opensnitch
error while marshaling: string field contains invalid UTF-8
Hello there,
Found a bug with a specific program (an interesting one IMO)
[2021-07-28 16:21:19] ERR Invalid rule received, applying default action
[2021-07-28 16:21:19] WAR Error while pinging UI service: rpc error: code = Internal desc = grpc: error while marshaling: string field contains invalid UTF-8, state: READY
To Reproduce
- Install the package sqsh (a mssql client) on Ubuntu 20.04
- Connect to a non-existent server (in this case localhost)
- OK interaction: prompt should pop up after typing in password
  sqsh -S localhost
- Error interaction
  sqsh -S localhost -P foo
Screenshots
OK Interaction
Error Interaction
OS (please complete the following information):
- OS: NAME="Ubuntu" VERSION="20.04.2 LTS (Focal Fossa)"
- Kernel: Linux X 5.10.0-1034-oem 35-Ubuntu SMP Wed Jun 23 09:55:56 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
- Window Manager: KDE
good catch @shollingsworth !
I'll try to reproduce it.
ok, reproduced, even with eBPF.
It's invoked correctly:
execve("/usr/bin/sqsh", ["sqsh", "-S", "localhost", "-P", "sss"], 0x7ffe74bb4da0 /* 58 vars */) = 0
But sqsh rewrites in memory the parameter -P: https://github.com/vonloxley/sqsh/blob/afd4276e09d5dfdd5873d6db62a81dfeff9eded9/src/sqsh_main.c#L1083
execve("/usr/local/bin/sqsh", ["sqsh", "-S", "localhost", "-\2503/4"], 0x7ffec415d0b8 /* 58 vars */) = -1 ENOENT
execve("/usr/bin/sqsh", ["sqsh", "-S", "localhost", "-\2503/4"], 0x7ffec415d0b8 /* 58 vars */) = 0
$ cat /proc/10915/cmdline
sqsh-Slocalhost-�3/4
execsnoop-bpfcc catches correctly the original command line:
PCOMM PID PPID RET ARGS
sqsh 23765 4335 0 /usr/bin/sqsh -S localhost -P sss
sqsh 23765 4335 0 /usr/bin/sqsh -S localhost -�3/4
But when we read the command line of the PID, I can't recover the unmodified parameter. We should get it from kernel space (bpf_probe_read_kernel_str(&data4.path1, sizeof(data4.path1), &task->mm->exe_file->f_path.dentry->d_parent->d_parent->d_name.name);), or if it's not possible due to hitting the 512-byte limit, maybe we could work around it by maintaining a map of new execs.
Rewriting the arguments and name of your own process is a valid and expected operation, so we shouldn't trust what's written to /proc
So far I haven't found a way to work around this problem. strconv.IsPrint() and utf8.ValidRune() report "�3/4" as valid, while utf8.Valid() reports it as invalid, but also "ááá" ... so any parameters with unicode chars would be rewritten.
Thanks for doing the digging on this @gustavo-iniguez-goya , I'm guessing we can just close this as a one off if there's no easy fix.
I think the best solution will be to encode the parameters. I've got it working but it needs more work to ensure that everything is working properly (note: encode parameters when loading rules).
utf8, graphics and other encodings seem to work fine, so I'll postpone this issue for the next version.
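
One way to encode arguments read from /proc/<pid>/cmdline so they can be marshaled into a protobuf string field, as an added example that is not opensnitch's code or part of the thread. The names sanitizeArg and splitCmdline are hypothetical, the \xNN escape format is an assumption, and the sample bytes are constructed from the strace output above.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"unicode/utf8"
)

// sanitizeArg (hypothetical helper) returns arg unchanged when it is valid
// UTF-8. Otherwise every byte that does not start a valid sequence becomes a
// literal \xNN escape, so the result always marshals as a protobuf string.
// Rule operands would need the same encoding for comparisons to match.
func sanitizeArg(arg []byte) string {
	if utf8.Valid(arg) {
		return string(arg)
	}
	var b strings.Builder
	for len(arg) > 0 {
		r, size := utf8.DecodeRune(arg)
		if r == utf8.RuneError && size == 1 {
			fmt.Fprintf(&b, "\\x%02x", arg[0]) // invalid byte: escape it
		} else {
			b.WriteRune(r) // valid rune (ASCII or multi-byte): keep it
		}
		arg = arg[size:]
	}
	return b.String()
}

// splitCmdline (hypothetical helper) splits the NUL-separated content of
// /proc/<pid>/cmdline and sanitizes each argument.
func splitCmdline(raw []byte) []string {
	raw = bytes.TrimRight(raw, "\x00")
	if len(raw) == 0 {
		return nil
	}
	var args []string
	for _, p := range bytes.Split(raw, []byte{0}) {
		args = append(args, sanitizeArg(p))
	}
	return args
}

func main() {
	// Constructed sample: strace's "-\2503/4" is '-', byte 0xA8, then "3/4".
	raw := []byte("sqsh\x00-S\x00localhost\x00-\xa83/4\x00")
	for _, a := range splitCmdline(raw) {
		fmt.Printf("%q valid=%v\n", a, utf8.ValidString(a))
	}
}
```

Arguments whose bytes are UTF-8 encoded pass through untouched; only bytes that do not form a valid sequence, such as a Latin-1 encoded á (0xE1), are escaped.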