Impact
What kind of vulnerability is it? Who is impacted?
A bug in the driver (i.e., the kernel module) shipped with Falco could lead to a kernel panic (NULL pointer dereference) on some newer kernels when the user kills or interrupts a process. However, the bug should be seen more as a usability issue than a security problem.
PoC:
sleep 10 & (killall -9 sleep)
Backtrace:
[
70.681021] BUG: unable to handle kernel NULL pointer dereference at
0000000000000010
[...]
[
70.681355] Call Trace:
[
70.681370] ? record_event_consumer.part.4+0x300/0xb00 [sysdig_probe]
[
70.681388] record_event_all_consumers+0x76/0xb0 [sysdig_probe]
[
70.681406] signal_deliver_probe+0x48/0x70 [sysdig_probe]
[
70.681424] get_signal+0x352/0x760
[
70.681450] do_signal+0x36/0x640
[
70.681466] ? record_event_all_consumers+0x8b/0xb0 [sysdig_probe]
[
70.681484] ? syscall_exit_probe+0x11a/0x130 [sysdig_probe]
[
70.681500] exit_to_usermode_loop+0xbf/0xe0
[
70.681513] do_syscall_64+0x157/0x180
[
70.681530] entry_SYSCALL_64_after_hwframe+0x44/0xa9
Only users using Falco versions before 0.18.0 with the kernel module on kernels greater than 5.1.8 are impacted.
Patches
Has the problem been patched? What versions should users upgrade to?
The problem has been addressed by commit 94ca286 on Jul 29, 2019.
Users should upgrade to Falco 0.18.0 or later.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
No workaround available, a version upgrade to 0.18.0 (which uses a Falco kernel module containing the above-mentioned commit) or later is needed.
References
Are there any links users can visit to find out more?
For Linux kernels greater than 5.1.8 get_signal passes a NULL pointer to the tracer function when the process is terminated, see https://elixir.bootlin.com/linux/v5.1.8/source/kernel/signal.c#L2444. The patch always verifies (also before accessing struct elements) whether the pointer passed by get_signal is NULL or not to avoid invalid memory access in record_event_consumer.
For more information
If you have any questions or comments about this advisory:
Impact
What kind of vulnerability is it? Who is impacted?
A bug in the driver (i.e., the kernel module) shipped with Falco could lead to a kernel panic (NULL pointer dereference) on some newer kernels when the user kills or interrupts a process. However, the bug should be seen more as a usability issue than a security problem.
PoC:
sleep 10 & (killall -9 sleep)Backtrace:
Only users using Falco versions before 0.18.0 with the kernel module on kernels greater than 5.1.8 are impacted.
Patches
Has the problem been patched? What versions should users upgrade to?
The problem has been addressed by commit 94ca286 on Jul 29, 2019.
Users should upgrade to Falco 0.18.0 or later.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
No workaround available, a version upgrade to 0.18.0 (which uses a Falco kernel module containing the above-mentioned commit) or later is needed.
References
Are there any links users can visit to find out more?
For Linux kernels greater than 5.1.8
get_signalpasses aNULLpointer to the tracer function when the process is terminated, see https://elixir.bootlin.com/linux/v5.1.8/source/kernel/signal.c#L2444. The patch always verifies (also before accessing struct elements) whether the pointer passed byget_signalisNULLor not to avoid invalid memory access inrecord_event_consumer.For more information
If you have any questions or comments about this advisory: