Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(userspace/libsinsp): keep event thread after execve #2212

Merged

Conversation

erthalion
Copy link
Contributor

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

/kind feature

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area API-version

/area build

/area CI

/area driver-kmod

/area driver-bpf

/area driver-modern-bpf

/area libscap-engine-bpf

/area libscap-engine-gvisor

/area libscap-engine-kmod

/area libscap-engine-modern-bpf

/area libscap-engine-nodriver

/area libscap-engine-noop

/area libscap-engine-source-plugin

/area libscap-engine-savefile

/area libscap

/area libpman

/area libsinsp

/area tests

/area proposals

Does this PR require a change in the driver versions?

/version driver-API-version-major

/version driver-API-version-minor

/version driver-API-version-patch

/version driver-SCHEMA-version-major

/version driver-SCHEMA-version-minor

/version driver-SCHEMA-version-patch

What this PR does / why we need it:

Currently when a thread from a thread group is doing execve, we expect that the kernel will reassign its tid at the end to the group leader, and simulate this behavior in the parser accordingly. The final result is all the threads in the thread group, except the leader, are removed from the cache.

But looks like under certain circumstances it's possible to end up in a situation when the kernel is not doing the reassignment, yet the syscall ends successfully. This leads to a crash, since the parser removes the thread associated with the execve_x event, which will be accessed later during post processing -- and everything is explode in use-after-free. It's hard to reproduce artificially, but there are crash reports from the field, demonstrating the problem and confirming the patch fixes the crash. So far the issue was discovered only on ppc64le (Power10 to be more precise).

To handle this, keep the event thread in place. Note, that tid here comes from the BPF probe directly, where it's captured via bpf_get_current_task/_btf. This means that the tid is the one really reported by the kernel, so keeping it represents the current state precisely.

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

NONE

Copy link

github-actions bot commented Dec 20, 2024

Perf diff from master - unit tests

     3.29%     -0.67%  [.] sinsp_thread_manager::find_thread
     8.04%     +0.53%  [.] sinsp_evt::get_type
    11.04%     -0.52%  [.] sinsp::next
     1.59%     +0.43%  [.] scap_event_decode_params
     5.84%     +0.43%  [.] next_event_from_file
     2.92%     -0.37%  [.] is_conversion_needed
    10.25%     +0.36%  [.] sinsp_parser::reset
     2.08%     -0.29%  [.] std::_Hashtable<long, std::pair<long const, std::shared_ptr<sinsp_threadinfo> >, std::allocator<std::pair<long const, std::shared_ptr<sinsp_threadinfo> > >, std::__detail::_Select1st, std::equal_to<long>, std::hash<long>, std::__detail::_Mod_range_hashing, std::__detail::_Default_ranged_hash, std::__detail::_Prime_rehash_policy, std::__detail::_Hashtable_traits<false, false, true> >::_M_find_before_node
     1.52%     -0.23%  [.] libsinsp::sinsp_suppress::process_event
     0.78%     -0.22%  [.] libsinsp::events::is_unknown_event

Heap diff from master - unit tests

peak heap memory consumption: 0B
peak RSS (including heaptrack overhead): 0B
total memory leaked: 0B

Heap diff from master - scap file

peak heap memory consumption: 0B
peak RSS (including heaptrack overhead): 0B
total memory leaked: 0B

Benchmarks diff from master

Comparing gbench_data.json to /root/actions-runner/_work/libs/libs/build/gbench_data.json
Benchmark                                                         Time             CPU      Time Old      Time New       CPU Old       CPU New
----------------------------------------------------------------------------------------------------------------------------------------------
BM_sinsp_split_mean                                            +0.0280         +0.0280           146           150           146           150
BM_sinsp_split_median                                          +0.0265         +0.0265           146           150           146           150
BM_sinsp_split_stddev                                          +0.3178         +0.3189             1             1             1             1
BM_sinsp_split_cv                                              +0.2819         +0.2830             0             0             0             0
BM_sinsp_concatenate_paths_relative_path_mean                  +0.0936         +0.0936            55            61            55            61
BM_sinsp_concatenate_paths_relative_path_median                +0.0914         +0.0914            56            61            56            61
BM_sinsp_concatenate_paths_relative_path_stddev                -0.6214         -0.6215             0             0             0             0
BM_sinsp_concatenate_paths_relative_path_cv                    -0.6538         -0.6539             0             0             0             0
BM_sinsp_concatenate_paths_empty_path_mean                     +0.0165         +0.0165            23            24            23            24
BM_sinsp_concatenate_paths_empty_path_median                   +0.0164         +0.0164            23            24            23            24
BM_sinsp_concatenate_paths_empty_path_stddev                   -0.0398         -0.0360             0             0             0             0
BM_sinsp_concatenate_paths_empty_path_cv                       -0.0554         -0.0516             0             0             0             0
BM_sinsp_concatenate_paths_absolute_path_mean                  +0.1264         +0.1264            56            63            56            63
BM_sinsp_concatenate_paths_absolute_path_median                +0.1247         +0.1247            56            63            56            63
BM_sinsp_concatenate_paths_absolute_path_stddev                -0.7981         -0.7993             1             0             1             0
BM_sinsp_concatenate_paths_absolute_path_cv                    -0.8208         -0.8218             0             0             0             0
BM_sinsp_split_container_image_mean                            +0.0129         +0.0129           390           395           390           395
BM_sinsp_split_container_image_median                          +0.0107         +0.0107           390           395           390           395
BM_sinsp_split_container_image_stddev                          +0.4410         +0.4422             3             4             3             4
BM_sinsp_split_container_image_cv                              +0.4227         +0.4238             0             0             0             0

Copy link

codecov bot commented Dec 20, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 75.43%. Comparing base (5b95bc8) to head (52b88b0).
Report is 5 commits behind head on master.

Additional details and impacted files
@@           Coverage Diff           @@
##           master    #2212   +/-   ##
=======================================
  Coverage   75.42%   75.43%           
=======================================
  Files         265      265           
  Lines       34048    34044    -4     
  Branches     5803     5801    -2     
=======================================
- Hits        25681    25680    -1     
+ Misses       8367     8364    -3     
Flag Coverage Δ
libsinsp 75.43% <100.00%> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@erthalion erthalion force-pushed the fix/keep-event-thread-on-exec branch from 3beda1a to b07ae70 Compare December 20, 2024 14:24
FedeDP
FedeDP previously approved these changes Dec 20, 2024
Copy link
Contributor

@FedeDP FedeDP left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, great fix!
/approve

@poiana
Copy link
Contributor

poiana commented Dec 20, 2024

LGTM label has been added.

Git tree hash: ba32ab7aa14c9782719acd3037e5b4e78fc68c8d

@FedeDP
Copy link
Contributor

FedeDP commented Dec 20, 2024

/milestone 0.20.0

@poiana poiana added this to the 0.20.0 milestone Dec 20, 2024
@FedeDP FedeDP changed the title Keep event thread after execve fix(userspace/libsinsp): keep event thread after execve Dec 20, 2024
@FedeDP
Copy link
Contributor

FedeDP commented Dec 20, 2024

Thank you @erthalion! I updated the PR body to be compliant with our semantic commit message (otherwise it can't be parsed by the release workflow :D )!

*
* Also make sure the thread to be removed is not the one
* associated with the event. Under normal conditions this
* should not happen, since the kernel will reassing tid before
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
* should not happen, since the kernel will reassing tid before
* should not happen, since the kernel will reassign tid before

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(sorry about the suggestion for a typo in comment but it sounded bad 😅)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! In fact, I think the word with typo perfectly describes what kernel does, when the tid doesn't change :)

Currently when a thread from a thread group is doing execve, we expect
that the kernel will reassign its tid at the end to the group leader,
and simulate this behavior in the parser accordingly. The final result
is all the threads in the thread group, except the leader, are removed
from the cache.

But looks like under certain circumstances it's possible to end up in a
situation when the kernel is not doing the reassignment, yet the syscall
ends successfully. This leads to a crash, since the parser removes the
thread associated with the execve_x event, which will be accessed later
during post processing -- and everything is expose in use-after-free.
It's hard to reproduce artificially, but there are crash reports from
the field, demonstrating the problem and confirming the patch fixes the
crash. So far the issue was discovered only on ppc64le (Power10 to be
more precise).

To handle this, keep the event thread in place. Note, that tid here
comes from the BPF probe directly, where it's captured via
bpf_get_current_task/_btf. This means that the tid is the one really
reported by the kernel, so keeping it represents the current state
precisely.

Signed-off-by: Dmitrii Dolgov <[email protected]>
@poiana poiana requested a review from FedeDP December 20, 2024 16:15
@erthalion
Copy link
Contributor Author

Thank you @erthalion! I updated the PR body to be compliant with our semantic commit message (otherwise it can't be parsed by the release workflow :D )!

Thanks, @FedeDP ! There was one silly typo I've fixed, so I'm afraid the PR needs another lgtm.

Copy link
Contributor

@FedeDP FedeDP left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/approve

@poiana poiana added the lgtm label Dec 20, 2024
@poiana
Copy link
Contributor

poiana commented Dec 20, 2024

LGTM label has been added.

Git tree hash: 0aeb9047510577ac29e412dc741ff40db8d209c9

Copy link
Member

@Andreagit97 Andreagit97 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/approve
Great catch, it sounds like a bug in ppc64le kernel since this should never happen :/

@poiana
Copy link
Contributor

poiana commented Dec 30, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Andreagit97, erthalion, FedeDP

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@poiana poiana merged commit 615ecfb into falcosecurity:master Dec 30, 2024
47 of 49 checks passed
@erthalion
Copy link
Contributor Author

it sounds like a bug in ppc64le kernel since this should never happen :/

It might be. I'm planning to investigate it a bit more, just in case if we're missing something about the kernel behavior on this platform.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants