falcosecurity / falco

Cloud Native Runtime Security
https://falco.org
Apache License 2.0

Falco 0.36.2 BPF probe conflict with deepflow #2957

Open Spartan-65 opened 10 months ago

Spartan-65 commented 10 months ago

Describe the bug

Run deepflow and falco in ebpf mode

How to reproduce it

Expected behaviour

Screenshots

Environment

- Cloud provider or hardware configuration:
- OS:

NAME="CentOS Linux" VERSION="7 (Core)" ID="centos" ID_LIKE="rhel fedora" VERSION_ID="7" PRETTY_NAME="CentOS Linux 7 (Core)" ANSI_COLOR="0;31" CPE_NAME="cpe:/o:centos:centos:7" HOME_URL="https://www.centos.org/" BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7" CENTOS_MANTISBT_PROJECT_VERSION="7" REDHAT_SUPPORT_PRODUCT="centos"


- Kernel:

Linux falco-cgq72 4.19.25-204.el7.bclinux.x86_64 #1 SMP Wed Dec 23 15:41:17 CST 2020 x86_64 GNU/Linux

- Installation method:

Kubernetes


**Additional context**

I found that the kernel module also uses this function `static inline int32_t ringbuffer_next(struct scap_device_set *devset, OUT scap_evt** pevent, OUT uint16_t* pcpuid)`, why does it only get an error in ebpf mode?

Andreagit97 commented 9 months ago

uhm this is interesting, it seems like the 2 ebpf probes are conflicting in some way,

Error: scap_next buffer corruption

this message means that someone wrote in the falco bpf buffer :thinking: we will take a look, thank you for reporting!

Andreagit97 commented 9 months ago

I've seen you are using 0.36.2 with the kernel module; I'm not able to reproduce this issue https://github.com/falcosecurity/libs/issues/1359 with Falco 0.36.2. Can you confirm this?

poiana commented 6 months ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

Spartan-65 commented 6 months ago

I tried to insert the log at this location:

```c
if(pe->ts < min_ts)
{
    printf("pe->len: %u, dev->m_sn_len: %u dev->m_lastreadsize: %u\n", pe->len, dev->m_sn_len, dev->m_lastreadsize);
    /* if the event length is greater than the remaining size in our block there is something wrong! */
    if(pe->len > dev->m_sn_len)
    {
        snprintf(devset->m_lasterr, SCAP_LASTERR_SIZE, "scap_next buffer corruption");

        /* if you get the following assertion, first recompile the driver and `libscap` */
        ASSERT(false);
        return SCAP_FAILURE;
    }
```

Got some of the output:

```
pe->len: 3207276032, dev->m_sn_len: 1176 dev->m_lastreadsize: 0
pe->len: 3207276032, dev->m_sn_len: 1176 dev->m_lastreadsize: 0
pe->len: 3207276032, dev->m_sn_len: 1176 dev->m_lastreadsize: 0
```

The pe->len value seems to be significantly larger than SCRATCH_SIZE_MAX (1<<18 - 1) in the source code.

Can it be assumed that deepflow wrote to the bpf perf map or that Falco misread the corresponding BPF map?
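
As an added illustration (not code from this thread or from libscap) of why the `pe->len > dev->m_sn_len` check fires on the values above: the walker below steps through one ring-buffer block and rejects the first event whose length exceeds the bytes left in the block or SCRATCH_SIZE_MAX. The simplified header layout and the constructed 1176-byte block are assumptions.

```c
#include <stdint.h>
#include <string.h>
/* Simplified stand-in for libscap's event header (assumption: the real
 * struct is packed and has more fields; only len matters for this check). */
struct evt_hdr {
    uint64_t ts;
    uint64_t tid;
    uint32_t len;   /* total event size in bytes, header included */
};
#define SCRATCH_SIZE_MAX ((1u << 18) - 1)

/* Walk the events in one block. Returns the index of the first event whose
 * header fails validation, or -1 if the block is clean. len > remaining is
 * the ringbuffer_next check; SCRATCH_SIZE_MAX is the bound quoted above. */
int find_corrupt_event(const uint8_t *block, uint32_t block_len) {
    uint32_t off = 0;
    int idx = 0;
    while (off < block_len) {
        uint32_t remaining = block_len - off;
        struct evt_hdr h;
        if (remaining < sizeof h) return idx;   /* truncated header */
        memcpy(&h, block + off, sizeof h);      /* avoid unaligned loads */
        if (h.len < sizeof h || h.len > remaining || h.len > SCRATCH_SIZE_MAX)
            return idx;
        off += h.len;
        idx++;
    }
    return -1;
}

/* Constructed 1176-byte block, the m_sn_len value from the report. */
static uint8_t block[1176];
static void put_evt(uint32_t off, uint32_t len) {
    struct evt_hdr h = { .ts = 1000 + off, .tid = 42, .len = len };
    memcpy(block + off, &h, sizeof h);
}

/* demo_corrupt: two sane events, then a header with the reported len
 * 3207276032 (-> 2). demo_clean: 64 + 96 + 1016 exactly fill the block (-> -1). */
int demo_corrupt(void) {
    memset(block, 0, sizeof block);
    put_evt(0, 64); put_evt(64, 96); put_evt(160, 3207276032u);
    return find_corrupt_event(block, sizeof block);
}
int demo_clean(void) {
    memset(block, 0, sizeof block);
    put_evt(0, 64); put_evt(64, 96); put_evt(160, 1016);
    return find_corrupt_event(block, sizeof block);
}
```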

Spartan-65 commented 6 months ago

deepflow ebpf map info:

```
bpftool map
1: hash  name calico_failsafe  flags 0x1
    key 4B  value 1B  max_entries 65535  memlock 5246976B
36: hash  name __active_read_a  flags 0x0
    key 8B  value 60B  max_entries 40960  memlock 5967872B
37: hash  name __active_write_  flags 0x0
    key 8B  value 60B  max_entries 40960  memlock 5967872B
38: array  name __adapt_kern_ui  flags 0x0
    key 4B  value 8B  max_entries 1  memlock 4096B
39: percpu_array  name __ctx_info  flags 0x0
    key 4B  value 176B  max_entries 1  memlock 4096B
40: percpu_array  name __data_buf  flags 0x0
    key 4B  value 32768B  max_entries 1  memlock 266240B
41: percpu_array  name __http2_stack  flags 0x0
    key 4B  value 8334B  max_entries 1  memlock 69632B
42: percpu_array  name __io_event_buff  flags 0x0
    key 4B  value 80B  max_entries 1  memlock 4096B
43: array  name __kprobe_port_b  flags 0x0
    key 4B  value 8192B  max_entries 2  memlock 20480B
44: percpu_array  name __members_offse  flags 0x0
    key 4B  value 80B  max_entries 1  memlock 4096B
45: prog_array  name __progs_jmp_kp_  flags 0x0
    key 4B  value 4B  max_entries 2  memlock 4096B
46: prog_array  name __progs_jmp_tp_  flags 0x0
    key 4B  value 4B  max_entries 3  memlock 4096B
47: array  name __protocol_filt  flags 0x0
    key 4B  value 4B  max_entries 130  memlock 4096B
48: perf_event_array  name __socket_data  flags 0x0
    key 4B  value 4B  max_entries 256  memlock 4096B
49: hash  name __socket_info_m  flags 0x0
    key 8B  value 58B  max_entries 524288  memlock 71307264B
50: hash  name __socket_role_m  flags 0x0
    key 8B  value 4B  max_entries 40960  memlock 3674112B
51: hash  name __ssl_ctx_map  flags 0x0
    key 8B  value 20B  max_entries 40960  memlock 4329472B
52: percpu_array  name __trace_conf_ma  flags 0x0
    key 4B  value 48B  max_entries 1  memlock 4096B
53: hash  name __trace_map  flags 0x0
    key 16B  value 25B  max_entries 524288  memlock 58724352B
54: array  name __trace_stats_m  flags 0x0
    key 4B  value 16B  max_entries 1  memlock 4096B
55: lru_hash  name go_ancerstor_ma  flags 0x0
    key 12B  value 8B  max_entries 40960  memlock 4001792B
56: lru_hash  name go_rw_ts_map  flags 0x0
    key 12B  value 8B  max_entries 40960  memlock 4001792B
57: hash  name goroutines_map  flags 0x0
    key 8B  value 8B  max_entries 40960  memlock 3674112B
58: lru_hash  name http2_tcp_seq_m  flags 0x0
    key 12B  value 4B  max_entries 40960  memlock 4001792B
59: hash  name pid_tgid_caller  flags 0x0
    key 8B  value 16B  max_entries 40960  memlock 4001792B
60: hash  name proc_info_map  flags 0x0
    key 4B  value 64B  max_entries 40960  memlock 5967872B
61: hash  name tls_conn_map  flags 0x0
    key 16B  value 32B  max_entries 40960  memlock 4984832B
62: perf_event_array  name __profiler_outp  flags 0x0
    key 4B  value 4B  max_entries 256  memlock 4096B
63: perf_event_array  name __profiler_outp  flags 0x0
    key 4B  value 4B  max_entries 256  memlock 4096B
64: array  name __profiler_stat  flags 0x0
    key 4B  value 8B  max_entries 7  memlock 4096B
65: stack_trace  name __stack_map_a  flags 0x0
    key 4B  value 1016B  max_entries 65536  memlock 68161536B
66: stack_trace  name __stack_map_b  flags 0x0
    key 4B  value 1016B  max_entries 65536  memlock 68161536B
```

Spartan-65 commented 5 months ago

> I've seen you are using 0.36.2 with the kernel module; I'm not able to reproduce this issue falcosecurity/libs#1359 with Falco 0.36.2. Can you confirm this?

@Andreagit97 It's not the same environment; it's in a user environment where deepflow is deployed.

Andreagit97 commented 5 months ago

uhm ok! Thank you for the additional info! Yes, at first look it seems that deepflow wrote into the Falco perf buffer... we will take a look! Thank you for reporting. Is this happening also with the modern_ebpf?

poiana commented 4 months ago

Stale issues rot after 30d of inactivity.

Mark the issue as fresh with /remove-lifecycle rotten.

Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle rotten

Andreagit97 commented 4 months ago

/remove-lifecycle rotten

poiana commented 1 month ago

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

FedeDP commented 1 month ago

/remove-lifecycle stale