https://github.com/sroman0/explotability_analysis_ebpf
Exploitability analysis of Linux eBPF verifier CVEs, including PoCs, exploit primitives, and a Buildroot/QEMU test environment for kernel vulnerability research and LPE studies.
https://github.com/sroman0/explotability_analysis_ebpf
bpf-verifier buildroot cve-analysis cybersecurity dos ebpf exploit-development information-leakage kernel-security linux-kernel poc privilege-escalation qemu security-research vulnerability-research
Last synced: about 11 hours ago
JSON representation
Exploitability analysis of Linux eBPF verifier CVEs, including PoCs, exploit primitives, and a Buildroot/QEMU test environment for kernel vulnerability research and LPE studies.
- Host: GitHub
- URL: https://github.com/sroman0/explotability_analysis_ebpf
- Owner: sroman0
- Created: 2026-06-20T16:39:51.000Z (11 days ago)
- Default Branch: main
- Last Pushed: 2026-06-20T17:05:45.000Z (11 days ago)
- Last Synced: 2026-06-20T18:22:53.365Z (11 days ago)
- Topics: bpf-verifier, buildroot, cve-analysis, cybersecurity, dos, ebpf, exploit-development, information-leakage, kernel-security, linux-kernel, poc, privilege-escalation, qemu, security-research, vulnerability-research
- Language: C
- Homepage:
- Size: 3.83 MB
- Stars: 1
- Watchers: 0
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
README
# eBPF Verifier Exploit Research — s344024 Romano Simone
Research project for the Security Verification and Testing (SVT) course —
analysis and exploit development for eBPF verifier vulnerabilities in the Linux kernel.
The primary focus is identifying unpatched or unexploited CVEs in `kernel/bpf/verifier.c`,
writing proofs of concept, and developing memory read/write primitives suitable for
Local Privilege Escalation (LPE).
---
## Project Structure
```
s344024_Romano_Simone/
│
├── test/ ← Buildroot-based build & test environment
│ ├── build.sh ← Interactive build script (CVE + kernel selection)
│ ├── buildroot/ ← Buildroot source tree
│ ├── configs/ ← Shared/base buildroot configs
│ ├── patches/ ← Per-kernel patch sets (linux-4.x ... 5.9.x)
│ ├── linux-6.8/kernel/bpf/ ← Reference verifier source for diff/analysis
│ └── CVEs/ ← One folder per CVE under test
│ ├── CVE-2023-39191/
│ │ ├── configs/ ← Per-kernel buildroot + kernel configs
│ │ │ ├── v6.0/
│ │ │ └── v6.1/
│ │ ├── exploit_overlay/
│ │ └── src/
│ ├── CVE-2024-42072/
│ │ ├── configs/
│ │ ├── exploit_overlay/
│ │ └── src/
│ ├── CVE-2024-43838/
│ │ ├── configs/
│ │ ├── exploit_overlay/
│ │ └── src/
│ ├── CVE-2024-45020/
│ │ ├── configs/
│ │ ├── exploit_overlay/
│ │ └── src/
│ └── CVE-2024-58100/
│ ├── configs/
│ ├── exploit_overlay/
│ └── src/
│
├── exploits/ ← Standalone exploit sources (outside Buildroot flow)
│ ├── CVE-2023-39191/src/ ← poc.c, exploit.c
│ ├── CVE-2024-42072/src/
│ ├── CVE-2024-45020/src/
│ └── CVE-2024-58100/src/
│
├── report/ ← LaTeX report
│ ├── main.tex
│ ├── compile.sh
│ ├── src/ ← Per-CVE chapter sources
│ │ ├── CVE-2023-39191.tex
│ │ ├── CVE-2024-42072.tex
│ │ ├── CVE-2024-45020.tex
│ │ └── CVE-2024-58100.tex
│ ├── img/
│ ├── out/ ← Build artifacts (aux, log, ...)
│ └── SVT_report.pdf ← Compiled PDF
│
└── presentation/ ← LaTeX slides
├── main.tex
├── compile.sh
├── img/
├── out/
└── SVT_presentation.pdf ← Compiled PDF
```
---
## CVEs
| CVE | Kernel Range | Bug Class | Memory Primitive | LPE Status |
|-----|-------------|-----------|-----------------|------------|
| CVE-2023-39191 | ≤ 6.1.19 / ≤ 6.2.6 | Dynptr type confusion (OOB via overlapping dynptrs on BPF stack) | Arbitrary OOB R/W via corrupted dynptr size | Full LPE (adaptive calibration + cred spray) |
| CVE-2024-42072 | < 6.10.2 | Verifier register state leak across subprog calls | OOB read primitive | Primitive confirmed, LPE in progress |
| CVE-2024-45020 | < 6.11 | Incorrect bounds check on stack-allocated dynptr | OOB R/W potential | PoC confirmed, exploitation analysis ongoing |
| CVE-2024-58100 | 5.6 – 6.6.89 / 6.7 – 6.12.24 | Verifier omits `changes_pkt_data` propagation through GLOBAL subprog → stale `PTR_TO_PACKET` after `bpf_skb_change_head` | UAF R/W on freed `kmalloc-1024` slab | UAF R/W confirmed, full LPE(modprobe_path tampered) |
---
## Testing Environment
The project uses a Buildroot-based QEMU environment. `test/build.sh` handles kernel
selection, config preparation, legacy option stripping, and build orchestration.
```bash
cd test/
./build.sh # Interactively select CVE + kernel, then build
```
After the build completes, boot QEMU with:
```bash
cd buildroot/
output/images/start-qemu.sh --serial-only -- -m 9216
```
> **Note:** `-m 9216` (9 GiB RAM) is **required** for CVE-2023-39191.
> The exploit's OOB target lands at ~8.2 GiB physical; less RAM makes it unreachable.
| VM Detail | Value |
|-----------|-------|
| Rootfs | Buildroot minimal image |
| Kernel | Per-CVE, selectable in build script |
| Virtualization | QEMU (no KVM required) |
| Login | `root` (no password) |
| BPF | Enabled, unprivileged BPF allowed |
| KASLR / RANDOMIZE_MEMORY | Disabled (for exploit reproducibility) |
| Binary delivery | Via Buildroot overlay → `/root/` in VM |
---
## Building & Running
### CVE-2023-39191 — Dynptr Type Confusion LPE
```bash
# Build Buildroot image for kernel 5.19 (vulnerable)
cd test/
./build.sh # select CVE-2023-39191, kernel v5.19
# Boot VM with 9 GB RAM
cd buildroot/
output/images/start-qemu.sh --serial-only -- -m 9216
# Inside VM:
/root/poc # Verify OOB R/W primitive
/home/user/exploit # Full LPE → creates /tmp/rootsh
/tmp/rootsh # Spawn root shell
```
### CVE-2024-42072
```bash
cd test/
./build.sh # select CVE-2024-42072
cd buildroot/
output/images/start-qemu.sh --serial-only
# Inside VM:
/root/poc # OOB read primitive demo
/root/exploit # Exploitation attempt
```
### CVE-2024-45020
```bash
cd test/
./build.sh # select CVE-2024-45020
cd buildroot/
output/images/start-qemu.sh --serial-only
# Inside VM:
/root/poc # Dynptr OOB trigger
/root/exploit # Exploitation attempt
```
### CVE-2024-58100 — Stale PTR_TO_PACKET UAF
```bash
cd test/
./build.sh # select CVE-2024-58100, kernel v6.12.24
cd buildroot/
output/images/start-qemu.sh -- -smp 4
# Inside VM (login as user, uid=1000):
/home/user/poc # Verifier-accept demo (stale PTR_TO_PACKET load)
/home/user/exploit # UAF R/W primitive + PE attempt via pipe_buffer.ops
```
> **Capabilities:** the init script (`exploit_overlay/etc/init.d/S99exploit`) grants
> `cap_bpf,cap_net_admin,cap_perfmon,cap_syslog+ep` to the exploit binary and sets
> `kptr_restrict=0`, `unprivileged_bpf_disabled=0`, `perf_event_paranoid=0`. This
> simulates a context where a service with BPF policy is compromised — CVE-2024-58100
> is **not** exploitable by a fully unprivileged user on modern kernels.
---
## Report
The full technical report (LaTeX + PDF) is in `report/`. It covers:
- Methodology for CVE selection from the eBPF verifier bug class
- Technical analysis of each CVE (patch diff, root cause, exploitation path)
- Exploit design decisions and failed approaches
- Results and conclusions
Politecnico di Torino — Cybersecurity (SVT) — A.Y. 2025/2026