Security vulnerabilities and automated fixes for bpf issues
A high-severity buffer over-read vulnerability was discovered in `bpf/sslsniff.c` at line 515, where `memmove()` was called with a size derived from an unbounded `strlen()` on a pointer computed by searching within a fixed-size path buffer. An attacker able to influence `/proc` filesystem entries or `ldconfig` output could have triggered out-of-bounds memory reads or writes. The fix replaces the unsafe `strlen()` call with a bounds-aware `strnlen()` that constrains the operation to the remaining
A critical buffer overflow vulnerability (CWE-120) was discovered and patched in `module/x86/bpf_x86_native_lab.c`, where a bounds check on BPF blob length was only performed inside an `emit` conditional branch — leaving a window for kernel memory corruption when `emit` was false. The fix relocates the length validation before any branching logic, ensuring no code path can proceed with an oversized blob. This type of kernel-level vulnerability is particularly dangerous because successful exploit