnoop-bpfcc", line 261, in <module>
    b = BPF(text='')
        ^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/bcc/__init__.py", line 476, in __init__
    raise Exception("Failed to compile BPF module %s" % (src_file or "<text>"))
Exception: Failed to compile BPF module <text>
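The missing check the report points at is an ownership and permission test on the header directory before it is added to the include path. The sketch below is an added example, not code from bcc or the Debian package; the helper name header_dir_is_trusted and the constructed directory names are assumptions made for illustration.

```python
import os
import stat
import tempfile


def header_dir_is_trusted(path, trusted_uids=(0,)):
    """Return (ok, reason) for a candidate kernel-header directory.

    Hypothetical helper: accept only a real directory (not a symlink) that is
    owned by a trusted uid and is not group- or world-writable.
    """
    try:
        st = os.lstat(path)  # lstat: do not follow a symlink planted in /tmp
    except FileNotFoundError:
        return False, "missing"
    if stat.S_ISLNK(st.st_mode):
        return False, "symlink"
    if not stat.S_ISDIR(st.st_mode):
        return False, "not a directory"
    if st.st_uid not in trusted_uids:
        return False, "owned by uid %d" % st.st_uid
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False, "group/world-writable"
    return True, "ok"


def demo():
    """Constructed scenario: a kheaders-style directory made by one user and
    judged from the point of view of the same user and of a different one."""
    me = os.getuid()
    with tempfile.TemporaryDirectory() as tmp:
        d = os.path.join(tmp, "kheaders-constructed")
        os.makedirs(os.path.join(d, "include", "linux"))
        os.chmod(d, 0o755)
        results = {
            "own": header_dir_is_trusted(d, (me,)),
            # Same directory, but the caller only trusts a different uid:
            # this is the situation in the report (root reading a user's dir).
            "foreign": header_dir_is_trusted(d, (me + 1,)),
        }
        os.chmod(d, 0o777)
        results["writable"] = header_dir_is_trusted(d, (me,))
        link = os.path.join(tmp, "kheaders-link")
        os.symlink(d, link)
        results["symlink"] = header_dir_is_trusted(link, (me,))
        results["missing"] = header_dir_is_trusted(os.path.join(tmp, "absent"), (me,))
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(name, ok, reason)
```

The check covers only the top-level directory; a caller that trusts it would also need its contents to have been written by the same trusted owner.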
Fix the path to deadlock.c used in deadlock-bpfcc
Move deadlock.c from /usr/sbin/ to /usr/share/bpfcc-tools/ and update the Python script to use it from this path.
Fix the path of netqtop.c on Debian systems
On Debian systems we install netqtop.c to the /usr/share/bpfcc-tools folder; adjust the path in the utility to match this.