disable (process) ebpf events when to many errors

if an invalid opensnitch-procs.o module was loaded, we were flooding the log with errors. In these cases stop processing events after 20 errors (random, we should have no errors). This may occur if the module is malformed (valid .o ebpf module but different structs, etc), or when loading modules from other versions. (cherry picked from commit 0a911ef)
evilsocket · Jun 12, 2024 · 8895d6f · 8895d6f
1 parent 362c0da
commit 8895d6f
Showing 1 changed file with 17 additions and 1 deletion.
diff --git a/daemon/procmon/ebpf/events.go b/daemon/procmon/ebpf/events.go
@@ -151,6 +151,18 @@ func initPerfMap(mod *elf.Module) {
 
 func streamEventsWorker(id int, chn chan []byte, lost chan uint64, kernelEvents chan interface{}, execEvents *eventsStore) {
 	var event execEvent
+	errors := 0
+	maxErrors := 20 // we should have no errors.
+	tooManyErrors := func() bool {
+		errors++
+		if errors > maxErrors {
+			log.Error("[eBPF events] too many errors parsing events from kernel")
+			log.Error("verify that you're using the correct eBPF modules for this version (%s)", core.Version)
+			return true
+		}
+		return false
+	}
+
 	for {
 		select {
 		case <-ctxTasks.Done():
@@ -159,7 +171,11 @@ func streamEventsWorker(id int, chn chan []byte, lost chan uint64, kernelEvents
 			log.Debug("Lost ebpf events: %d", l)
 		case d := <-chn:
 			if err := binary.Read(bytes.NewBuffer(d), hostByteOrder, &event); err != nil {
-				log.Error("[eBPF events #%d] error: %s", id, err)
+				log.Debug("[eBPF events #%d] error: %s", id, err)
+				if tooManyErrors() {
+					goto Exit
+				}
+
 			} else {
 				switch event.Type {
 				case EV_TYPE_EXEC, EV_TYPE_EXECVEAT: