Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Socket dataset: Workaround for bogus dereference in kernel 5.x #15771

Merged
merged 4 commits into from
Jan 23, 2020

Conversation

adriansr
Copy link
Contributor

@adriansr adriansr commented Jan 23, 2020

This is a tentative workaround for the problems in Auditbeat's system/socket dataset when run under 5.x kernels.

On older kernels, we could rely on dereferencing a NULL or invalid pointer returning zeroed memory. However, seems that in the tested 5.x kernels is not the case. Dereferencing a NULL pointer returns bogus memory, which causes some wrong codepaths to be taken in a couple of
kprobes defined by the dataset.

This so far seems only to affect udp_sendmsg and udpv6_sendmsg, which caused it to attribute traffic to bogus IP addresses. In turn this caused the test-connected-udp system tests to fail.


In parallel I'm trying to find the reason for this different behavior and ideally have the tracing subsystem behave like in previous versions, so this patch is not needed.

This is a tentative workaround for the problems in Auditbeat's
system/socket dataset when run under 5.x kernels.

On older kernels, we could rely on dereferencing a NULL or invalid
pointer returning zeroed memory. However, seems that in the tested 5.x
kernels is not the case. Dereferencing a NULL pointer returns bogus
memory, which causes some wrong codepaths to be taken in a couple of
kprobes defined by the dataset.

This so far seems only to affect udp_sendmsg and udpv6_sendmsg, which
caused it to attribute traffic to bogus IP addresses. In turn this
caused the test-connected-udp system tests to fail.
@adriansr adriansr added bug review needs_backport PR is waiting to be backported to other branches. Team:SIEM labels Jan 23, 2020
@adriansr adriansr requested a review from a team as a code owner January 23, 2020 12:07
@elasticmachine
Copy link
Collaborator

Pinging @elastic/siem (Team:SIEM)

Copy link
Member

@andrewkroh andrewkroh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you please add a changelog too.

"github.com/elastic/beats/x-pack/auditbeat/tracing"
)

/*
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Empty comment block.

@jsoriano jsoriano mentioned this pull request Jan 23, 2020
63 tasks
@adriansr adriansr merged commit 0dab517 into elastic:master Jan 23, 2020
@adriansr adriansr added v7.7.0 and removed needs_backport PR is waiting to be backported to other branches. labels Jan 23, 2020
adriansr added a commit to adriansr/beats that referenced this pull request Jan 23, 2020
…ic#15771)

This is a tentative workaround for the problems in Auditbeat's
system/socket dataset when run under 5.x kernels.

On older kernels, we could rely on dereferencing a NULL or invalid
pointer returning zeroed memory. However, seems that in the tested 5.x
kernels is not the case. Dereferencing a NULL pointer returns bogus
memory, which causes some wrong codepaths to be taken in a couple of
kprobes defined by the dataset.

This so far seems only to affect udp_sendmsg and udpv6_sendmsg, which
caused it to attribute traffic to bogus IP addresses. In turn this
caused the test-connected-udp system tests to fail.

(cherry picked from commit 0dab517)
adriansr added a commit to adriansr/beats that referenced this pull request Jan 23, 2020
…ic#15771)

This is a tentative workaround for the problems in Auditbeat's
system/socket dataset when run under 5.x kernels.

On older kernels, we could rely on dereferencing a NULL or invalid
pointer returning zeroed memory. However, seems that in the tested 5.x
kernels is not the case. Dereferencing a NULL pointer returns bogus
memory, which causes some wrong codepaths to be taken in a couple of
kprobes defined by the dataset.

This so far seems only to affect udp_sendmsg and udpv6_sendmsg, which
caused it to attribute traffic to bogus IP addresses. In turn this
caused the test-connected-udp system tests to fail.

(cherry picked from commit 0dab517)
adriansr added a commit to adriansr/beats that referenced this pull request Jan 25, 2020
…ic#15771)

This is a tentative workaround for the problems in Auditbeat's
system/socket dataset when run under 5.x kernels.

On older kernels, we could rely on dereferencing a NULL or invalid
pointer returning zeroed memory. However, seems that in the tested 5.x
kernels is not the case. Dereferencing a NULL pointer returns bogus
memory, which causes some wrong codepaths to be taken in a couple of
kprobes defined by the dataset.

This so far seems only to affect udp_sendmsg and udpv6_sendmsg, which
caused it to attribute traffic to bogus IP addresses. In turn this
caused the test-connected-udp system tests to fail.

(cherry picked from commit 0dab517)
adriansr added a commit that referenced this pull request Jan 25, 2020
…erence in kernel 5.x (#15792)

This is a tentative workaround for the problems in Auditbeat's
system/socket dataset when run under 5.x kernels.

On older kernels, we could rely on dereferencing a NULL or invalid
pointer returning zeroed memory. However, seems that in the tested 5.x
kernels is not the case. Dereferencing a NULL pointer returns bogus
memory, which causes some wrong codepaths to be taken in a couple of
kprobes defined by the dataset.

This so far seems only to affect udp_sendmsg and udpv6_sendmsg, which
caused it to attribute traffic to bogus IP addresses. In turn this
caused the test-connected-udp system tests to fail.

(cherry picked from commit 0dab517)
adriansr added a commit that referenced this pull request Jan 25, 2020
… (#15791)

This is a tentative workaround for the problems in Auditbeat's
system/socket dataset when run under 5.x kernels.

On older kernels, we could rely on dereferencing a NULL or invalid
pointer returning zeroed memory. However, seems that in the tested 5.x
kernels is not the case. Dereferencing a NULL pointer returns bogus
memory, which causes some wrong codepaths to be taken in a couple of
kprobes defined by the dataset.

This so far seems only to affect udp_sendmsg and udpv6_sendmsg, which
caused it to attribute traffic to bogus IP addresses. In turn this
caused the test-connected-udp system tests to fail.

(cherry picked from commit 0dab517)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants