fix(ebpf): treat sched_process_exit corner cases

The `sched_process_exit` event might be triggered by an usual exit like syscall or by a different path like `do_exit`, `do_exit_group` or even an internal kernel one, so it's not safe to assume that it is always triggered by a syscall.
aquasecurity · Jan 28, 2025 · bf9fd8c · bf9fd8c
1 parent a6ea82e
commit bf9fd8c
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 3 deletions.
diff --git a/pkg/ebpf/c/tracee.bpf.c b/pkg/ebpf/c/tracee.bpf.c
@@ -1521,6 +1521,17 @@ int tracepoint__sched__sched_process_exit(struct bpf_raw_tracepoint_args *ctx)
     if (!init_program_data(&p, ctx, SCHED_PROCESS_EXIT))
         return 0;
 
+    // If the task was signaled (PF_SIGNALED is set), the syscall number cannot be trusted.
+    // Otherwise, if the task was not signaled:
+    // - A kernel thread (PF_KTHREAD is set) is expected to have no valid syscall context.
+    // - If PF_KTHREAD is not set but the syscall value is negative, it may be garbage
+    //   from a clobbered context.
+    // In either case, the syscall number cannot be trusted, so we set it to NO_SYSCALL.
+    int task_flags = get_task_flags(p.event->task);
+    if ((task_flags & PF_SIGNALED) ||
+        (!(task_flags & PF_KTHREAD) && (p.event->context.syscall < 0)))
+        p.event->context.syscall = NO_SYSCALL;
+
     // evaluate matched_policies before removing this pid from the maps
     evaluate_scope_filters(&p);
 

diff --git a/pkg/ebpf/c/vmlinux_missing.h b/pkg/ebpf/c/vmlinux_missing.h
@@ -48,7 +48,8 @@
 
 #define ICMPV6_ECHO_REQUEST 128
 
-#define PF_KTHREAD 0x00200000 /* I am a kernel thread */
+#define PF_SIGNALED 0x00000400 /* Killed by a signal */
+#define PF_KTHREAD  0x00200000 /* I am a kernel thread */
 
 #define TASK_COMM_LEN 16
 

diff --git a/pkg/ebpf/events_pipeline.go b/pkg/ebpf/events_pipeline.go
@@ -221,10 +221,9 @@ func (t *Tracee) decodeEvents(ctx context.Context, sourceChan chan []byte) (<-ch
 				if events.Core.IsDefined(id) {
 					syscall = events.Core.GetDefinitionByID(id).GetName()
 				} else {
-					// This should never fail, as the translation used in eBPF relies on the same event definitions
 					commStr := string(eCtx.Comm[:bytes.IndexByte(eCtx.Comm[:], 0)])
 					utsNameStr := string(eCtx.UtsName[:bytes.IndexByte(eCtx.UtsName[:], 0)])
-					logger.Errorw(
+					logger.Debugw(
 						fmt.Sprintf("Event %s with an invalid syscall id %d", evtName, id),
 						"Comm", commStr,
 						"UtsName", utsNameStr,