Inspektor Gadget: Tracing Denial of Service via Event Flooding

Inspektor Gadget is a set of tools and framework for data collection and system inspection on Kubernetes clusters and Linux hosts using eBPF. Prior to 0.50.1, in a situation where the ring-buffer of a gadget is – incidentally or maliciously – already full, the gadget will silently drop events. The include/gadget/buffer.h file contains definitions for the Buffer API that gadgets can use to, among the other things, transfer data from eBPF programs to userspace. For hosts running a modern enough Linux kernel (>= 5.8), this transfer mechanism is based on ring-buffers. The size of the ring-buffer for the gadgets is hard-coded to 256KB. When a gadget_reserve_buf fails because of insufficient space, the gadget silently cleans up without producing an alert. The lost count reported by the eBPF operator, when using ring-buffers – the modern choice – is hardcoded to zero. The vulnerability can be used by a malicious event source (e.g. a compromised container) to cause a Denial Of Service, forcing the system to drop events coming from other containers (or the same container). This vulnerability is fixed in 0.50.1.

N/A

安全相关信息的遗漏

Inspektor Gadget 安全漏洞

Inspektor Gadget是Inspektor Gadget公司的一套基于 eBPF 的工具和框架。 Inspektor Gadget 0.50.1之前版本存在安全漏洞，该漏洞源于环形缓冲区已满时静默丢弃事件且丢失计数硬编码为零，可能导致恶意事件源引发拒绝服务攻击。

N/A

N/A