This repository has been archived by the owner on Apr 26, 2021. It is now read-only.

linux guest STAP parsing error #3077

Open
segulee opened this issue Jul 22, 2020 · 0 comments · May be fixed by #3078

segulee commented Jul 22, 2020

Thanks for creating an issue! But first: did you read our community guidelines?
https://cuckoo.sh/docs/introduction/community.html

My issue is: Linux STAP parsing error (not actually an error, just a MongoDB key issue)
My Cuckoo version and operating system are:

cuckoo: Cuckoo 2.0.7
os: Ubuntu 18.04
guest: Ubuntu 18.04

This can be reproduced by:

while processing reporting module mongodb.py, when 'specific logs' come out.

The log, error, files etc can be found at:
part of stap logs:

Tue Jul 21 07:38:30 2020.301949 Cache2 I/O@7fd936dc94ea[1446] quotactl(Q_GETQUOTA|USRQUOTA, "ext4", 1000, {dqb_bhardlimit=3547209367405213234, dqb_bsoftlimit=3204155142452555552, dqb_curspace=7308613718863799666, dqb_ihardlimit=4207599493805798176, dqb_isoftlimit=3779778362997547057, ...}) = -13 (EACCES)

when it is parsed as a process call:
        {
            "status": "EACCES",
            "raw": "Tue Jul 21 07:38:30 2020.301949 Cache2 I/O@7fd936dc94ea[1446] quotactl(Q_GETQUOTA|USRQUOTA, \"ext4\", 1000, {dqb_bhardlimit=3547209367405213234, dqb_bsoftlimit=3204155142452555552, dqb_curspace=7308613718863799666, dqb_ihardlimit=4207599493805798176, dqb_isoftlimit=3779778362997547057, ...}) = -13 (EACCES)\n",
            "api": "quotactl",
            "return_value": "-13",
            "instruction_pointer": "7fd936dc94ea",
            "time": {
                "$date": 1595317110301
            },
            "process_name": "Cache2 I/O",
            "pid": 1446,
            "arguments": {
                "p2": "1000",
                "p3": {
                    "...": "",
                    "dqb_ihardlimit": "4207599493805798176",
                    "dqb_bhardlimit": "3547209367405213234",
                    "dqb_curspace": "7308613718863799666",
                    "dqb_bsoftlimit": "3204155142452555552",
                    "dqb_isoftlimit": "3779778362997547057"
                },
                "p0": "Q_GETQUOTA|USRQUOTA",
                "p1": "ext4"
            }
        },
logs:

    2020-07-22 14:08:19,743 [cuckoo.core.plugins] ERROR: Failed to run the reporting module: MongoDB
    Traceback (most recent call last):
      File "/home/cuckoo/Desktop/207/local/lib/python2.7/site-packages/cuckoo/core/plugins.py", line 659, in process
        current.run(self.results)
      File "/home/cuckoo/Desktop/207/local/lib/python2.7/site-packages/cuckoo/reporting/mongodb.py", line 225, in run
        chunk_id = self.db.calls.insert(to_insert)
      File "/home/cuckoo/Desktop/207/local/lib/python2.7/site-packages/pymongo/collection.py", line 1926, in insert
        check_keys, manipulate, write_concern)
      File "/home/cuckoo/Desktop/207/local/lib/python2.7/site-packages/pymongo/collection.py", line 430, in _insert
        gen(), check_keys, self.codec_options, sock_info)
    InvalidDocument: key '...' must not contain '.'

the problem is:
            "arguments": {
                "p2": "1000",
                "p3": {
                    "...": "",
                    "dqb_ihardlimit": "4207599493805798176",
                    "dqb_bhardlimit": "3547209367405213234",
                    "dqb_curspace": "7308613718863799666",
                    "dqb_bsoftlimit": "3204155142452555552",
                    "dqb_isoftlimit": "3779778362997547057"
                },

"...": "" is produced while parsing the arguments of the stap logs,
and when it reaches MongoDB, InvalidDocument: key '...' must not contain '.' is raised.

to solve this:

I think the "..." argument is not important, so

cuckoo - processing.platform.linux.py

    def parse_struct(self, argstr):
        # Return as regular array if elements aren't named.
        if "=" not in argstr:
            return self.parse_array(argstr.lstrip("{"))

        # Return as dict, parse value as array and struct when appropriate.
        parsed = {}
        arg = argstr.lstrip("{")
        while arg:
            key, _, arg = arg.partition("=")

            # This part (proposed change): skip the "..." truncation marker.
            if key == "...":
                continue

            delim = self.get_delim(arg)
            if delim != ", ":
                delim += ", "
            val, _, arg = arg.partition(delim)
            parsed[key] = self.parse_arg(val)

        return parsed

or

    def parse_struct(self, argstr):
        # Return as regular array if elements aren't named.
        if "=" not in argstr:
            return self.parse_array(argstr.lstrip("{"))

        # Return as dict, parse value as array and struct when appropriate.
        parsed = {}
        arg = argstr.lstrip("{")
        while arg:
            key, _, arg = arg.partition("=")

            # This part (proposed change): a key with nothing after "=" has no value; skip it.
            if not arg:
                continue

            delim = self.get_delim(arg)
            if delim != ", ":
                delim += ", "
            val, _, arg = arg.partition(delim)
            parsed[key] = self.parse_arg(val)

        return parsed

thank you

@segulee segulee linked a pull request Jul 22, 2020 that will close this issue
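
A reporting-side guard for the same failure, added here as an example and not code from Cuckoo or from the issue author: it goes beyond the parser fix by cleaning every nested key that pymongo's key check rejects (one containing '.' or starting with '$') before the document is inserted. The names mongo_safe, safe_key, bad_keys and the "truncated" field are hypothetical, and the sample call is constructed.

```python
# Added example; names and the sample below are assumptions, not Cuckoo's code.
TRUNCATION_MARKER = "..."  # printed when a struct argument is cut short


def safe_key(key):
    """Rewrite a key so it has no '.' and no leading '$'."""
    key = str(key).replace(".", "_")
    return "_" + key[1:] if key.startswith("$") else key


def mongo_safe(value):
    """Copy value with nested dict keys made insert-safe; the marker key
    becomes a 'truncated' flag (hypothetical field name)."""
    if isinstance(value, list):
        return [mongo_safe(item) for item in value]
    if not isinstance(value, dict):
        return value
    cleaned = {}
    for key, item in value.items():
        if key == TRUNCATION_MARKER:
            new_key, item = "truncated", True
        else:
            new_key = safe_key(key)
        if new_key in cleaned:
            raise ValueError("key collision after sanitizing: %r" % (key,))
        cleaned[new_key] = mongo_safe(item)
    return cleaned


def bad_keys(value, path=""):
    """Return paths of keys that pymongo's key check would reject."""
    found = []
    if isinstance(value, dict):
        for key, item in value.items():
            here = "%s/%s" % (path, key)
            if "." in str(key) or str(key).startswith("$"):
                found.append(here)
            found += bad_keys(item, here)
    elif isinstance(value, list):
        for item in value:
            found += bad_keys(item, path + "[]")
    return found


# Constructed sample shaped like the parsed call in the issue (values shortened).
SAMPLE_CALL = {"api": "quotactl", "return_value": "-13", "arguments": {
    "p0": "Q_GETQUOTA|USRQUOTA", "p1": "ext4", "p2": "1000",
    "p3": {"...": "", "dqb_bhardlimit": "1", "dqb_curspace": "2"},
}}
```

Running bad_keys over a call before insert also gives a quick way to log which syscall produced an unsafe key, so the parser can be fixed at the source.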