Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

bpf: bump prepend_name underlying buffer size 4096 #2764

Merged
merged 4 commits into from
Aug 7, 2024

Conversation

mtardy
Copy link
Member

@mtardy mtardy commented Aug 2, 2024

Fixes #2758

Description

The matchBinaries Prefix operator fails to match a path longer than 256 chars because of the way we read the binary path. We use the exe of the process and walk the dentry from end to beginning. Thus if the path is too long, the buffer contains an incorrect start.

Changelog

Fix a bug related to the matchBinaries Prefix operator by increasing the buffer size used by our dentry walk. Now the matchBinaries Prefix operator can correctly trigger a match on any path above 255 chars.

@mtardy mtardy added area/bpf This is related to BPF code release-note/bug This PR fixes an issue in a previous release of Tetragon. labels Aug 2, 2024
@mtardy mtardy requested a review from a team as a code owner August 2, 2024 15:45
@mtardy mtardy requested a review from tixxdz August 2, 2024 15:45
Copy link

netlify bot commented Aug 2, 2024

Deploy Preview for tetragon ready!

Name Link
🔨 Latest commit 4636210
🔍 Latest deploy log https://app.netlify.com/sites/tetragon/deploys/66b1118b2f162d000700d93e
😎 Deploy Preview https://deploy-preview-2764--tetragon.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site configuration.

@mtardy mtardy force-pushed the pr/mtardy/fix-mb-prefix branch 2 times, most recently from 5d77188 to d6b22ce Compare August 2, 2024 15:50
@mtardy
Copy link
Member Author

mtardy commented Aug 2, 2024

cc @anfedotoff

@anfedotoff
Copy link
Contributor

Nice! Thanks, @mtardy. It seems that I can close #2718 you already cherry-picked the test.

@mtardy
Copy link
Member Author

mtardy commented Aug 2, 2024

Nice! Thanks, @mtardy. It seems that I can close #2718 you already cherry-picked the test.

yeah I need to rework the test a little bit as well it seems to not work.

@mtardy mtardy force-pushed the pr/mtardy/fix-mb-prefix branch 4 times, most recently from 3c37657 to d5ad471 Compare August 2, 2024 17:14
bpf/process/bpf_execve_event.c Outdated Show resolved Hide resolved
mtardy added a commit to cilium/little-vm-helper-images that referenced this pull request Aug 5, 2024
I bumped into a bug when testing cilium/tetragon#2764 with the current
rhel8 kernel and it was later fixed.

Signed-off-by: Mahe Tardy <[email protected]>
mtardy added a commit to cilium/little-vm-helper-images that referenced this pull request Aug 5, 2024
I bumped into a bug when testing cilium/tetragon#2764 with the current
rhel8 kernel and it was later fixed.

Signed-off-by: Mahe Tardy <[email protected]>
@mtardy
Copy link
Member Author

mtardy commented Aug 5, 2024

I bumped into a rhel8 (rocky 8.6) bug, let's bump to a newer 8.9 that is fixed cilium/little-vm-helper-images#612.

@mtardy mtardy force-pushed the pr/mtardy/fix-mb-prefix branch from d5ad471 to 4636210 Compare August 5, 2024 17:53
@mtardy mtardy requested a review from kevsecurity August 5, 2024 17:53
@mtardy mtardy force-pushed the pr/mtardy/fix-mb-prefix branch from 4636210 to 5a7165f Compare August 5, 2024 17:55
@kevsecurity
Copy link
Contributor

CI looks pretty red ❓

@mtardy
Copy link
Member Author

mtardy commented Aug 6, 2024

CI looks pretty red ❓

oh boy I just rebased and made the tiny change and indeed it seems everything is broken

@mtardy mtardy force-pushed the pr/mtardy/fix-mb-prefix branch from 5a7165f to 6ffb5cd Compare August 6, 2024 12:05
@mtardy mtardy force-pushed the pr/mtardy/fix-mb-prefix branch from 6ffb5cd to f795fab Compare August 6, 2024 12:16
@kevsecurity
Copy link
Contributor

I think you need make format

We need this because when reading exe for large path (>256) we ended up
having only part of the end (since we walk the dentry from end to start)
and thus the prefix match wasn't working. We still don't need to keep
the whole path, but it needs to be correct.

Signed-off-by: Mahe Tardy <[email protected]>
mtardy and others added 2 commits August 6, 2024 16:56
Adding test that has Prefix operator in matchBinaries selector. The file
path of the test binary (true) being executed is larger than 256 bytes:
it should be around 3900 chars.

Co-authored-by: Mahe Tardy <[email protected]>
Signed-off-by: Andrei Fedotov <[email protected]>
@mtardy mtardy force-pushed the pr/mtardy/fix-mb-prefix branch from f795fab to e73a0a0 Compare August 6, 2024 14:58
Copy link
Contributor

@kevsecurity kevsecurity left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

A kernel bug fails to trigger the BPF program hooked on a tracepoint if
the binary name passed as parameter is long enough, you can trigger it
with a long path, using mtardy/pathgen for example and bpftrace:

bpftrace -e 'tracepoint:sched:sched_process_exec { printf("execute\n"); }'

Under rhel8.6, if the path is long enough (>3000 for example), the BPF
prog will not be triggered.

Signed-off-by: Mahe Tardy <[email protected]>
@mtardy mtardy requested a review from willfindlay as a code owner August 7, 2024 09:22
@mtardy mtardy merged commit 4873362 into main Aug 7, 2024
45 checks passed
@mtardy mtardy deleted the pr/mtardy/fix-mb-prefix branch August 7, 2024 10:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area/bpf This is related to BPF code release-note/bug This PR fixes an issue in a previous release of Tetragon.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

matchBinaries Prefix operator fails to match path longer than 256 chars
3 participants