bpf: bump prepend_name underlying buffer size 4096 #2764
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
mtardy
added
area/bpf
✅ Deploy Preview for tetragon ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
mtardy
force-pushed
the
pr/mtardy/fix-mb-prefix
branch
2 times, most recently
from
5d77188 to
d6b22ce
Compare
|
cc @anfedotoff |
mtardy
force-pushed
the
pr/mtardy/fix-mb-prefix
branch
4 times, most recently
from
3c37657 to
d5ad471
Compare
kevsecurity
requested changes
Aug 5, 2024
mtardy
added a commit
to cilium/little-vm-helper-images
that referenced
this pull request
Aug 5, 2024
I bumped into a bug when testing cilium/tetragon#2764 with the current rhel8 kernel and it was later fixed. Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
mtardy
added a commit
to cilium/little-vm-helper-images
that referenced
this pull request
Aug 5, 2024
I bumped into a bug when testing cilium/tetragon#2764 with the current rhel8 kernel and it was later fixed. Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
|
I bumped into a rhel8 (rocky 8.6) bug, let's bump to a newer 8.9 that is fixed cilium/little-vm-helper-images#612. |
mtardy
force-pushed
the
pr/mtardy/fix-mb-prefix
branch
from
d5ad471 to
4636210
Compare
mtardy
force-pushed
the
pr/mtardy/fix-mb-prefix
branch
from
4636210 to
5a7165f
Compare
|
CI looks pretty red ❓ |
oh boy I just rebased and made the tiny change and indeed it seems everything is broken |
mtardy
force-pushed
the
pr/mtardy/fix-mb-prefix
branch
from
5a7165f to
6ffb5cd
Compare
kevsecurity
reviewed
Aug 6, 2024
mtardy
force-pushed
the
pr/mtardy/fix-mb-prefix
branch
from
6ffb5cd to
f795fab
Compare
|
I think you need |
We need this because when reading exe for large path (>256) we ended up having only part of the end (since we walk the dentry from end to start) and thus the prefix match wasn't working. We still don't need to keep the whole path, but it needs to be correct. Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
Adding test that has Prefix operator in matchBinaries selector. The file path of the test binary (true) being executed is larger than 256 bytes: it should be around 3900 chars. Co-authored-by: Mahe Tardy <mahe.tardy@gmail.com> Signed-off-by: Andrei Fedotov <anfedotoff@yandex-team.ru>
mtardy
force-pushed
the
pr/mtardy/fix-mb-prefix
branch
from
f795fab to
e73a0a0
Compare
A kernel bug fails to trigger the BPF program hooked on a tracepoint if
the binary name passed as parameter is long enough, you can trigger it
with a long path, using mtardy/pathgen for example and bpftrace:
bpftrace -e 'tracepoint:sched:sched_process_exec { printf("execute\n"); }'
Under rhel8.6, if the path is long enough (>3000 for example), the BPF
prog will not be triggered.
Signed-off-by: Mahe Tardy <mahe.tardy@gmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes #2758
Description
The matchBinaries Prefix operator fails to match a path longer than 256 chars because of the way we read the binary path. We use the exe of the process and walk the dentry from end to beginning. Thus if the path is too long, the buffer contains an incorrect start.
Changelog