fix(userspace/libsinsp): fixed possible buffer overflow in `sinsp_plu… #6000
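# CI Build: compiles the libs and runs their unit and e2e tests on every pull
# request, on pushes to master / release/** / maintainers/**, and on manual
# dispatch. Most jobs build and execute code from the checked-out ref, some of
# it as root, so the token scope and the action pins below matter.
name: CI Build

on:
  pull_request:
  push:
    branches:
      - master
      - 'release/**'
      - 'maintainers/**'
  workflow_dispatch:

# Least privilege for GITHUB_TOKEN: the jobs below only check out the
# repository, build, test and upload a report artifact, none of which needs
# write access. Without this block the token gets the repository default scope.
permissions:
  contents: read

# Checks if any concurrent jobs under the same pull request or branch are being executed.
# head_ref is only set for pull requests, so a new push to a PR cancels the
# older run; other events fall back to the unique run_id and are not cancelled.
concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true

jobs:
  # Linux build + unit tests across arch x dependency flavour.
  # The `sanitizers` flavour builds with ASan and UBSan enabled.
  build-libs-linux:
    name: build-libs-linux-${{ matrix.arch }} 😁 (${{ matrix.name }})
    runs-on: ${{ (matrix.arch == 'arm64' && 'actuated-arm64-8cpu-16gb') || 'ubuntu-22.04' }}
    strategy:
      fail-fast: false
      matrix:
        arch: [amd64, arm64]
        name: [system_deps, bundled_deps, system_deps_minimal, sanitizers]
        include:
          - name: system_deps
            cmake_opts: -DBUILD_WARNINGS_AS_ERRORS=On -DBUILD_BPF=On -DUSE_BUNDLED_DEPS=False
          - name: bundled_deps
            cmake_opts: -DBUILD_WARNINGS_AS_ERRORS=On -DBUILD_BPF=On -DUSE_BUNDLED_DEPS=True
          - name: system_deps_minimal
            cmake_opts: -DBUILD_WARNINGS_AS_ERRORS=On -DUSE_BUNDLED_DEPS=False -DMINIMAL_BUILD=True
          - name: sanitizers
            cmake_opts: -DUSE_ASAN=On -DUSE_UBSAN=On -DUSE_BUNDLED_DEPS=False
    container:
      # NOTE(review): mutable image tag; pinning by digest
      # (debian@sha256:<IMAGE_DIGEST>) would make the build environment reproducible.
      image: debian:buster
    steps:
      - name: Install deps ⛓️
        run: |
          apt update && apt install -y --no-install-recommends ca-certificates cmake build-essential git clang llvm pkg-config autoconf automake libtool libelf-dev wget libc-ares-dev libcurl4-openssl-dev libssl-dev libtbb-dev libjq-dev libjsoncpp-dev libgrpc++-dev protobuf-compiler-grpc libgtest-dev libprotobuf-dev linux-headers-${{ matrix.arch }}

      # Pinned to a full commit SHA; the trailing comment records the release.
      - name: Checkout Libs ⤵️
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          fetch-depth: 0

      - name: Install deps ⛓️
        run: |
          .github/install-deps.sh

      # Inside the container the checkout is owned by a different user than the
      # one running git, so the workspace has to be marked as safe explicitly.
      - name: Git safe directory
        run: |
          git config --global --add safe.directory "$GITHUB_WORKSPACE"

      # matrix.cmake_opts is defined in this file, so expanding it into the
      # shell line is not attacker-controlled input.
      - name: Build and test 🏗️🧪
        env:
          UBSAN_OPTIONS: print_stacktrace=1
        # KERNELDIR assumes exactly one directory under /lib/modules
        # (presumably the one installed by linux-headers-<arch>) — confirm.
        run: |
          mkdir -p build
          cd build && cmake ${{ matrix.cmake_opts }} ../
          KERNELDIR=/lib/modules/$(ls /lib/modules)/build make -j4
          make run-unit-tests

  # Static build against musl in an Alpine container.
  build-libs-linux-amd64-static:
    name: build-libs-linux-amd64-static 🎃
    runs-on: ubuntu-latest
    container:
      # NOTE(review): mutable image tag; consider alpine@sha256:<IMAGE_DIGEST>.
      image: alpine:3.17
    steps:
      - name: Install deps ⛓️
        run: |
          apk add g++ gcc cmake make git bash perl linux-headers autoconf automake m4 libtool elfutils-dev libelf-static patch binutils bpftool clang

      # NOTE(review): mutable tag, unlike the SHA-pinned checkout used by the
      # other jobs; pin it the same way:
      #   actions/checkout@<FULL_COMMIT_SHA> # <release tag>
      - name: Checkout Libs ⤵️
        uses: actions/checkout@v3
        with:
          fetch-depth: 0

      - name: Git safe directory
        run: |
          git config --global --add safe.directory "$GITHUB_WORKSPACE"

      - name: Build and test 🏗️🧪
        run: |
          mkdir -p build
          cd build && cmake -DBUILD_BPF=On -DBUILD_DRIVER=Off -DUSE_BUNDLED_DEPS=On -DUSE_BUNDLED_LIBELF=Off -DUSE_SHARED_LIBELF=Off -DBUILD_LIBSCAP_MODERN_BPF=ON -DMUSL_OPTIMIZED_BUILD=On ../
          make run-unit-tests -j4

  # Shared-library build, installed to /tmp/libs-test and then consumed through
  # pkg-config and the runtime linker to prove the installed layout is usable.
  build-shared-libs-linux-amd64:
    name: build-shared-libs-linux-amd64 🧐
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Libs ⤵️
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          fetch-depth: 0

      - name: Git safe directory
        run: |
          git config --global --add safe.directory "$GITHUB_WORKSPACE"

      # install-deps.sh comes from the checked-out ref and runs as root here.
      - name: Install deps ⛓️
        run: |
          sudo apt update
          sudo apt install -y --no-install-recommends ca-certificates cmake build-essential git clang llvm pkg-config autoconf automake libtool libelf-dev wget libc-ares-dev libcurl4-openssl-dev libssl-dev libre2-dev libtbb-dev libjq-dev libjsoncpp-dev libgrpc++-dev protobuf-compiler-grpc libgtest-dev libprotobuf-dev linux-headers-$(uname -r)
          sudo .github/install-deps.sh

      - name: Build and test 🏗️🧪
        run: |
          mkdir -p build
          cd build && cmake -DBUILD_SHARED_LIBS=True -DUSE_BUNDLED_DEPS=False -DMINIMAL_BUILD=True -DCMAKE_INSTALL_PREFIX=/tmp/libs-test ../
          make -j4
          make run-unit-tests

      - name: Install
        run: |
          cd build
          make install

      - name: Test sinsp-example build with pkg-config
        run: |
          cd userspace/libsinsp/examples
          export PKG_CONFIG_PATH=/tmp/libs-test/lib/pkgconfig
          g++ -o sinsp-example test.cpp util.cpp $(pkg-config --cflags --libs libsinsp)

      - name: Test sinsp-example runtime linker
        run: |
          cd userspace/libsinsp/examples
          export LD_LIBRARY_PATH=/tmp/libs-test/lib
          ./sinsp-example -h

  # Windows (both MSVC runtime variants) plus one macOS entry added via include.
  build-libs-others-amd64:
    name: build-libs-others-amd64 😨
    strategy:
      fail-fast: false
      matrix:
        os: [windows-latest]
        crt: [MultiThreaded, MultiThreadedDLL]
        include:
          - os: macos-latest
    runs-on: ${{ matrix.os }}
    steps:
      - name: Checkout Libs ⤵️
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          fetch-depth: 0

      - name: Build and test 🏗️🧪
        # NOTE(review): `A && B || C` also runs C when the build (A) fails, not
        # only when the make target is unavailable; presumably the .exe path is
        # the Windows way of running the unit tests — confirm.
        run: |
          mkdir -p build
          cd build && cmake -DUSE_BUNDLED_DEPS=ON -DCMAKE_BUILD_TYPE=Release -DCMAKE_MSVC_RUNTIME_LIBRARY=${{ matrix.crt }} -DCREATE_TEST_TARGETS=ON -DMINIMAL_BUILD=ON ..
          cmake --build . --config Release && make run-unit-tests || libsinsp\test\Release\unit-test-libsinsp.exe

  # macOS shared-library build, validated the same way as the Linux one.
  build-shared-libs-macos-amd64:
    name: build-shared-libs-macos-amd64 😨
    # No matrix is defined for this job, so fail-fast has nothing to act on.
    strategy:
      fail-fast: false
    runs-on: macos-latest
    steps:
      - name: Checkout Libs ⤵️
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          fetch-depth: 0

      - name: Install deps ⛓️
        run: |
          HOMEBREW_NO_AUTO_UPDATE=1 brew install c-ares re2 tbb jq jsoncpp openssl uthash

      - name: Build 🏗️
        run: |
          mkdir -p build
          cd build && cmake -DBUILD_SHARED_LIBS=True -DUSE_BUNDLED_DEPS=False -DUSE_BUNDLED_VALIJSON=ON -DCMAKE_BUILD_TYPE=Release -DCREATE_TEST_TARGETS=OFF -DMINIMAL_BUILD=ON -DCMAKE_INSTALL_PREFIX=/tmp/libs-test ..
          cmake --build . --config Release

      - name: Install
        run: |
          cd build
          make install

      - name: Test sinsp-example build with pkg-config 🧪
        run: |
          cd userspace/libsinsp/examples
          export PKG_CONFIG_PATH=/tmp/libs-test/lib/pkgconfig
          c++ --std=c++17 -o sinsp-example test.cpp util.cpp $(pkg-config --cflags --libs libsinsp)

      - name: Test sinsp-example runtime linker 🧪
        run: |
          cd userspace/libsinsp/examples
          export DYLD_LIBRARY_PATH=/tmp/libs-test/lib
          ./sinsp-example -h

  # This job checks that a bundled deps of libs is as static as possible
  test-libs-static:
    name: test-libs-static (bundled_deps)
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout Libs ⤵️
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          fetch-depth: 0

      - name: Install deps ⛓️
        run: |
          sudo apt update
          sudo apt install -y --no-install-recommends ca-certificates cmake build-essential clang-14 llvm-14 git pkg-config autoconf automake libtool libelf-dev libcap-dev linux-headers-$(uname -r)
          sudo update-alternatives --install /usr/bin/clang clang /usr/bin/clang-14 90
          sudo update-alternatives --install /usr/bin/llvm-strip llvm-strip /usr/bin/llvm-strip-14 90
          sudo update-alternatives --install /usr/bin/llc llc /usr/bin/llc-14 90

      - name: Build sinsp-example
        run: |
          mkdir -p build
          cd build && cmake -DUSE_BUNDLED_DEPS=On -DBUILD_DRIVER=ON -DBUILD_LIBSCAP_MODERN_BPF=ON -DBUILD_BPF=On -DBUILD_LIBSCAP_GVISOR=On -DCREATE_TEST_TARGETS=Off -DENABLE_LIBSCAP_TESTS=Off ../
          make -j$(nproc) sinsp-example

      # Reduces the ldd output to a sorted list of library basenames and diffs
      # it against the allow-list below; any additional dynamic dependency
      # makes the diff non-empty and fails the job.
      - name: Ensure that sinsp-example with bundled deps is as static as possible
        run: |
          ldd "build/libsinsp/examples/sinsp-example" | cut --fields=2 | cut --delimiter=' ' --fields=1 | rev | cut --delimiter='/' --fields=1 | rev | sort --unique --version-sort > ldd_out.txt
          cat > expected_ldd_out.txt <<EOF
          ld-linux-x86-64.so.2
          libc.so.6
          libgcc_s.so.1
          libm.so.6
          libstdc++.so.6
          linux-vdso.so.1
          EOF
          diff -u expected_ldd_out.txt ldd_out.txt

  # End-to-end tests: builds sinsp-example plus the kernel driver and BPF
  # probe, then runs the e2e suite as root on the runner.
  run-e2e-tests-amd64:
    name: run-e2e-tests-amd64
    strategy:
      fail-fast: false
      matrix:
        name: [system_deps, bundled_deps, asan]
        include:
          - name: system_deps
            cmake_opts: -DUSE_BUNDLED_DEPS=False
          - name: bundled_deps
            cmake_opts: -DUSE_BUNDLED_DEPS=True
          - name: asan
            cmake_opts: -DUSE_BUNDLED_DEPS=True -DCMAKE_C_FLAGS=-fsanitize=address -DCMAKE_CXX_FLAGS=-fsanitize=address
    runs-on: ubuntu-22.04
    steps:
      - name: Install deps ⛓️
        run: |
          sudo apt-get update && sudo apt-get install -y --no-install-recommends \
            ca-certificates \
            cmake \
            build-essential \
            clang-14 llvm-14 \
            git \
            clang \
            llvm \
            pkg-config \
            autoconf \
            automake \
            libtool \
            libelf-dev \
            wget \
            libc-ares-dev \
            libbpf-dev \
            libcap-dev \
            libcurl4-openssl-dev \
            libssl-dev \
            libtbb-dev \
            libjq-dev \
            libjsoncpp-dev \
            libgrpc++-dev \
            protobuf-compiler-grpc \
            libgtest-dev \
            libprotobuf-dev \
            "linux-headers-$(uname -r)"
          sudo update-alternatives --install /usr/bin/clang clang /usr/bin/clang-14 90
          sudo update-alternatives --install /usr/bin/llvm-strip llvm-strip /usr/bin/llvm-strip-14 90
          sudo update-alternatives --install /usr/bin/llc llc /usr/bin/llc-14 90

      - name: Checkout Libs ⤵️
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          fetch-depth: 0

      - name: Fix kernel mmap rnd bits
        # Asan in llvm 14 provided in ubuntu 22.04 is incompatible with
        # high-entropy ASLR in much newer kernels that GitHub runners are
        # using leading to random crashes: https://reviews.llvm.org/D148280
        run: sudo sysctl vm.mmap_rnd_bits=28

      - name: Install deps ⛓️
        run: |
          sudo .github/install-deps.sh

      - name: Git safe directory
        run: |
          git config --global --add safe.directory "$GITHUB_WORKSPACE"

      - name: Build and test 🏗️🧪
        env:
          # This avoids random failures on CI.
          # (https://github.com/google/sanitizers/issues/1322#issuecomment-699946942)
          ASAN_OPTIONS: intercept_tls_get_addr=0
        # `sudo -E` keeps the job environment, so the scripts from the
        # checked-out ref run as root with every variable exported to this step.
        run: |
          mkdir -p build && cd build
          cmake -DBUILD_BPF=ON \
                -DBUILD_LIBSCAP_MODERN_BPF=ON \
                -DBUILD_LIBSCAP_GVISOR=OFF \
                ${{ matrix.cmake_opts }} \
                -DUSE_BUNDLED_LIBBPF=ON \
                ..
          make -j$(nproc) sinsp-example driver bpf
          sudo -E make e2e-install-deps
          sudo -E ../test/e2e/scripts/run_tests.sh

      # Only uploaded when an earlier step failed, to keep the test report.
      - name: Archive test reports
        uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
        if: failure()
        with:
          name: ${{ matrix.name }}_report
          path: |
            ${{ github.workspace }}/build/report/

  # WebAssembly build through the emscripten toolchain wrappers.
  build-libs-emscripten:
    name: build-libs-emscripten 🧐
    runs-on: ubuntu-latest
    steps:
      - name: Install deps ⛓️
        run: |
          sudo apt update
          sudo apt install -y --no-install-recommends ca-certificates cmake build-essential clang-14 llvm-14 git pkg-config autoconf automake libtool libelf-dev libcap-dev linux-headers-$(uname -r) emscripten

      - name: Checkout Libs ⤵️
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          fetch-depth: 0

      - name: Git safe directory
        run: |
          git config --global --add safe.directory "$GITHUB_WORKSPACE"

      - name: Build and test 🏗️🧪
        run: |
          mkdir -p build
          cd build && emcmake cmake -DUSE_BUNDLED_DEPS=True ../
          emmake make -j4
          emmake make run-unit-tests -j4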