Listen to this Post
The Java TLS ioctl probe in OBI versions up to v0.0.0-rc.1+build reads a user‑controlled ioctl pointer using `bpf_probe_read` instead of the user‑space‑safe bpf_probe_read_user. This allows an instrumented local process to supply a kernel pointer and have kernel memory copied into telemetry.
The vulnerable code resides in bpf/generictracer/java_tls.c. The kprobe hooks do_vfs_ioctl, filters on `fd == 0` and a magic Java TLS command, then treats the third ioctl argument as a structured buffer. It reads fields from that pointer using bpf_probe_read, including:
– the operation byte from `arg`
– connection metadata from `arg + 1`
– the payload length from `arg + 1 + sizeof(connection_info_t)`
If len > 0, it computes `buf = arg + 1 + sizeof(connection_info_t) + sizeof(u32)` and passes that pointer into handle_buf_with_connection. The next stage, bpf/generictracer/k_tracer_defs.h, uses `bpf_probe_read(args->small_buf, MIN_HTTP2_SIZE, (void )args->u_buf)` on the supplied pointer and tail‑calls deeper protocol logic. The HTTP protocol path then reads from `u_buf` and emits the bytes through `bpf_ringbuf_output` in bpf/generictracer/protocol_http.h.
Because the ioctl pointer originates in user space, the probe should be using `bpf_probe_read_user` with strict length validation. Using `bpf_probe_read` makes it possible for an instrumented process to supply a kernel pointer and exfiltrate kernel‑resident bytes into telemetry.
DailyCVE Form
Platform: Linux x86_64
Version: v0.0.0-rc.1+build
Vulnerability: Kernel memory disclosure
Severity: Critical
date: 2026-05-18
Prediction: Patch due mid‑June 2026
What Undercode Say:
Analytics
List all OBI processes and check their BPF programs sudo bpftool prog list | grep -A 5 "java_tls" Monitor ioctl calls for the Java TLS magic command sudo strace -e ioctl -p $(pidof obi) 2>&1 | grep "0x0b10b1" Check if the kernel pointer is being read by OBI's eBPF probe sudo cat /sys/kernel/debug/tracing/trace_pipe | grep "bpf_probe_read"
How Exploit:
- Compile the PoC – Use the provided C code to issue the magic ioctl on fd 0 with a kernel pointer (e.g.,
0xffff888000000000). - Trigger the probe – Run the compiled binary on a vulnerable OBI installation.
- Exfiltrate data – The OBI agent will read the kernel memory at the supplied address and send it through the telemetry pipeline.
Protection from this CVE:
- Upgrade OBI – Apply any future patch that replaces `bpf_probe_read` with `bpf_probe_read_user` and adds length validation.
- Disable Java TLS instrumentation – If not critical, turn off the Java TLS feature to block the vulnerable probe.
- Restrict BPF access – Ensure only trusted users can load eBPF programs (e.g., using `BPF_LSM` or
CAP_BPF).
Impact:
- Confidentiality – Any kernel memory that the attacker can point to is leaked into the telemetry system, potentially exposing encryption keys, user data, or system secrets.
- Local privilege escalation – Although the OBI agent runs with elevated privileges, the leak is one‑way; however, the disclosed memory may be used to bypass KASLR or other kernel protections.
- Availability – The vulnerability is primarily an information disclosure; it does not directly affect system stability.
References:
- The ’s PoC and reproduction steps (provided in the original text)
- Linux kernel BPF helper documentation: `bpf_probe_read` vs `bpf_probe_read_user`
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

