Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Infrequent Segfaults for CAPSET_X #817

Closed
adduali1310 opened this issue Dec 28, 2022 · 5 comments · Fixed by #818
Closed

Infrequent Segfaults for CAPSET_X #817

adduali1310 opened this issue Dec 28, 2022 · 5 comments · Fixed by #818
Assignees
@Andreagit97
Labels
kind/bug Something isn't working

Comments

@adduali1310
Copy link
Contributor

adduali1310 commented Dec 28, 2022
edited
Loading

Describe the bug

Noticed segfaults when running Falco. These segfaults seem to be intermittent and not very frequent.
Tried to enable log-level debug to figure out the issue, but that was not very helpful.

Tried to examine the coredump and on doing so, I can see the segfault occurs for the PPME_CAPSET_X event case i.e when trying to parse the event for capset_exit on the following line : https://github.com/falcosecurity/libs/blob/3.0.1+driver/userspace/libsinsp/parsers.cpp#L5697

Further tried to examine the issue via gdb and I can see that the threadinfo in the coredump is a nullptr and the threadinfo reference ( m_tinfo_ref) is also empty. The rest of the evt struct seems to have expected values.

Although the capset syscall is to set capabilities of a thread, my guess is some of the starting events have been missed as a result of which the threadinfo is a nullptr.

I can see similar nullptr checks through out the code file which I think handles this issue for specific cases.
Ex - https://github.com/falcosecurity/libs/blob/3.0.1+driver/userspace/libsinsp/parsers.cpp#L2358
https://github.com/falcosecurity/libs/blob/3.0.1+driver/userspace/libsinsp/parsers.cpp#L2827

How to reproduce it

For now seems to be very intermittent which makes me believe that this happens only when some start information is missed.

Edit: Submitted a PR that should help handle the issue.
Expected behaviour

No Segfaults should occur.

Environment

  • Falco version:

Falco version: 0.33.1-1-48a2c44b
Libs version: 0.9.0
Plugin API: 2.0.0
Driver:
API version: 2.0.0
Schema version: 2.0.0
Default driver: 3.0.1+driver
Machine: x86_64
System: Linux Debian
OS: Debian GNU/Linux 11 (bullseye)
Kernel: 5.15.76
Installation method: From Source
@adduali1310 adduali1310 added the kind/bug Something isn't working label Dec 28, 2022
@adduali1310 adduali1310 mentioned this issue Dec 28, 2022
Merged
@jasondellaluce
Copy link
Contributor

cc @loresuso

@loresuso
Copy link
Member

loresuso commented Jan 4, 2023
edited
Loading

Hi @adduali1310, thank you for noticing this.
I agree with you that we are missing a check on evt->m_tinfo being not null before dereferencing it as we also do in other parsers, thanks for your PR!
It would be interesting to understand when this actually happens.

@Andreagit97 Andreagit97 self-assigned this Jan 4, 2023
@Andreagit97
Copy link
Member

@adduali1310 thank you very much for the investigation and for the fix!

@adduali1310
Copy link
Contributor Author

Thanks for the feedback folks.

As to your point @loresuso about when this happens, I do not have any hypothesis about it currently but will try to investigate further to get a better idea. Do you have any thoughts on when this might happen?

Apart from this, wanted to bring up a couple of other points as well.

I was going through the userspace/libsinsp/parsers.cpp file source code and found a couple more issues:

  1. The check for thread information needs to be included in a couple more parsers. It is included in most parsers that utilize the thread information apart from a few. I have those changes ready. I could either add those as separate commits to this PR(fix: handle capset_x missing thread_info #818) or create a different PR if it is better to track that information separately since this specifically deals with the CAPSET_X parser.

  2. Another point is regarding consistency. While going through the source code I noticed the evt->m_tinfo being compared to a nullptr in some places , NULL in some and a logical NOT check in others. While functionally all work, it is fairly inconsistent and difficult to read.

Ex- https://github.com/falcosecurity/libs/blob/master/userspace/libsinsp/parsers.cpp#L223 (NULL check)
https://github.com/falcosecurity/libs/blob/master/userspace/libsinsp/parsers.cpp#L849 (negation check)
https://github.com/falcosecurity/libs/blob/master/userspace/libsinsp/parsers.cpp#L2430 (nullptr check)

I don't mind submitting a PR for making the file more consistent but wanted to get all of your thoughts on this.

@loresuso
Copy link
Member

loresuso commented Jan 5, 2023

Hi @adduali1310,
I agree with you! Personally, I'd open another PR to address the addition of the check to the other parsers and the consistency problem. I guess I would stick with the use of nullptr since parsers.cpp is indeed a C++ file, but let's wait also for the opinion of the other folks.

Anyway, I believe the segfault occurred because of some dropped events and the reset function that we call at the beginning of the processing of each event couldn't find an entry in the thread table for the event thread id, so the tinfo was kept to null

@adduali1310 adduali1310 mentioned this issue Jan 24, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@Andreagit97 Andreagit97

Labels
kind/bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: handle capset_x missing thread_info adduali1310/libs
4 participants
@jasondellaluce @loresuso @adduali1310 @Andreagit97