cilium ebpf
cpe:2.3:a:cilium:cilium:*:*:*:*:*:*:*
- <= 0.21.0
An integer overflow has been identified in the cilium/ebpf library's BTF (BPF Type Format) parser, affecting versions up to and including 0.21.0. The string-table offset validation in the `loadRawSpec` function of `btf/btf.go` does not reject a malformed BTF record whose string offset points past the end of the string data, so the parser panics instead of returning an error. An attacker who controls the BTF metadata of an ELF object that the library parses can therefore trigger a runtime panic and abort parsing. The issue has been publicly disclosed, and a crafted object file is all that is needed to trigger it, so exploitation against services that parse untrusted objects is realistic.
The impact is a process-level denial of service: the panic is not recovered, so the Go process parsing the object crashes. A worker that loads objects from untrusted sources stops at the first malformed file and no longer processes subsequent, benign artifacts.
The issue is reproducible through the library's public parsing API. Take a valid ELF object, mutate its BTF section so that a string offset points past the end of the string data, and pass the result to `LoadCollectionSpecFromReader`: the call panics instead of returning an error. A script accompanying the report automates these steps and records the result.
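The following Go program is an added illustration, not code from cilium/ebpf or from the script mentioned above. It models the bug class on a minimal BTF string table: the header layout follows the kernel's documented `struct btf_header`, but the parser, the names `sectionBounds`, `lookupUnchecked`, `lookup`, `parseStringTable`, `parseNames` and `buildBlob`, and the sample blobs are constructed for this example and do not reproduce the exact check in `loadRawSpec`. It shows the unchecked lookup that panics on an out-of-range string offset, the hardened lookup and overflow-safe section arithmetic that return errors instead, and a recover wrapper that keeps a parsing worker alive when the parser panics on untrusted input.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
)

const btfMagic = 0xeB9F // magic at the start of every BTF blob (kernel format)

// rawHeader mirrors the kernel's struct btf_header; offsets are relative to the header end.
type rawHeader struct {
	Magic            uint16
	Version, Flags   uint8
	HdrLen           uint32
	TypeOff, TypeLen uint32
	StrOff, StrLen   uint32
}

// sectionBounds carves one section out of the blob. Values are widened to uint64 before
// adding: in uint32, hdrLen+off+len can wrap to a small number that "<= size" would accept.
func sectionBounds(blob []byte, hdrLen, off, length uint32) ([]byte, error) {
	start := uint64(hdrLen) + uint64(off)
	end := start + uint64(length)
	if end > uint64(len(blob)) {
		return nil, fmt.Errorf("btf: section [%d,%d) lies outside %d-byte blob", start, end, len(blob))
	}
	return blob[start:end], nil
}

type stringTable []byte // BTF string section: NUL-terminated strings, offset 0 is ""

// lookupUnchecked indexes before validating (the bug class): an offset past the end panics.
func (st stringTable) lookupUnchecked(off uint32) (string, error) {
	return string(st[off : off+uint32(bytes.IndexByte(st[off:], 0))]), nil
}

// lookup is the hardened form: reject out-of-range offsets and unterminated strings.
func (st stringTable) lookup(off uint32) (string, error) {
	if uint64(off) >= uint64(len(st)) {
		return "", fmt.Errorf("btf: string offset %d outside %d-byte string table", off, len(st))
	}
	end := bytes.IndexByte(st[off:], 0)
	if end < 0 {
		return "", fmt.Errorf("btf: string at offset %d is not NUL-terminated", off)
	}
	return string(st[off : off+uint32(end)]), nil
}

// parseStringTable reads the header and locates the string section.
func parseStringTable(blob []byte) (stringTable, error) {
	var h rawHeader
	if err := binary.Read(bytes.NewReader(blob), binary.LittleEndian, &h); err != nil {
		return nil, fmt.Errorf("btf: short header: %w", err)
	}
	strs, err := sectionBounds(blob, h.HdrLen, h.StrOff, h.StrLen)
	if err != nil {
		return nil, err
	}
	return stringTable(strs), nil
}

// parseNames resolves name offsets against the blob's string table using the given lookup
// (stringTable.lookup or stringTable.lookupUnchecked). The deferred recover is what a worker
// feeding untrusted objects to a parser needs even before upgrading: a panic becomes an
// ordinary error instead of killing the process.
func parseNames(blob []byte, offsets []uint32, lookup func(stringTable, uint32) (string, error)) (names []string, err error) {
	defer func() {
		if r := recover(); r != nil {
			names, err = nil, fmt.Errorf("btf: parser panicked: %v", r)
		}
	}()
	st, err := parseStringTable(blob)
	if err != nil {
		return nil, err
	}
	for _, off := range offsets {
		name, lookupErr := lookup(st, off)
		if lookupErr != nil {
			return nil, lookupErr
		}
		names = append(names, name)
	}
	return names, nil
}

// buildBlob assembles a minimal BTF blob (empty type section): constructed input, not compiler output.
func buildBlob(strOff, strLen uint32, strs []byte) []byte {
	h := rawHeader{Magic: btfMagic, Version: 1, HdrLen: 24, StrOff: strOff, StrLen: strLen}
	var buf bytes.Buffer
	_ = binary.Write(&buf, binary.LittleEndian, h)
	buf.Write(strs)
	return buf.Bytes()
}

func main() {
	good := buildBlob(0, 5, []byte("\x00int\x00"))
	fmt.Println(parseNames(good, []uint32{1}, stringTable.lookup))                    // [int] <nil>
	fmt.Println(parseNames(good, []uint32{0xFFFFFFFF}, stringTable.lookupUnchecked))  // panic recovered into an error
	fmt.Println(parseNames(buildBlob(0xFFFFFFF0, 0x20, make([]byte, 32)), nil, stringTable.lookup))
}
```

Run it with `go run`. The last case in `main` is the one worth remembering: in 32-bit arithmetic the string section's end (24 + 0xFFFFFFF0 + 0x20) wraps to 40, which is inside the 56-byte blob, so a check that adds first and compares second accepts the section; widening to 64 bits before adding rejects it. The recover wrapper is a containment measure for a worker that must keep serving, not a substitute for the upgrade.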
Update to a cilium/ebpf release that contains the fix. Note that the affected range recorded above runs up to and including 0.21.0, while this entry also names 0.21.0 as the fixed version; both cannot be right, so confirm from the project's advisory or changelog that the release you deploy includes the fix. Until the upgrade is in place, services that parse objects from untrusted sources should recover from panics in the parsing worker so that one malformed file cannot take the whole process down.