Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Write to outer map fails due to no wrap around of version in snapshot #4019

Closed
subkin13 opened this issue May 5, 2024 · 4 comments
Closed

Write to outer map fails due to no wrap around of version in snapshot #4019

subkin13 opened this issue May 5, 2024 · 4 comments
Assignees
@geyslan
Labels
kind/bug
Milestone
v0.22.0

Comments

@subkin13
Copy link

subkin13 commented May 5, 2024
edited

The code in func (s *snapshots) Store(ps *Policies) does not wrap s.lastVersion when it reaches maxSnapshots which eventually causes failure when writing to an outer map - see func (ps *Policies) createNewFilterMapsVersion(bpfModule *bpf.Module) error

Also the following code sets the minimal version to 1, it is never zero, so there is never write to cell #0 in the outer map. Is that on purpose?

s.lastVersion++ // new version
if s.lastVersion >= uint16(MaxPolicies) {
     logger.Warnw("Policies version has wrapped around, resetting to 1")
     s.lastVersion++
}

Also - prune func(*Policies) []error is not initialized so the inner maps are never closed which will eventually cause fd leak
@yanivagman
Copy link
Collaborator

@subkin13 thanks for reporting,
@geyslan can you have a look?

@subkin13
Copy link
Author

subkin13 commented May 7, 2024

also:

  1. in createNewInnerMap - GetBTFFDByID creates another fd for the process, you should close it before exiting the function
  2. in createNewFilterMapsVersion - if the call to updateOuterMap fails you should close the newInnerMap fd

@yanivagman yanivagman added this to the v0.22.0 milestone May 9, 2024
@geyslan
Copy link
Member

geyslan commented May 17, 2024
edited

Hi @subkin13, thanks for bringing us your findings.

The code in func (s *snapshots) Store(ps *Policies) does not wrap s.lastVersion when it reaches maxSnapshots...

The Snapshots is a circular buffer of size maxSnapshots. This check

tracee/pkg/policy/snapshots.go

Lines 75 to 79 in a458fa9

s.lastVersion++ // new version
if s.lastVersion == 0 {
logger.Warnw("Policies version has wrapped around, resetting to 1")
s.lastVersion++
}

is only to deal with uint wrap around.

The version can and should be increased to the holder's limit, as it communicates the version number of these policies, even if we only have maxSnaphosts at a time. So for this I don't see any problem.

Also - prune func(*Policies) []error is not initialized so the inner maps are never closed which will eventually cause fd leak

This is true. I was tackling it in currently closed PRs. That will be solved soon.

i.e.: https://github.com/aquasecurity/tracee/pull/3912/files#diff-aab7c4298207977c2b1b634dfc0fc67eb9004e74324ab1c0df0306869d1714b5R607-R609

image

in createNewInnerMap - GetBTFFDByID creates another fd for the process, you should close it before exiting the function

I suppose you're right. I need to check if after the map creation the BTFFD is not required anymore. Let's deal with it in upcoming efforts. Thanks!

in createNewFilterMapsVersion - if the call to updateOuterMap fails you should close the newInnerMap fd

This is also true and was being tackled on the referred PR.

Gonna close this and update #3239.

Thanks a million.

@geyslan geyslan mentioned this issue May 17, 2024
Open
19 tasks
@geyslan
Copy link
Member

geyslan commented May 17, 2024

#3239 updated with findings.

@geyslan geyslan closed this as completed May 17, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@geyslan geyslan

Labels
kind/bug
Projects
None yet
Milestone
v0.22.0
Development

No branches or pull requests
3 participants
@geyslan @yanivagman @subkin13