draios / sysdig

Linux system exploration and troubleshooting tool with first class support for containers
http://www.sysdig.com/

don't drop execve event when arguments can't be copied #874

Closed mstemm closed 1 year ago

mstemm commented 7 years ago

Currently, when the driver handles an execve event but can't copy the arguments to the ring buffer, it drops the event. From https://github.com/draios/sysdig/blob/dev/driver/ppm_fillers.c#L1148:

```c
if (args_len) {
    if (args_len > PAGE_SIZE)
        args_len = PAGE_SIZE;

    if (unlikely(ppm_copy_from_user(args->str_storage, (const void __user *)mm->arg_start, args_len)))
        return PPM_FAILURE_INVALID_USER_MEMORY;

    args->str_storage[args_len - 1] = 0;
} else {
    *args->str_storage = 0;
}
```

Instead of dropping the event, it would be better if the driver returned the event with some indication that the args have not been filled in. In userspace, sysdig could, for example, get the arguments from proc, flag the arguments as missing, etc.
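The userspace side of the proposal above, as an added example that is not part of this issue or of the sysdig code base: it assumes a hypothetical `struct exec_event` carrying an `args_missing` flag that the driver would set instead of dropping the event, and a `/proc/<pid>/cmdline` fallback that yields the same NUL-separated blob the driver copies from `mm->arg_start`. The clamp-and-terminate step mirrors the `PAGE_SIZE` / `str_storage[args_len - 1] = 0` logic in the snippet (4 KiB pages assumed). The example also labels where the arguments came from, because a `/proc` read happens after the exec and is racy (the process may have exited, re-exec'd, or rewritten its own argv), so consumers should be able to tell "argv was empty" from "argv is unknown" or "argv was recovered late".

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define ARGS_CAP 4096   /* mirrors the driver's PAGE_SIZE clamp; 4 KiB assumed */
#define MAX_ARGS 64

/* Hypothetical userspace record for one execve event. The real driver drops
 * the event on a failed copy; we assume it instead delivers the event with
 * args_missing set and an empty argument blob. */
struct exec_event {
    int    pid;
    int    args_missing;    /* assumed flag: copy_from_user of argv failed in the driver */
    char   args[ARGS_CAP];  /* NUL-separated argv, same layout as /proc/<pid>/cmdline */
    size_t args_len;        /* bytes valid in args[] */
};

enum args_source { ARGS_FROM_DRIVER, ARGS_FROM_PROC, ARGS_UNAVAILABLE };

/* Copy an argv blob into dst, clamping to cap and forcing the last byte to NUL
 * exactly as ppm_fillers.c does, so a truncated final argument is still a
 * valid C string. Returns the number of bytes stored (0 for an empty blob). */
size_t clamp_args(char *dst, size_t cap, const char *src, size_t len)
{
    if (len == 0 || cap == 0) {
        if (cap)
            dst[0] = '\0';
        return 0;
    }
    if (len > cap)
        len = cap;
    memcpy(dst, src, len);
    dst[len - 1] = '\0';
    return len;
}

/* Split a NUL-separated blob into argv pointers. Precondition: blob[len-1] is
 * NUL (guaranteed by clamp_args / read_proc_cmdline), so strlen cannot overrun. */
int split_args(const char *blob, size_t len, const char **argv, int max_args)
{
    int n = 0;
    size_t i = 0;
    while (i < len && n < max_args) {
        argv[n++] = blob + i;
        i += strlen(blob + i) + 1;  /* step past this argument and its NUL */
    }
    return n;
}

/* Best-effort fallback: /proc/<pid>/cmdline exposes argv in the same layout.
 * Returns bytes read, or -1 if the process is gone or has no cmdline
 * (kernel threads, zombies). The data is read after the exec, so it may not
 * reflect the argv the kernel saw at execve time. */
long read_proc_cmdline(int pid, char *dst, size_t cap)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/%d/cmdline", pid);
    FILE *f = fopen(path, "rb");
    if (!f)
        return -1;
    size_t n = fread(dst, 1, cap, f);
    fclose(f);
    if (n == 0)
        return -1;
    dst[n - 1] = '\0';  /* same clamp as the driver */
    return (long)n;
}

/* Resolve argv for an event: use the driver's copy when present, otherwise try
 * /proc, and report the provenance so filters and alerts can flag it. */
enum args_source resolve_args(struct exec_event *ev, const char **argv,
                              int max_args, int *argc)
{
    enum args_source src = ARGS_FROM_DRIVER;
    if (ev->args_missing) {
        long n = read_proc_cmdline(ev->pid, ev->args, sizeof ev->args);
        if (n < 0) {
            ev->args_len = 0;
            *argc = 0;
            return ARGS_UNAVAILABLE;
        }
        ev->args_len = (size_t)n;
        src = ARGS_FROM_PROC;
    }
    *argc = split_args(ev->args, ev->args_len, argv, max_args);
    return src;
}

int main(void)
{
    const char *argv[MAX_ARGS];
    int argc;

    /* Constructed event: the normal case where the driver copied argv. */
    static const char blob[] = "ls\0-la\0/tmp";  /* sizeof counts the final NUL */
    struct exec_event ok = { .pid = 4242, .args_missing = 0 };
    ok.args_len = clamp_args(ok.args, sizeof ok.args, blob, sizeof blob);
    enum args_source s = resolve_args(&ok, argv, MAX_ARGS, &argc);
    printf("source=%d argc=%d\n", s, argc);
    for (int i = 0; i < argc; i++)
        printf("  argv[%d]=%s\n", i, argv[i]);

    /* Constructed event with the copy failure the issue describes, using this
     * process's own pid so the /proc fallback has something to read. */
    struct exec_event missing = { .pid = (int)getpid(), .args_missing = 1, .args_len = 0 };
    s = resolve_args(&missing, argv, MAX_ARGS, &argc);
    printf("source=%d argc=%d%s\n", s, argc,
           s == ARGS_UNAVAILABLE ? " (argv unknown)" : "");
    return 0;
}
```

Whatever the fallback returns, the `ARGS_FROM_PROC` / `ARGS_UNAVAILABLE` label should travel with the event into whatever formats or filters it, since an argv recovered from `/proc` is controlled by the target process after the exec and is weaker evidence than the copy the driver takes at execve time.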

github-actions[bot] commented 1 year ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.