Repository: https://github.com/sroman0/explotability_analysis_ebpf
Description: Exploitability analysis of Linux eBPF verifier CVEs, including PoCs, exploit primitives, and a Buildroot/QEMU test environment for kernel vulnerability research and LPE studies.
Language: C
Topics: bpf-verifier, buildroot, cve-analysis, cybersecurity, dos, ebpf, exploit-development, information-leakage, kernel-security, linux-kernel, poc, privilege-escalation, qemu, security-research, vulnerability-research

# eBPF Verifier Exploit Research — s344024 Romano Simone

Research project for the Security Verification and Testing (SVT) course —
analysis and exploit development for eBPF verifier vulnerabilities in the Linux kernel.

The primary focus is identifying unpatched or unexploited CVEs in `kernel/bpf/verifier.c`,
writing proofs of concept, and developing memory read/write primitives suitable for
Local Privilege Escalation (LPE).

---

## Project Structure

```
s344024_Romano_Simone/
│
├── test/                               ← Buildroot-based build & test environment
│   ├── build.sh                        ← Interactive build script (CVE + kernel selection)
│   ├── buildroot/                      ← Buildroot source tree
│   ├── configs/                        ← Shared/base buildroot configs
│   ├── patches/                        ← Per-kernel patch sets (linux-4.x ... 5.9.x)
│   ├── linux-6.8/kernel/bpf/           ← Reference verifier source for diff/analysis
│   └── CVEs/                           ← One folder per CVE under test
│       ├── CVE-2023-39191/
│       │   ├── configs/                ← Per-kernel buildroot + kernel configs
│       │   │   ├── v6.0/
│       │   │   └── v6.1/
│       │   ├── exploit_overlay/
│       │   └── src/
│       ├── CVE-2024-42072/
│       │   ├── configs/
│       │   ├── exploit_overlay/
│       │   └── src/
│       ├── CVE-2024-43838/
│       │   ├── configs/
│       │   ├── exploit_overlay/
│       │   └── src/
│       ├── CVE-2024-45020/
│       │   ├── configs/
│       │   ├── exploit_overlay/
│       │   └── src/
│       └── CVE-2024-58100/
│           ├── configs/
│           ├── exploit_overlay/
│           └── src/
│
├── exploits/                           ← Standalone exploit sources (outside Buildroot flow)
│   ├── CVE-2023-39191/src/             ← poc.c, exploit.c
│   ├── CVE-2024-42072/src/
│   ├── CVE-2024-45020/src/
│   └── CVE-2024-58100/src/
│
├── report/                             ← LaTeX report
│   ├── main.tex
│   ├── compile.sh
│   ├── src/                            ← Per-CVE chapter sources
│   │   ├── CVE-2023-39191.tex
│   │   ├── CVE-2024-42072.tex
│   │   ├── CVE-2024-45020.tex
│   │   └── CVE-2024-58100.tex
│   ├── img/
│   ├── out/                            ← Build artifacts (aux, log, ...)
│   └── SVT_report.pdf                  ← Compiled PDF
│
└── presentation/                       ← LaTeX slides
    ├── main.tex
    ├── compile.sh
    ├── img/
    ├── out/
    └── SVT_presentation.pdf            ← Compiled PDF
```

---

## CVEs

| CVE | Kernel Range | Bug Class | Memory Primitive | LPE Status |
|-----|-------------|-----------|-----------------|------------|
| CVE-2023-39191 | ≤ 6.1.19 / ≤ 6.2.6 | Dynptr type confusion (OOB via overlapping dynptrs on BPF stack) | Arbitrary OOB R/W via corrupted dynptr size | Full LPE (adaptive calibration + cred spray) |
| CVE-2024-42072 | < 6.10.2 | Verifier register state leak across subprog calls | OOB read primitive | Primitive confirmed, LPE in progress |
| CVE-2024-45020 | < 6.11 | Incorrect bounds check on stack-allocated dynptr | OOB R/W potential | PoC confirmed, exploitation analysis ongoing |
| CVE-2024-58100 | 5.6 – 6.6.89 / 6.7 – 6.12.24 | Verifier omits `changes_pkt_data` propagation through GLOBAL subprog → stale `PTR_TO_PACKET` after `bpf_skb_change_head` | UAF R/W on freed `kmalloc-1024` slab | UAF R/W confirmed, full LPE (`modprobe_path` tampered) |

