-
Notifications
You must be signed in to change notification settings - Fork 168
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(userspace/libsinsp): keep event thread after execve #2212
fix(userspace/libsinsp): keep event thread after execve #2212
Conversation
4b592d7
to
3beda1a
Compare
Perf diff from master - unit tests
Heap diff from master - unit tests
Heap diff from master - scap file
Benchmarks diff from master
|
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #2212 +/- ##
=======================================
Coverage 75.42% 75.43%
=======================================
Files 265 265
Lines 34048 34044 -4
Branches 5803 5801 -2
=======================================
- Hits 25681 25680 -1
+ Misses 8367 8364 -3
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
3beda1a
to
b07ae70
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, great fix!
/approve
LGTM label has been added. Git tree hash: ba32ab7aa14c9782719acd3037e5b4e78fc68c8d
|
/milestone 0.20.0 |
Thank you @erthalion! I updated the PR body to be compliant with our semantic commit message (otherwise it can't be parsed by the release workflow :D )! |
userspace/libsinsp/parsers.cpp
Outdated
* | ||
* Also make sure the thread to be removed is not the one | ||
* associated with the event. Under normal conditions this | ||
* should not happen, since the kernel will reassing tid before |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
* should not happen, since the kernel will reassing tid before | |
* should not happen, since the kernel will reassign tid before |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
(sorry about the suggestion for a typo in comment but it sounded bad 😅)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks! In fact, I think the word with typo perfectly describes what kernel does, when the tid doesn't change :)
Currently when a thread from a thread group is doing execve, we expect that the kernel will reassign its tid at the end to the group leader, and simulate this behavior in the parser accordingly. The final result is all the threads in the thread group, except the leader, are removed from the cache. But looks like under certain circumstances it's possible to end up in a situation when the kernel is not doing the reassignment, yet the syscall ends successfully. This leads to a crash, since the parser removes the thread associated with the execve_x event, which will be accessed later during post processing -- and everything is expose in use-after-free. It's hard to reproduce artificially, but there are crash reports from the field, demonstrating the problem and confirming the patch fixes the crash. So far the issue was discovered only on ppc64le (Power10 to be more precise). To handle this, keep the event thread in place. Note, that tid here comes from the BPF probe directly, where it's captured via bpf_get_current_task/_btf. This means that the tid is the one really reported by the kernel, so keeping it represents the current state precisely. Signed-off-by: Dmitrii Dolgov <[email protected]>
b07ae70
to
52b88b0
Compare
Thanks, @FedeDP ! There was one silly typo I've fixed, so I'm afraid the PR needs another lgtm. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/approve
LGTM label has been added. Git tree hash: 0aeb9047510577ac29e412dc741ff40db8d209c9
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/approve
Great catch, it sounds like a bug in ppc64le kernel since this should never happen :/
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Andreagit97, erthalion, FedeDP The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
It might be. I'm planning to investigate it a bit more, just in case if we're missing something about the kernel behavior on this platform. |
What type of PR is this?
/kind bug
Any specific area of the project related to this PR?
/area libsinsp
Does this PR require a change in the driver versions?
What this PR does / why we need it:
Currently when a thread from a thread group is doing execve, we expect that the kernel will reassign its tid at the end to the group leader, and simulate this behavior in the parser accordingly. The final result is all the threads in the thread group, except the leader, are removed from the cache.
But looks like under certain circumstances it's possible to end up in a situation when the kernel is not doing the reassignment, yet the syscall ends successfully. This leads to a crash, since the parser removes the thread associated with the execve_x event, which will be accessed later during post processing -- and everything is explode in use-after-free. It's hard to reproduce artificially, but there are crash reports from the field, demonstrating the problem and confirming the patch fixes the crash. So far the issue was discovered only on ppc64le (Power10 to be more precise).
To handle this, keep the event thread in place. Note, that tid here comes from the BPF probe directly, where it's captured via bpf_get_current_task/_btf. This means that the tid is the one really reported by the kernel, so keeping it represents the current state precisely.
Special notes for your reviewer:
Does this PR introduce a user-facing change?: