While aware of #2870, we still need to support/fix the current tracee event context, as it has data type overflows that are likely causing context to be lost (all uint32 values from the eBPF context might be overflowed when decoded into the Event struct, such as the PIDNS value, declared as int, which defaults to very high numbers in my env).
The new event.proto takes care of correct types (using google.protobuf.UInt32Value in the right places, kudos to @josedonizetti).
More details
While playing with some marshalling and unmarshalling ideas (for other output printers, for example), I got the following error after an event -> json -> parquet conversion:

This isn't quite an unsigned 32 bit overflow, but it is a signed 32 bit overflow. Meaning that a bunch of Event fields that are `int` should actually be `uint32`:

```go
type Event struct {
	Timestamp             int          `json:"timestamp"`
	ThreadStartTime       int          `json:"threadStartTime"`
	ProcessorID           int          `json:"processorId"`
	ProcessID             int          `json:"processId"`
	CgroupID              uint         `json:"cgroupId"`
	ThreadID              int          `json:"threadId"`
	ParentProcessID       int          `json:"parentProcessId"`
	HostProcessID         int          `json:"hostProcessId"`
	HostThreadID          int          `json:"hostThreadId"`
	HostParentProcessID   int          `json:"hostParentProcessId"`
	UserID                int          `json:"userId"`
	MountNS               int          `json:"mountNamespace"`
	PIDNS                 int          `json:"pidNamespace"`
	ProcessName           string       `json:"processName"`
	Executable            File         `json:"executable"`
	HostName              string       `json:"hostName"`
	ContainerID           string       `json:"containerId"`
	Container             Container    `json:"container,omitempty"`
	Kubernetes            Kubernetes   `json:"kubernetes,omitempty"`
	EventID               int          `json:"eventId,string"`
	EventName             string       `json:"eventName"`
	PoliciesVersion       uint16       `json:"-"`
	MatchedPoliciesKernel uint64       `json:"-"`
	MatchedPoliciesUser   uint64       `json:"-"`
	MatchedPolicies       []string     `json:"matchedPolicies,omitempty"`
	ArgsNum               int          `json:"argsNum"`
	ReturnValue           int          `json:"returnValue"`
	Syscall               string       `json:"syscall"`
	StackAddresses        []uint64     `json:"stackAddresses"`
	ContextFlags          ContextFlags `json:"contextFlags"`
	ThreadEntityId        uint32       `json:"threadEntityId"`  // thread task unique identifier (*)
	ProcessEntityId       uint32       `json:"processEntityId"` // process unique identifier (*)
	ParentEntityId        uint32       `json:"parentEntityId"`  // parent process unique identifier (*)
	Args                  []Argument   `json:"args"`            // args are ordered according their appearance in the original event
	Metadata              *Metadata    `json:"metadata,omitempty"`
}
```
The event struct dates from 2020 and since the beginning has had uint32 types declared as ints. We probably never paid hard attention because most of the values don't overflow often (and if they do, we wouldn't catch it in any test, I believe). But the default PID namespaces are overflowing in my environments. It happened by accident because Parquet does not support unsigned integers in its data format.
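As an added illustration of the signed 32-bit overflow the issue describes (this is example code written for this page, not the issue author's code and not part of the tracee code base): a constructed pid namespace inode value above math.MaxInt32 is narrowed to int32 to show the wrap, then the same JSON document is decoded into an int32 field (which encoding/json rejects with an overflow error) and into a uint32 field (which keeps the value). It also carries the guard and the widening to int64 one would apply before writing a u32 into a sink that only offers signed integer columns. The struct shapes, the sample value and the function names are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"math"
)

// Constructed sample value for this example: an inode number of the kind the
// kernel hands out for the initial pid namespace. It fits a u32 but exceeds
// math.MaxInt32 (2147483647).
const samplePIDNS uint32 = 4026531836

// BrokenEvent models the field once it lands in a signed 32-bit column
// (what a json -> parquet step with INT32 columns does).
type BrokenEvent struct {
	PIDNS int32 `json:"pidNamespace"`
}

// FixedEvent models the proposed field type: the kernel's u32 stays u32.
type FixedEvent struct {
	PIDNS uint32 `json:"pidNamespace"`
}

// NarrowToInt32 is the raw two's-complement reinterpretation: the bit
// pattern is kept and the value above 2^31-1 reads back as negative.
func NarrowToInt32(v uint32) int32 {
	return int32(v)
}

// FitsInt32 is the guard to run before writing a u32 into a signed 32-bit
// column; values that fail it must be widened instead of narrowed.
func FitsInt32(v uint32) bool {
	return v <= math.MaxInt32
}

// WidenForSignedSink is the lossless alternative: every u32 fits an int64,
// so a sink without unsigned columns can still hold the value exactly.
func WidenForSignedSink(v uint32) int64 {
	return int64(v)
}

// SampleDoc encodes the constructed event the way a JSON printer would.
func SampleDoc() []byte {
	doc, _ := json.Marshal(FixedEvent{PIDNS: samplePIDNS})
	return doc
}

// DecodeBroken decodes into the int32 shape. encoding/json does not wrap
// silently: it returns a *json.UnmarshalTypeError and leaves the field zero.
func DecodeBroken(doc []byte) (int32, error) {
	var e BrokenEvent
	err := json.Unmarshal(doc, &e)
	return e.PIDNS, err
}

// DecodeFixed decodes into the uint32 shape and keeps the full value.
func DecodeFixed(doc []byte) (uint32, error) {
	var e FixedEvent
	err := json.Unmarshal(doc, &e)
	return e.PIDNS, err
}

func main() {
	fmt.Printf("u32 %d narrowed to int32: %d\n", samplePIDNS, NarrowToInt32(samplePIDNS))
	fmt.Printf("fits int32: %v, widened to int64: %d\n", FitsInt32(samplePIDNS), WidenForSignedSink(samplePIDNS))
	if _, err := DecodeBroken(SampleDoc()); err != nil {
		fmt.Println("int32 field:", err)
	}
	v, err := DecodeFixed(SampleDoc())
	fmt.Println("uint32 field:", v, err)
}
```

The narrowing is the silent failure mode (a wrong but plausible-looking negative number); the JSON decode error is the loud one. A sink that only has signed columns should get the int64 widening, never the int32 cast.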
Is this awaiting any related changes, or can I tackle the `Event` `int` to `uint32` change?
Please do tackle this. Make sure to test it extensively (including internal E2E) because I'm a bit afraid of this change. Let me know if you need anything. Thanks a lot!
@geyslan @rafaeldtinoco yeah, I think waiting is for the best now, since it seems we will migrate the event structure for the 0.20.0 release, but if we see it is not the case in the next few weeks, this should indeed be fixed.