Attempting to use proc.a* fields (%proc.aname, %proc.apid...) in output w/o argument results in undefined behavior

Open LucaGuerra opened this issue 1 year ago • 7 comments

Describe the bug

According to the documentation, fields like proc.aname do not make sense in output by themselves but only in filters. So proc.aname = bash is legit, My aname is '%proc.aname' is not.

Currently, you can still write an output string like the one above, and this is what happens:

  • If "%proc.aname" is evaluated as-is or at the end of an output string, it'll return proc.aname[0]
  • If the formatting token %proc.aname is in the middle of the output string this results in an uninitialized read, as m_argid is NOT set in sinsp_filter_check_thread::parse_field_name and so the behavior is undefined

How to reproduce it

TEST_F(sinsp_formatter_test, repro) {
	format("hello |%proc.name| |%proc.aname| end");
	std::cout << "----- last_output -----" << std::endl;
	std::cout << m_last_output << std::endl;
}

Expected behaviour

Either a NULL which is properly handled or a syntax error. Both are acceptable I think. I prefer a syntax error at this point.

LucaGuerra avatar Jan 10 '25 16:01 LucaGuerra
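
The "syntax error" outcome requested in the issue above, sketched as an added example (not code from falcosecurity/libs or from the issue author): a simplified output-format parser that always initializes the argument index and rejects an indexed field used without [N]. The names field_token, parse_output_format, is_valid_output_format and the k_needs_index set are assumptions made for illustration.

```cpp
#include <cctype>
#include <set>
#include <stdexcept>
#include <string>
#include <vector>

// Hypothetical model of one parsed %field token (not the sinsp types).
struct field_token {
    std::string name;
    int argid = -1;  // -1 means "no [N] given"; never left uninitialized
};

// Assumption: fields modelled here as meaningless in output without [N].
static const std::set<std::string> k_needs_index = {"proc.aname", "proc.apid"};

static bool is_name_char(char c) {
    return std::isalnum(static_cast<unsigned char>(c)) || c == '.' || c == '_';
}

// Parse every %field in fmt; throw instead of guessing a missing index.
std::vector<field_token> parse_output_format(const std::string& fmt) {
    std::vector<field_token> out;
    for (size_t i = 0; i < fmt.size(); ++i) {
        if (fmt[i] != '%') continue;
        size_t j = i + 1;
        while (j < fmt.size() && is_name_char(fmt[j])) ++j;
        if (j == i + 1) continue;  // lone '%', not a field
        field_token tok;
        tok.name = fmt.substr(i + 1, j - i - 1);
        if (j < fmt.size() && fmt[j] == '[') {
            size_t close = fmt.find(']', j);
            // Require "[digits]": non-empty, terminated, digits only.
            if (close == std::string::npos || close == j + 1 ||
                fmt.find_first_not_of("0123456789", j + 1) != close)
                throw std::invalid_argument("malformed index on " + tok.name);
            tok.argid = std::stoi(fmt.substr(j + 1, close - j - 1));
            j = close + 1;
        }
        if (k_needs_index.count(tok.name) && tok.argid < 0)
            throw std::invalid_argument(tok.name + " requires an index, e.g. " + tok.name + "[1]");
        out.push_back(tok);
        i = j - 1;  // resume scanning after this token
    }
    return out;
}

// True when the whole output string parses; false on any syntax error.
bool is_valid_output_format(const std::string& fmt) {
    try { parse_output_format(fmt); return true; }
    catch (const std::exception&) { return false; }
}
```

With this model the reproducer string from the issue is rejected when the format is loaded, wherever %proc.aname sits in the string, so no event is ever formatted with an unset index.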

/milestone 0.21.0

FedeDP avatar Jan 20 '25 09:01 FedeDP

I don't think we will have time to work on this during this release cycle. Moving to next one

/milestone 0.22.0

FedeDP avatar Apr 02 '25 10:04 FedeDP

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana avatar Jul 01 '25 16:07 poiana

/remove-lifecycle stale

FedeDP avatar Jul 21 '25 08:07 FedeDP

/milestone 0.23.0

leogr avatar Sep 02 '25 08:09 leogr

Issues go stale after 90d of inactivity.

Mark the issue as fresh with /remove-lifecycle stale.

Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Provide feedback via https://github.com/falcosecurity/community.

/lifecycle stale

poiana avatar Dec 01 '25 10:12 poiana

I might have fixed this by https://github.com/falcosecurity/libs/pull/2704. Let's double-check.

/assign

/remove-lifecycle stale

leogr avatar Dec 01 '25 13:12 leogr