
Don't add ATC table name to registry until after sqlite DB initialization

Open astrocox opened this issue 1 year ago • 1 comments

Fixes #8232

I'm not sure if there are nuances I'm missing or if there is a good way to test this section of code, but this fixes a bug where the first ATC table specified in a conf file is attached twice and the second attempt fails.

astrocox avatar Jan 03 '24 22:01 astrocox

CLA Signed

The committers listed above are authorized under a signed CLA.

  • :white_check_mark: login: astrocox / name: Julia Cox (c0a28d248fea15638d672a5ee51d4bcdee6f19f9)

We discussed this in office hours today. The conclusion is that no one understands why this bug is present, but this fix seems okay.

Thanks for reviewing/merging! Sorry I missed the office hours agenda. If anyone is curious, this bug was happening because Registry::call() calls getConnection() on the SQLiteDBInstance, which calls attachVirtualTables() if the db has not previously been initialized. The attachVirtualTables() function then iterates over every table in the registry and calls Registry::call() for each one. So if you add to the list of tables before that first DB initialization happens, that first table will have attachTableInternal() called on it twice.

Bad screenshot of the offending stack trace: Screenshot 2024-01-03 154356

astrocox avatar Feb 27 '24 19:02 astrocox
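
A simplified model of the call order described in the comment above, as an added example that is not osquery source and not part of the original thread. The struct, its members, `load_atc` and the table names are hypothetical stand-ins for the registry, getConnection(), attachVirtualTables() and attachTableInternal(); the `register_after_init` flag is an assumption about how the reordering in the PR title plays out.

```cpp
#include <iostream>
#include <set>
#include <string>
#include <vector>

// Simplified model with hypothetical names; this is not osquery source.
struct Model {
  std::set<std::string> registry;   // table names the registry knows about
  std::set<std::string> attached;   // tables already attached to the DB
  std::vector<std::string> failed;  // names whose attach was attempted twice
  bool db_initialized = false;

  // Stand-in for attachTableInternal(): attaching the same name twice fails.
  void attach(const std::string& name) {
    if (!attached.insert(name).second) failed.push_back(name);
  }
  // Stand-in for getConnection(): the first use initializes the DB, which
  // attaches every table currently in the registry (attachVirtualTables()).
  void connection() {
    if (db_initialized) return;
    db_initialized = true;
    for (const auto& name : registry) attach(name);
  }
  // Stand-in for Registry::call(): obtains a connection, then attaches.
  void call(const std::string& name) {
    connection();
    attach(name);
  }
};

// Loads ATC table names in conf-file order and returns the failed attaches.
// register_after_init=false: name is in the registry before the first DB init.
// register_after_init=true: DB is initialized before any name is registered.
std::vector<std::string> load_atc(const std::vector<std::string>& names,
                                  bool register_after_init) {
  Model m;
  if (register_after_init) m.connection();
  for (const auto& name : names) {
    m.registry.insert(name);
    m.call(name);
  }
  return m.failed;
}

int main() {
  const std::vector<std::string> names = {"first_atc", "second_atc"};  // constructed
  for (const auto& n : load_atc(names, false)) std::cout << "double attach: " << n << "\n";
  std::cout << "after reordering: " << load_atc(names, true).size() << " failures\n";
}
```

Only the first name in the list is attached twice, because the lazy initialization runs once; every later table sees an already initialized DB.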

Thank you so much for contributing the patch!

directionless avatar Feb 28 '24 03:02 directionless

I was having the same issue for moz_bookmarks:

E0301 11:34:47.283597 -640033728 virtual_table.cpp:1115] Error creating named virtual table: firefox_bookmarks (1)

And I was guessing this could be due to the path in the ATC file:

{
  "auto_table_construction": {
    "firefox_bookmarks": {
      "platform": "darwin",
      "query": "SELECT * FROM moz_bookmarks;",
      "path": "/Users/%/Library/Application Support/Firefox/Profiles/%/places.sqlite",
      "columns": [
        "id",
        "type",
        "fk",
        "parent",
        "position",
        "title",
        "keyword_id",
        "folder_type",
        "dateAdded",
        "lastModified",
        "guid",
        "syncStatus",
        "syncChangeCounter"
      ]
    }
  }
}

There are two (or probably more) profiles in the Profiles folder, so here comes the problem. I guess the fix will also be solving this, right?

Thanks!

rotadsr avatar Mar 01 '24 11:03 rotadsr

Heads up, this may have broken something around ATC table creation via plugins. We're still debugging.

directionless avatar Apr 19 '24 13:04 directionless