fix(driver-modern-bpf): fix execve USER vs MEMORY reads + cleanup + enforce upper bounds in push__bytebuf #633
Merged: poiana merged 5 commits into falcosecurity:master from incertum:fix-modern-bpf-push-data on Oct 13, 2022 (+18 −16).
Commits (5, all by incertum):

9d796ac cleanup(driver-modern-bpf): minor refactor of push__bytebuf to reflec…
df17037 cleanup(driver-modern-bpf): enforce upper bounds for push__bytebuf
a94d950 fix(driver-modern-bpf): fix USER vs MEMORY attribution in execve filler
7bf2082 cleanup(driver-modern-bpf): skip push__bytebuf reads when no valid le…
1a388da cleanup(driver-modern-bpf): start moving bound checks to auxmap__store*
Conversation

Not completely understood why we need this 🤔

SAFE_ACCESS should already protect us from the worst case.

It has been part of the old probe, and it may be less for protection and rather more because you don't ever want to log super super long unbounded strings in your logs. @leogr @FedeDP do you have more insights re what the motivation was in the old probe? Only safe reads, or also some guarantees on limits? Lastly, for push__charbuf limits are enforced, so it would also be about consistency.

That's a good point. For this reason we use approaches like the snaplen to let users understand the max dimension they want to send; you can see an example here: libs/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/sendto.bpf.c, lines 89 to 98 in 0c280ca.

The idea of this snaplen concept is to limit at a higher level, so you can choose when to limit rather than implementing it directly at low level. For what concerns the old probe, we use this same concept of snaplen; all the other checks are to please the verifier AFAIK 🤔

Those are the two relevant max bounds from the old probe.

These values are battle proven, so I wouldn't go higher before testing modern_bpf in the field. We probably have a few options here and we can go step-wise, no need to change all now.

MAX_PARAM_SIZE: if I can say so, the value appears extremely large. I think 2^12 is reasonable and enough and, as mentioned, battle proven. If we go this route we can change this quickly and reuse the existing macro.

read_memory: for example, for the cmd args I can see that maybe 2^13 could be a good choice for an enforced upper bound. I would however perform all bound checks and select the corresponding upper bound here and not in the fillers. In addition, fillers can always also enforce a lower value than the max enforced bound. These bound checks are not unique to Falco or libs, I see them everywhere and I would be very hesitant deploying anything to production without them.
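To make the two layers argued about in this thread concrete (a caller-chosen snaplen on top, a hard cap at the lowest level, and skipping reads with no valid length), here is an added stand-alone C sketch; it is not code from libs, and the `auxmap` struct, `auxmap_store_bytebuf`, and the `AUX_CAPACITY`/`MAX_PARAM_SIZE` values are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed constants for illustration only; the real values live in the
 * driver's headers. 2^12 is the cap size proposed in the discussion above. */
#define AUX_CAPACITY   (64u * 1024u)   /* payload capacity of the auxiliary buffer */
#define MAX_PARAM_SIZE (1u << 12)      /* hard cap enforced at the lowest level */

/* Hypothetical stand-in for the auxiliary map: a flat buffer plus a write cursor. */
struct auxmap {
	uint8_t  data[AUX_CAPACITY];
	uint32_t payload_pos;
};

/* Store a raw byte buffer into the auxmap. Returns the number of bytes
 * actually stored, which is 0 when the read is skipped entirely. */
static uint32_t auxmap_store_bytebuf(struct auxmap *m, const uint8_t *src,
                                     uint32_t len, uint32_t snaplen)
{
	if (m == NULL || src == NULL || len == 0)
		return 0;                 /* no valid length: skip the read */
	/* Layer 1: the user-facing snaplen says how much the caller wants. */
	if (len > snaplen)
		len = snaplen;
	/* Layer 2: the low-level cap holds even if a filler passes a huge snaplen. */
	if (len > MAX_PARAM_SIZE)
		len = MAX_PARAM_SIZE;
	/* Never write past the end of the auxiliary buffer. */
	if (len > AUX_CAPACITY - m->payload_pos)
		return 0;
	memcpy(&m->data[m->payload_pos], src, len);
	m->payload_pos += len;
	return len;
}

static struct auxmap g_map;                 /* zero-initialised, cursor at 0 */
static uint8_t g_big[3 * MAX_PARAM_SIZE];   /* constructed oversized input */

int main(void)
{
	printf("10 bytes, snaplen 16     -> %u\n", auxmap_store_bytebuf(&g_map, g_big, 10, 16));
	printf("100 bytes, snaplen 16    -> %u\n", auxmap_store_bytebuf(&g_map, g_big, 100, 16));
	printf("12288 bytes, snaplen 1Mi -> %u\n", auxmap_store_bytebuf(&g_map, g_big, (uint32_t)sizeof g_big, 1u << 20));
	printf("0 bytes                  -> %u\n", auxmap_store_bytebuf(&g_map, g_big, 0, 16));
	return 0;
}
```

The third call shows the point made above: even with a generous snaplen, the low-level cap truncates the copy to MAX_PARAM_SIZE, so a filler can only ever lower the bound, never raise it.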

Sorry, typo: I meant the MAX_PARAM_SIZE you also use in SAFE_ACCESS.

Uhm, I got your point. Maybe MAX_PARAM_SIZE is big enough; it's the same value we use in the old probe, but it could be dangerous... BTW, putting a hard-coded value here doesn't seem the right solution, or better, let's say it could be the right solution if we were in production and had to rush, but this is not the case 🤣 Let's take our time to think of something more dynamic or configurable.

I've added some dedicated checks for execve here: https://github.com/falcosecurity/libs/pull/648/files#diff-23e1e00c90562960e7e4110fcc5c62cd89d2ea8a8df3198d7c04512084c7c378R52-R54 :)