---

## Testing Environment

The project uses a Buildroot-based QEMU environment. `test/build.sh` handles kernel
selection, config preparation, legacy option stripping, and build orchestration.

```bash
cd test/
./build.sh        # Interactively select CVE + kernel, then build
```

After the build completes, boot QEMU with:

```bash
cd buildroot/
output/images/start-qemu.sh  --serial-only -- -m 9216
```

> **Note:** `-m 9216` (9 GiB RAM) is **required** for CVE-2023-39191.
> The exploit's OOB target lands at ~8.2 GiB physical; less RAM makes it unreachable.

| VM Detail | Value |
|-----------|-------|
| Rootfs | Buildroot minimal image |
| Kernel | Per-CVE, selectable in build script |
| Virtualization | QEMU (no KVM required) |
| Login | `root` (no password) |
| BPF | Enabled, unprivileged BPF allowed |
| KASLR / RANDOMIZE_MEMORY | Disabled (for exploit reproducibility) |
| Binary delivery | Via Buildroot overlay → `/root/` in VM |

---

## Building & Running

### CVE-2023-39191 — Dynptr Type Confusion LPE

```bash
# Build Buildroot image for kernel 5.19 (vulnerable)
cd test/
./build.sh   # select CVE-2023-39191, kernel v5.19

# Boot VM with 9 GB RAM
cd buildroot/
output/images/start-qemu.sh  --serial-only -- -m 9216

# Inside VM:
/root/poc           # Verify OOB R/W primitive
/home/user/exploit  # Full LPE → creates /tmp/rootsh
/tmp/rootsh         # Spawn root shell
```

### CVE-2024-42072

```bash
cd test/
./build.sh   # select CVE-2024-42072

cd buildroot/
output/images/start-qemu.sh  --serial-only

# Inside VM:
/root/poc      # OOB read primitive demo
/root/exploit  # Exploitation attempt
```

### CVE-2024-45020

```bash
cd test/
./build.sh   # select CVE-2024-45020

cd buildroot/
output/images/start-qemu.sh  --serial-only

# Inside VM:
/root/poc      # Dynptr OOB trigger
/root/exploit  # Exploitation attempt
```

### CVE-2024-58100 — Stale PTR_TO_PACKET UAF

```bash
cd test/
./build.sh   # select CVE-2024-58100, kernel v6.12.24

cd buildroot/
output/images/start-qemu.sh -- -smp 4

# Inside VM (login as user, uid=1000):
/home/user/poc        # Verifier-accept demo (stale PTR_TO_PACKET load)
/home/user/exploit    # UAF R/W primitive + PE attempt via pipe_buffer.ops
```

> **Capabilities:** the init script (`exploit_overlay/etc/init.d/S99exploit`) grants
> `cap_bpf,cap_net_admin,cap_perfmon,cap_syslog+ep` to the exploit binary and sets
> `kptr_restrict=0`, `unprivileged_bpf_disabled=0`, `perf_event_paranoid=0`. This
> simulates a context where a service with BPF policy is compromised — CVE-2024-58100
> is **not** exploitable by a fully unprivileged user on modern kernels.

---

## Report

The full technical report (LaTeX + PDF) is in `report/`. It covers:
- Methodology for CVE selection from the eBPF verifier bug class
- Technical analysis of each CVE (patch diff, root cause, exploitation path)
- Exploit design decisions and failed approaches
- Results and conclusions

Politecnico di Torino — Cybersecurity (SVT) — A.Y. 2025/2026