Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Falco hogs all memory and crashes server upon invalid yaml #3281

Closed
MprBol opened this issue Jul 18, 2024 · 13 comments · Fixed by #3394
Closed

Falco hogs all memory and crashes server upon invalid yaml #3281

MprBol opened this issue Jul 18, 2024 · 13 comments · Fixed by #3394
Labels
Milestone

Comments

@MprBol
Copy link

MprBol commented Jul 18, 2024

Describe the bug

Upon invalid yaml, the falco process may hog all available memory by calling brk() -- resulting in unresponsive server due to all memory+swap+cpu being used by the falco process.

How to reproduce it

Create the following macro

- macro: exclude_commands
  condition:
    (user.uid = 1001 and user.loginuid in (-1, 1001) and proc.exepath = "/usr/bin/script" and proc.args in (
"/usr/local/bin/script_metrics.sh",
    "-c rsync"
    )  )

(Note the indentation error in the yaml above)

And start falco

Expected behaviour

Falco to error with the invalid yaml

Screenshots

Environment

  • Falco version:
{"default_driver_version":"7.2.0+driver","driver_api_version":"8.0.0","driver_schema_version":"2.0.0","engine_version":"40","engine_version_semver":"0.40.0","falco_version":"0.38.1","libs_version":"0.17.2","plugin_api_version":"3.6.0"}
  • System info:

$ falco --support | jq .system_info
{
"machine": "x86_64",
"nodename": "dddd.net",
"release": "4.18.0-553.8.1.el8_10.x86_64",
"sysname": "Linux",
"version": "#1 SMP Fri Jun 14 03:19:37 EDT 2024"
}

  • OS: RHEL8.10
  • Kernel:
  • Installation method:
    RPM
    Additional context
@fbs
Copy link

fbs commented Jul 18, 2024

I did some more testing to minimize the reproducer:


- macro: exclude_commands
  condition: x
"a"
LOAD_ERR_YAML_VALIDATE (Error validating internal structure of YAML file): Rules content is not yaml

- macro: exclude_commands
  condition: x
"a"
LOAD_ERR_YAML_VALIDATE (Error validating internal structure of YAML file): Rules content is not yaml

- macro: exclude_commands
  condition: x
a,
LOAD_ERR_YAML_VALIDATE (Error validating internal structure of YAML file): Rules content is not yaml

- macro: exclude_commands
  condition: x
"a",
Thu Jul 18 20:28:39 2024: Loading rules from file /etc/falco/falco_rules.yaml
Thu Jul 18 20:28:39 2024: Loading rules from file /etc/falco/falco_rules.local.yaml
... OOM

@MprBol
Copy link
Author

MprBol commented Jul 29, 2024

Hi this bug could cause critical impact on a server landscape. Can someone confirm/have a look at this report? Thank you!

@sgaist
Copy link
Contributor

sgaist commented Jul 29, 2024

Hi,

Thanks for the report !

Some questions to help debug:

  • How are you starting falco ? (manually, automatically ?)
  • What parameters are you using ?

I just tested with a fresh build of the latest code and it properly fails when loading when called from the command line.
On your side, does it also get OOM killed if started manually ?

@MprBol
Copy link
Author

MprBol commented Jul 29, 2024

hi @sgaist , thank you for replying!

Just simply starting falco --dry-run manually also triggers this mistake.

When you tried reproducing it, did you place

- macro: exclude_commands
  condition:
    (user.uid = 1001 and user.loginuid in (-1, 1001) and proc.exepath = "/usr/bin/script" and proc.args in (
"/usr/local/bin/script_metrics.sh",
    "-c rsync"
    )  )

in your rules.d directory? Including the wrongly aligned spacing for "/usr/local/bin/script_metrics.sh", ? It must be in this incorrect yaml to trigger this bug.

@LucaGuerra
Copy link
Contributor

/milestone 0.39.0

@poiana poiana added this to the 0.39.0 milestone Jul 31, 2024
@sgaist
Copy link
Contributor

sgaist commented Jul 31, 2024

It looks like there was something wrong with my checkout and I was able to reproduce the issue.

@FedeDP
Copy link
Contributor

FedeDP commented Sep 9, 2024

It seems a yaml-cpp bug to me; did anyone report it to them?

@fbs
Copy link

fbs commented Sep 9, 2024

Yes, it has been reported but not resolution yet

@FedeDP
Copy link
Contributor

FedeDP commented Sep 11, 2024

So, i was trying to reproduce this with a small example using just yaml-cpp but i could not.
I will try to understand whether this is actually a Falco bug.

@FedeDP
Copy link
Contributor

FedeDP commented Sep 11, 2024

Oh i was wrong, the bug lies in YAML::LoadAll(std::string input) method from yaml-cpp; this example reproduces the bug without Falco involved:

#include <yaml-cpp/yaml.h>
#include <iostream>

int main() {
    static const std::string yml = R"(
- macro: exclude_commands
  condition:
    (user.uid = 1001 and user.loginuid in (-1, 1001) and proc.exepath = "/usr/bin/script" and proc.args in (
"/usr/local/bin/script_metrics.sh",
    "-c rsync"
    )  )  
    )";
    try {
	auto config = YAML::LoadAll(yml);
    } catch(const YAML::BadFile& e) {
        std::cerr << e.msg << std::endl;
        return 1;
    } catch(const YAML::ParserException& e) {
        std::cerr << e.msg << std::endl;
        return 1;
    }
    return 0;
}

@fbs can you share the upstream bug link? I will add this detailed info ;)

@FedeDP
Copy link
Contributor

FedeDP commented Sep 12, 2024

Opened 2 upstream PRs:

@FedeDP
Copy link
Contributor

FedeDP commented Sep 24, 2024

Waiting for upstream to merge last PR (jbeder/yaml-cpp#1319) and eventually tag a new yaml-cpp release before updating.
These fixes won't end up in the 0.39.0 Falco release, since we haven't got much time left.

/milestone 0.40.0

@MprBol
Copy link
Author

MprBol commented Jan 2, 2025

thanks @FedeDP !

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging a pull request may close this issue.

6 participants