Buzzer is a fuzzer toolchain for writing eBPF fuzzing strategies.
A fuzzing strategy is a way to generate random eBPF programs and then validate that they don't have unexpected behaviour: for example, that a program the verifier accepts really computes, at run time, the register values the verifier assumed it would.
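As an added illustration of what a strategy consists of (this is example code written for this page, not code from the Buzzer repository), here is the skeleton of the simplest possible one in Go, Buzzer's own language: a generator that emits a random "r0 = imm; r0 op= imm; ...; exit" program, an encoder that produces the raw 8-byte instructions the bpf(2) syscall takes, and a user-space oracle that predicts the r0 the kernel must return. The instruction encoding constants are the ones from the kernel UAPI header; the function names (GenProgram, Oracle, Check) are my own. The bpf(2) load-and-run step is deliberately left out, since it needs root or CAP_BPF and cannot run offline; it is only described in a comment.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"math/rand"
)

// Raw eBPF opcode pieces (values from include/uapi/linux/bpf.h).
const (
	bpfAlu64 = 0x07 // instruction class: 64-bit ALU
	bpfJmp   = 0x05 // instruction class: jump (exit lives here)
	bpfK     = 0x00 // source operand is the immediate

	opAdd = 0x00
	opSub = 0x10
	opMul = 0x20
	opOr  = 0x40
	opAnd = 0x50
	opLsh = 0x60
	opRsh = 0x70
	opXor = 0xa0
	opMov = 0xb0

	opExit = 0x90
)

// Insn is one 64-bit eBPF instruction: opcode, dst:4|src:4, off, imm.
type Insn struct {
	Op  uint8
	Dst uint8
	Src uint8
	Off int16
	Imm int32
}

// Encode produces the little-endian wire form that BPF_PROG_LOAD consumes.
func (i Insn) Encode() [8]byte {
	var b [8]byte
	b[0] = i.Op
	b[1] = (i.Src << 4) | (i.Dst & 0x0f)
	binary.LittleEndian.PutUint16(b[2:4], uint16(i.Off))
	binary.LittleEndian.PutUint32(b[4:8], uint32(i.Imm))
	return b
}

// aluOps are the ALU64-with-immediate operations the strategy draws from.
// DIV and MOD are left out on purpose: the verifier rejects a constant zero divisor.
var aluOps = []uint8{opAdd, opSub, opMul, opOr, opAnd, opLsh, opRsh, opXor}

// GenProgram builds "r0 = imm; r0 op= imm (n times); exit" from a seed.
// It only touches r0 with constants, so the verifier always accepts it and
// knows r0 exactly at exit, which is what makes a precise oracle possible.
func GenProgram(seed int64, n int) []Insn {
	rng := rand.New(rand.NewSource(seed))
	prog := []Insn{{Op: bpfAlu64 | bpfK | opMov, Dst: 0, Imm: int32(rng.Uint32())}}
	for k := 0; k < n; k++ {
		op := aluOps[rng.Intn(len(aluOps))]
		imm := int32(rng.Uint32())
		if op == opLsh || op == opRsh {
			imm = int32(rng.Intn(64)) // a shift by >= 64 is rejected by the verifier
		}
		prog = append(prog, Insn{Op: bpfAlu64 | bpfK | op, Dst: 0, Imm: imm})
	}
	return append(prog, Insn{Op: bpfJmp | opExit})
}

// Oracle computes the r0 a faithful execution of prog returns. Immediates are
// sign-extended to 64 bits, matching the kernel's ALU64 semantics.
func Oracle(prog []Insn) (uint64, error) {
	var r0 uint64
	for _, in := range prog {
		if in.Op == bpfJmp|opExit {
			return r0, nil
		}
		if in.Op&0x07 != bpfAlu64 || in.Op&0x08 != bpfK || in.Dst != 0 {
			return 0, fmt.Errorf("unsupported instruction %#x", in.Op)
		}
		imm := uint64(int64(in.Imm))
		switch in.Op & 0xf0 {
		case opMov:
			r0 = imm
		case opAdd:
			r0 += imm
		case opSub:
			r0 -= imm
		case opMul:
			r0 *= imm
		case opOr:
			r0 |= imm
		case opAnd:
			r0 &= imm
		case opXor:
			r0 ^= imm
		case opLsh:
			r0 <<= imm & 63
		case opRsh:
			r0 >>= imm & 63
		default:
			return 0, fmt.Errorf("unsupported ALU op %#x", in.Op)
		}
	}
	return 0, fmt.Errorf("program has no exit")
}

// Check is the "no unexpected behaviour" test: kernelR0 is what the loaded
// program actually returned (e.g. via BPF_PROG_TEST_RUN); a mismatch with the
// prediction means the kernel and the verifier disagree about a constant.
func Check(prog []Insn, kernelR0 uint64) (bool, error) {
	want, err := Oracle(prog)
	if err != nil {
		return false, err
	}
	return want == kernelR0, nil
}

func main() {
	prog := GenProgram(42, 6)
	for _, in := range prog {
		fmt.Printf("%x\n", in.Encode()) // bytes to hand to bpf(BPF_PROG_LOAD)
	}
	want, _ := Oracle(prog)
	fmt.Printf("expected r0 = %#x\n", want)
	// A real strategy would now load the encoded program, run it, and call
	// Check(prog, r0FromKernel); that step needs root or CAP_BPF.
}
```

A real strategy, such as the ones shipped with Buzzer, goes further than this in two directions: it uses more registers, pointers, maps and branches so the verifier has to reason about ranges instead of single constants, and it compares the verifier's log output against run-time values rather than against a user-space interpreter. The shape stays the same: generate, predict, execute, diff.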
To run the fuzzer, follow these steps:

- Install bazel.
- Install clang.
- Set the CC and CXX environment variables so bazel builds with clang:
  ```
  export CC=clang
  export CXX=clang++
  ```
- Build buzzer:
  ```
  bazel build :buzzer
  ```
- Run buzzer either as root:
  ```
  sudo ./bazel-bin/buzzer_/buzzer
  ```
  or as an unprivileged user after granting the binary CAP_BPF:
  ```
  sudo setcap CAP_BPF=eip bazel-bin/buzzer_/buzzer
  ./bazel-bin/buzzer_/buzzer
  ```
  `getcap bazel-bin/buzzer_/buzzer` confirms the capability was applied. Note that CAP_BPF covers the bpf(2) load path itself; program types the kernel additionally gates on other capabilities (for example CAP_NET_ADMIN or CAP_PERFMON) still need those.
Did you find a cool bug using Buzzer? Let us know via a pull request! We'd like to collect all issues discovered with this framework under this section.
- CVE-2023-2163: An error in the branch-pruning logic of the eBPF verifier can cause unsafe paths to go unexplored. Because the pruned paths are the ones actually taken at run time, what the verifier thinks the values of certain registers are no longer matches their real values. This mismatch can be abused to read and write arbitrary kernel memory by using the confused registers as base registers for memory operations.
- CVE-2024-41003: A bug in the verifier's register bounds tracking lets an attacker trick the verifier into thinking a register holds the value 0 when at run time it can hold the value 1. This can then be leveraged into arbitrary kernel memory read/write, leading to local privilege escalation or a container escape.