Falco hogs all memory and crashes server upon invalid yaml #3281
Comments
I did some more testing to minimize the reproducer:
|
Hi, this bug could cause critical impact on a server landscape. Can someone confirm/have a look at this report? Thank you! |
Hi, Thanks for the report! Some questions to help debug:
I just tested with a fresh build of the latest code and it properly fails when loading when called from the command line. |
Hi @sgaist, thank you for replying! Just simply starting When you tried reproducing it, did you place
in your rules.d directory? Including the wrongly aligned spacing for |
/milestone 0.39.0 |
It looks like there was something wrong with my checkout and I was able to reproduce the issue. |
It seems a yaml-cpp bug to me; did anyone report it to them? |
Yes, it has been reported but no resolution yet |
So, I was trying to reproduce this with a small example using just yaml-cpp but I could not. |
Oh I was wrong, the bug lies in
@fbs can you share the upstream bug link? I will add this detailed info ;) |
Opened 2 upstream PRs:
|
Waiting for upstream to merge last PR (jbeder/yaml-cpp#1319) and eventually tag a new yaml-cpp release before updating. /milestone 0.40.0 |
Thanks @FedeDP! |
Describe the bug
Upon invalid yaml, the falco process may hog all available memory by calling brk() -- resulting in unresponsive server due to all memory+swap+cpu being used by the falco process.
How to reproduce it
Create the following macro
(Note the indentation error in the yaml above)
And start falco
Expected behaviour
Falco to error with the invalid yaml
Screenshots
Environment
$ falco --support | jq .system_info
{
  "machine": "x86_64",
  "nodename": "dddd.net",
  "release": "4.18.0-553.8.1.el8_10.x86_64",
  "sysname": "Linux",
  "version": "#1 SMP Fri Jun 14 03:19:37 EDT 2024"
}
RPM
Additional context
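One way to contain the failure mode reported in this issue while the yaml-cpp fix is pending, as an added example (not code from the issue or from the Falco project): validate every rules file in a child process with a capped address space and a wall-clock timeout, so a loader that keeps allocating is stopped before it exhausts the host. The function names, the 1 GiB and 30 s defaults, and the assumption that `falco -V <file>` (Falco's rules validation mode) exercises the same YAML loading path are this example's own.

```shell
#!/bin/sh
# Added example: pre-flight check for rules files under resource limits.
# Assumed defaults (not from the issue): 1 GiB address space, 30 s per file.
MEM_KB="${MEM_KB:-1048576}"
TIME_S="${TIME_S:-30}"

# run_capped CMD [ARGS...]
# Runs CMD in a subshell whose virtual memory is capped with ulimit -v and
# whose run time is capped with timeout(1). Returns CMD's exit status,
# 125 if the memory cap could not be applied (fail closed), and with GNU
# timeout 124 when the time limit was hit.
run_capped() {
    (
        ulimit -v "$MEM_KB" || exit 125
        exec timeout "$TIME_S" "$@"
    )
}

# check_rules DIR VALIDATOR [ARGS...]
# Runs "VALIDATOR ARGS <file>" under the caps for every *.yaml in DIR.
# Reports each file the validator rejected (or that hit a cap) on stderr
# and returns 1 if there was at least one, 0 otherwise.
check_rules() {
    dir=$1
    shift
    rc=0
    for f in "$dir"/*.yaml; do
        [ -e "$f" ] || continue          # directory has no *.yaml files
        if ! run_capped "$@" "$f" >/dev/null 2>&1; then
            echo "REJECTED: $f" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Typical call before (re)starting the service; the directory is a placeholder:
#   check_rules <path-to-rules.d> falco -V
```

The same cap can be applied to the long-running service itself, for example with a cgroup memory limit, so that a bad file dropped into the rules directory later cannot take swap and CPU with it.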