OpenTelemetry eBPF Instrumentation Buffer Overread and Memory Overwrite Vulnerability

Vulnerability

A memory safety vulnerability has been identified in OpenTelemetry eBPF Instrumentation's log enricher component, specifically in versions from 0.7.0 up to, but not including, 0.9.0. The issue arises from improper handling of multi-segment writev buffers. The log enricher reads only the first segment of the buffer while using the total byte count of all segments as the length for copying data. This discrepancy can be exploited when log injection is enabled, allowing crafted writev calls to cause the log enricher to read and overwrite memory beyond the first segment. Such exploitation can corrupt adjacent application buffers, leak memory into log events, and potentially destabilize the instrumented process.
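The length mismatch described above, modelled in user-space C as an added example; it is not code from OpenTelemetry eBPF Instrumentation and does not reproduce the project's fix. The function names and the sample buffers are hypothetical and constructed here, and the bounded variant generalizes to splitting the byte count across every segment.

```c
#include <stddef.h>
#include <stdio.h>
#include <sys/uio.h>

/* Flawed pattern from the advisory: base pointer taken from segment 0,
 * length taken from the byte count of the whole writev call. */
static struct iovec span_flawed(const struct iovec *iov, size_t total) {
    struct iovec s = { iov[0].iov_base, total };
    return s;
}

/* Bounded pattern: split the byte count across the segments so that no
 * span is longer than the segment it points into. Returns span count. */
static int spans_bounded(const struct iovec *iov, int iovcnt, size_t total,
                         struct iovec *out) {
    int n = 0;
    for (int i = 0; i < iovcnt && total > 0; i++) {
        size_t len = iov[i].iov_len < total ? iov[i].iov_len : total;
        if (len == 0)
            continue;                      /* skip empty segments */
        out[n].iov_base = iov[i].iov_base;
        out[n].iov_len = len;
        total -= len;
        n++;
    }
    return n;
}

/* Constructed sample: short first segment, large second segment. */
static char head[8] = "level=i";
static char body[4096];

/* Bytes past segment 0 that the flawed span would cover. */
static size_t demo_overrun(void) {
    struct iovec iov[2] = { { head, sizeof head }, { body, sizeof body } };
    size_t total = sizeof head + sizeof body;
    struct iovec out[2];
    spans_bounded(iov, 2, total, out);
    return span_flawed(iov, total).iov_len - out[0].iov_len;
}

/* Byte count of 10: the second span must be clamped to 2 bytes. */
static size_t demo_short_write(void) {
    struct iovec iov[2] = { { head, sizeof head }, { body, sizeof body } };
    struct iovec out[2];
    return spans_bounded(iov, 2, 10, out) == 2 ? out[1].iov_len : 0;
}

int main(void) {
    printf("overrun=%zu short=%zu\n", demo_overrun(), demo_short_write());
    return 0;
}
```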

Impact

Exploitation of this vulnerability leads to out-of-bounds memory read and write operations, causing memory corruption, disclosure of adjacent memory, and possible instability or crashes in the affected process.

Reproduction

The vulnerability can be reproduced by creating a program that performs a two-segment writev operation, with the first segment being short and the second segment large. This program can be compiled and run to generate the vulnerable writev pattern. Once the program is running, OpenTelemetry's OBI tool can be attached to the process with log enrichment enabled, triggering the vulnerability by overwriting memory beyond the first writev segment.

Remediation

Users can upgrade to OpenTelemetry eBPF Instrumentation version 0.9.0 or later, where this vulnerability has been patched.

Added: Jun 2, 2026, 4:35 PM
Updated: Jun 2, 2026, 4:35 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.9
exploitability: 4.6
remediation: 0.0
relevance: 9.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.