search

SUSE / linux-security-sensor

Linux security sensor
Other
18 stars 9 forks source link

Hash function can panic with nil pointer dereference #85

Closed djoreilly closed 7 months ago

djoreilly commented 7 months ago

Reproduce steps:

  1. make stat() sometimes fail in newHashResultCacheEntry() 
    while true; do touch /tmp/test; rm /tmp/test; done
  2. keep running hash() on the file 
    
./output/velociraptor-v0.7.0-4-linux-amd64 query -v --max_wait=1 "SELECT hash(path=File.path) FROM audit(rules=['-w /tmp -p w -k testkey']) WHERE 'testkey' in Tags"

panic: runtime error: invalid memory address or nil pointer dereference [signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0xc36c00]

goroutine 129 [running]: www.velocidex.com/golang/velociraptor/vql/functions.(unixHashResultCacheEntry).Result(0xc000260df0?) /root/linux-security-sensor-oct12/vql/functions/hash_cache_unix.go:38 www.velocidex.com/golang/velociraptor/vql/functions.(HashFunction).Call(0xc00180629c?, {0x2a3da58, 0xc000e50e10}, {0x2a5f4a8, 0xc00131b5e0}, 0x10?) /root/linux-security-sensor-oct12/vql/functions/hash.go:305 +0xd92 www.velocidex.com/golang/vfilter.(_SymbolRef).callFunction(0xc000c6a360, {0x2a3da58?, 0xc000e50e10}, {0x2a5f4a8?, 0xc00131b5e0}, {0x2a2e080?, 0x4438100}) /root/linux-security-sensor-oct12/vendor/www.velocidex.com/golang/vfilter/vfilter.go:1736 +0x55c www.velocidex.com/golang/vfilter.(_SymbolRef).Reduce(0xc000c6a360, {0x2a3da58, 0xc000e50e10}, {0x2a5f4a8, 0xc00131b5e0}) /root/linux-security-sensor-oct12/vendor/www.velocidex.com/golang/vfilter/vfilter.go:1590 +0x1b8 www.velocidex.com/golang/vfilter.(_Value).Reduce(0xc0006afe00, {0x2a3da58, 0xc000e50e10}, {0x2a5f4a8, 0xc00131b5e0}) /root/linux-security-sensor-oct12/vendor/www.velocidex.com/golang/vfilter/vfilter.go:1478 +0x13f www.velocidex.com/golang/vfilter.(_MemberExpression).Reduce(0xc000b48d80, {0x2a3da58, 0xc000e50e10}, {0x2a5f4a8?, 0xc00131b5e0?}) /root/linux-security-sensor-oct12/vendor/www.velocidex.com/golang/vfilter/vfilter.go:1165 +0x50 www.velocidex.com/golang/vfilter.(_MultiplicationExpression).Reduce(0xc000b48dc0, {0x2a3da58, 0xc000e50e10}, {0x2a5f4a8?, 0xc00131b5e0?}) /root/linux-security-sensor-oct12/vendor/www.velocidex.com/golang/vfilter/vfilter.go:1414 +0x4d www.velocidex.com/golang/vfilter.(_AdditionExpression).Reduce(0xc000b48e00, {0x2a3da58, 0xc000e50e10}, {0x2a5f4a8?, 0xc00131b5e0?}) /root/linux-security-sensor-oct12/vendor/www.velocidex.com/golang/vfilter/vfilter.go:1329 +0x4d www.velocidex.com/golang/vfilter.(_ConditionOperand).Reduce(0xc000b03260, {0x2a3da58, 0xc000e50e10}, {0x2a5f4a8?, 0xc00131b5e0?}) /root/linux-security-sensor-oct12/vendor/www.velocidex.com/golang/vfilter/vfilter.go:1367 +0x6d www.velocidex.com/golang/vfilter.(_OrExpression).Reduce(0xc000b48e40, {0x2a3da58, 0xc000e50e10}, {0x2a5f4a8?, 0xc00131b5e0?}) /root/linux-security-sensor-oct12/vendor/www.velocidex.com/golang/vfilter/vfilter.go:1291 +0x50 www.velocidex.com/golang/vfilter.(_AndExpression).Reduce(0xc000b48e80, {0x2a3da58, 0xc000e50e10}, {0x2a5f4a8?, 0xc00131b5e0?}) /root/linux-security-sensor-oct12/vendor/www.velocidex.com/golang/vfilter/vfilter.go:1259 +0x45 www.velocidex.com/golang/vfilter.(_AliasedExpression).Reduce(0x22a6640?, {0x2a3da58?, 0xc000e50e10?}, {0x2a5f4a8?, 0xc00131b5e0?}) /root/linux-security-sensor-oct12/vendor/www.velocidex.com/golang/vfilter/vfilter.go:705 +0x93 www.velocidex.com/golang/vfilter.(_SelectExpression).Transform.func2({0x2a3da58, 0xc000e50e10}, {0xc0007d2918?, 0x14?}) /root/linux-security-sensor-oct12/vendor/www.velocidex.com/golang/vfilter/vfilter.go:961 +0x55 www.velocidex.com/golang/vfilter.MaterializedLazyRow({0x2a3da58, 0xc000e50e10}, {0x2152e40?, 0xc000a06000?}, {0x2a5f4a8, 0xc00131b680}) /root/linux-security-sensor-oct12/vendor/www.velocidex.com/golang/vfilter/lazy.go:110 +0x1cd www.velocidex.com/golang/vfilter.(_Select).processSingleRow(0xc000b34060, {0x2a3da58, 0xc000e50e10}, {0x2a5f4a8, 0xc0017b5a40}, {0x23bdb60, 0xc002410000}, 0xc000a51b60) /root/linux-security-sensor-oct12/vendor/www.velocidex.com/golang/vfilter/vfilter.go:614 +0x3c5 www.velocidex.com/golang/vfilter.(_Select).Eval.func3() /root/linux-security-sensor-oct12/vendor/www.velocidex.com/golang/vfilter/vfilter.go:569 +0x179 created by www.velocidex.com/golang/vfilter.(_Select).Eval in goroutine 128 /root/linux-security-sensor-oct12/vendor/www.velocidex.com/golang/vfilter/vfilter.go:552 +0x2e5