Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Old kernel symbols dependency semantics broken #3382

Closed
NDStrahilevitz opened this issue Aug 13, 2023 · 1 comment · Fixed by #3384 or #3443
Closed

Old kernel symbols dependency semantics broken #3382

NDStrahilevitz opened this issue Aug 13, 2023 · 1 comment · Fixed by #3384 or #3443
Assignees
@rafaeldtinoco
Labels
kind/bug
Milestone
v0.18.0

Comments

@NDStrahilevitz
Copy link
Collaborator

Previously, kernel symbols dependency semantics differentiated between three cases:

  1. nil dependency - ksymbols irrelevant for the event.
  2. empty array event - ksymbols required but none need to be preloaded specifically.
  3. non-empty array - ksymbols required and specific symbols need to be preloaded.

Due to breaking this semantic, events such as print_mem_dump now fail when loading on their own:

tracee -e print_mem_dump.args.symbol_name=compat_filldir64
TIME             UID    COMM             PID     TID     RET              EVENT                     ARGS
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x20 pc=0x1ae51d1]

goroutine 1 [running]:
github.com/aquasecurity/tracee/pkg/ebpf.(*Tracee).triggerMemDump(_, {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...})
        /home/ubuntu/tracee/pkg/ebpf/tracee.go:1691 +0xd91
github.com/aquasecurity/tracee/pkg/ebpf.(*Tracee).Run(0xc001952000, {0x315d968, 0xc000716140})
        /home/ubuntu/tracee/pkg/ebpf/tracee.go:1323 +0x165
github.com/aquasecurity/tracee/pkg/cmd.Runner.Run({{0xc000330000, 0xc000338070, 0xc00033b400, 0xc001d053d0, {0x0, 0x0}, 0x400, 0x400, 0x0, {0x0, ...}, ...}, ...}, ...)
        /home/ubuntu/tracee/pkg/cmd/tracee.go:87 +0x385
github.com/aquasecurity/tracee/cmd/tracee/cmd.glob..func4(0xc0007bfde0?, {0xc000040190?, 0x2?, 0x2?})
        /home/ubuntu/tracee/cmd/tracee/cmd/root.go:61 +0x258
github.com/spf13/cobra.(*Command).execute(0x3d39ac0, {0xc000040190, 0x2, 0x2})
        /home/ubuntu/go/pkg/mod/github.com/spf13/cobra@v1.7.0/command.go:944 +0x847
github.com/spf13/cobra.(*Command).ExecuteC(0x3d39ac0)
        /home/ubuntu/go/pkg/mod/github.com/spf13/cobra@v1.7.0/command.go:1068 +0x3bd
github.com/spf13/cobra.(*Command).Execute(...)
        /home/ubuntu/go/pkg/mod/github.com/spf13/cobra@v1.7.0/command.go:992
github.com/aquasecurity/tracee/cmd/tracee/cmd.Execute()
        /home/ubuntu/tracee/cmd/tracee/cmd/root.go:336 +0x34
main.main()
        /home/ubuntu/tracee/cmd/tracee/main.go:11 +0x19
@NDStrahilevitz NDStrahilevitz self-assigned this Aug 13, 2023
@NDStrahilevitz NDStrahilevitz added this to the v0.18.0 milestone Aug 13, 2023
@NDStrahilevitz NDStrahilevitz mentioned this issue Aug 13, 2023
Merged
@rafaeldtinoco rafaeldtinoco mentioned this issue Sep 5, 2023
Merged
@rafaeldtinoco rafaeldtinoco reopened this Sep 5, 2023
@rafaeldtinoco
Copy link
Contributor

Fix for this was reverted by #3436. I'm proposing a minor change that fixes this issue.

@rafaeldtinoco rafaeldtinoco mentioned this issue Sep 5, 2023
Merged
@yanivagman yanivagman linked a pull request Sep 6, 2023 that will close this issue
fix(definitions): ksymbols dependencies handled wrongly #3443
Merged
rafaeldtinoco added a commit that referenced this issue Sep 6, 2023
@rafaeldtinoco
fix(event): enable ksymbols engine for PrintMemDump (#3443)
c1c053a 
Commit 1a47a4e attempted to fix this issue by reverting some changes
made during the event definitions (and dependencies) refactor. That
change caused some regressions because of another fix made together,
but, since it was reverted, this commit fixes the same issue with a much
simpler approach (at least until the event definitions refactor work is
finished).

Fixes: #3382
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rafaeldtinoco rafaeldtinoco

Labels
kind/bug
Projects
None yet
Milestone
v0.18.0
3 participants
@rafaeldtinoco @NDStrahilevitz @AlonZivony