fix(modern): try to address a page fault caused by bpf_probe_read_kernel
#1858
Conversation
poiana
added
release-note-none
kind/bug
|
Please double check driver/SCHEMA_VERSION file. See versioning. /hold |
| @@ -16,31 +16,6 @@ | |||
| #include <bpf/bpf_core_read.h> | |||
| #include <bpf/bpf_tracing.h> | |||
|
|
|||
| /*=============================== LIBBPF MISSING TRACING DEFINITION ===========================*/ | |||
There was a problem hiding this comment.
now we use libbpf 1.3 so this macro shouldn't be necessary
Andreagit97
changed the title
bpf_probe_read_kernel
Now we use libbpf 1.3.0 and this definition is already included Signed-off-by: Andrea Terzolo <[email protected]>
Signed-off-by: Andrea Terzolo <[email protected]>
Andreagit97
force-pushed
the
fix_kernel_fault_vsyscall
branch
from
55be08d
to
81068b8
Compare
|
just rebased |
|
LGTM label has been added. Git tree hash: 92d2a6090d2f315190d633a33e9a9b2a7ee754ec
|
Andreagit97
force-pushed
the
fix_kernel_fault_vsyscall
branch
from
2adc6a0
to
5a013f8
Compare
|
ARM64
X86
There is an issue with the modern centos-4.18 modern-bpf_scap-openMsg: Err: My guess is that when we read in userspace the value we read a cached value and not the update one, i will try to understand if there is a better way to do that |
|
/hold |
Signed-off-by: Andrea Terzolo <[email protected]>
Andreagit97
force-pushed
the
fix_kernel_fault_vsyscall
branch
from
5a013f8
to
a5d1950
Compare
| @@ -76,6 +81,16 @@ static __always_inline void maps__set_is_dropping(bool value) | |||
| is_dropping = value; | |||
| } | |||
|
|
|||
| static __always_inline void* maps__get_socket_file_ops() | |||
There was a problem hiding this comment.
now this info is only in kernel space
| struct file_operations *f_op = (struct file_operations *)BPF_CORE_READ(f, f_op); | ||
| maps__set_socket_file_ops((void*)f_op); | ||
| /* we need to rewrite the event header */ | ||
| ringbuf__rewrite_header_for_calibration(&ringbuf, vpid); |
There was a problem hiding this comment.
instead of using additional variables we can simply use our event to communicate something to userspace
| /* BPF side we send this special event with nparams = 0 */ | ||
| if(pevent->nparams == 0) | ||
| { | ||
| /* We don't want to stop here because we want to clean all the buffers. */ |
There was a problem hiding this comment.
we clean all the buffers so we will restart the capture in a clean state
| return SCAP_FAILURE; | ||
| } | ||
|
|
||
| /* Store interesting sc codes */ |
There was a problem hiding this comment.
moved after the calibration so we will clear the curr_sc_set
|
Started again kernel tests: https://github.com/falcosecurity/libs/actions/runs/9031308494 |
|
LGTM label has been added. Git tree hash: dc490e221b332b1632f148fb0702b7b422432078
|
|
Uh still a failure case on centos:
|
I tried it locally but i cannot reproduce the issue :/ |
Signed-off-by: Andrea Terzolo <[email protected]>
|
LGTM label has been added. Git tree hash: 49ed1c193622e6b57f9f335ffc427a0d4cdc5c9d
|
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Andreagit97, FedeDP, incertum, leogr The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/unhold |
What type of PR is this?
/kind bug
Any specific area of the project related to this PR?
/area driver-modern-bpf
Does this PR require a change in the driver versions?
What this PR does / why we need it:
We recently saw some issues with modern_ebpf driver -> falcosecurity/falco#3181.
Analyzing the call trace it seems the issue is related to the
accept4_xfiller.We can see that the culprit is
bpf_probe_read_kernelhelper... but we are in ebpf so a page fault should never happen...Indeed it turns out there is a bug on x86 machines when trying to use
copy_from_kernel_nofault()to read vsyscall pagethrough a bpf program -> https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=32019c659ec
And looking at the address that causes the page fault, we can notice that this is a
VSYSCALLaddressThe question now is, why are we reading from a vsyscall address? We are inside an
accept4this doesn't make so much sense...My guess here is that due to some race conditions, we can read a random address from
extract__file_struct_from_fdand then we try to cast this address to a socket and do somebpf_probe_read_kernel.All the code added in this PR is an extra safe check that we already have in the legacy ebpf probe. We initially avoided it in the modern probe as a performance optimization because without this "vsyscall address" bug the probe should never cause an unhandled page fault at runtime... Unfortunately, this bug is fixed only in kernel version >= 6.8 so we need a workaround to handle this situation.
This check indeed introduces a little bit of overhead but it's also true that should guarantee more reliable information since we explicitly check that we are a socket before performing some extra
bpf_probe_read_kernel, so in any case, these changes can be seen as an improvement in consistency.Please note that this is just an assumption, the call trace seems to be compatible with this analysis but the page fault could still be there... in that case, we should apply more strict checks on our
bpf_probe_read_kernelchecking that the address is different from aVSYSCALLaddress.Which issue(s) this PR fixes:
ref falcosecurity/falco#3181
Special notes for your reviewer:
Does this PR introduce a user-facing change?: