Skip to content

Fix resource leak bug in auditbeat/socket#41080

Merged
fearful-symmetry merged 4 commits intoelastic:mainfrom
fearful-symmetry:socket-map-resource-leak
Oct 4, 2024
Merged

Fix resource leak bug in auditbeat/socket#41080
fearful-symmetry merged 4 commits intoelastic:mainfrom
fearful-symmetry:socket-map-resource-leak

Conversation

@fearful-symmetry
Copy link
Contributor

@fearful-symmetry fearful-symmetry commented Oct 2, 2024

Proposed commit message

This appears to be a long-running resource leak in auditbeat that happens under the following conditions:

  1. We get a fork kretprobe event
  2. auditbeat doesn't know if the return value from the kretprobe the TID for a new thread, or a PID/TID for a new process, but assumes it's a PID/TID that represents a new process.
  3. Auditbeat gets an exit kprobe event when the process/thread exits
  4. only if pid == tid for the given exiting process, it will clean up the process hashmap entry
  5. A thread where pid != tid never gets cleaned up

This slightly alters the logic so if pid != tid && s.processExists(tid), we also clean up the entry for the TID on exit.

Checklist

  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • I have made corresponding change to the default configuration files
  • I have added tests that prove my fix is effective or that my feature works
  • I have added an entry in CHANGELOG.next.asciidoc or CHANGELOG-developer.next.asciidoc.

@fearful-symmetry fearful-symmetry self-assigned this Oct 2, 2024
@fearful-symmetry fearful-symmetry requested a review from a team as a code owner October 2, 2024 16:18
@botelastic botelastic bot added the needs_team Indicates that the issue/PR needs a Team:* label label Oct 2, 2024
@mergify
Copy link
Contributor

mergify bot commented Oct 2, 2024

This pull request does not have a backport label.
If this is a bug or security fix, could you label this PR @fearful-symmetry? 🙏.
For such, you'll need to label your PR with:

  • The upcoming major version of the Elastic Stack
  • The upcoming minor version of the Elastic Stack (if you're not pushing a breaking change)

To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

  • backport-8./d is the label to automatically backport to the 8./d branch. /d is the digit

@mergify
Copy link
Contributor

mergify bot commented Oct 2, 2024

backport-8.x has been added to help with the transition to the new branch 8.x.
If you don't need it please use backport-skip label and remove the backport-8.x label.

@mergify mergify bot added the backport-8.x Automated backport to the 8.x branch with mergify label Oct 2, 2024
@fearful-symmetry fearful-symmetry added Team:Security-Linux Platform Linux Platform Team in Security Solution and removed needs_team Indicates that the issue/PR needs a Team:* label labels Oct 2, 2024
@elasticmachine
Copy link
Contributor

elasticmachine commented Oct 2, 2024

Pinging @elastic/sec-linux-platform (Team:Security-Linux Platform)

haesbaert
haesbaert approved these changes Oct 4, 2024
View reviewed changes
Copy link
Contributor

@haesbaert haesbaert left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for fixing this!

@fearful-symmetry fearful-symmetry merged commit 12e846b into elastic:main Oct 4, 2024
mergify bot pushed a commit that referenced this pull request Oct 4, 2024
@fearful-symmetry @mergify
Fix resource leak bug in auditbeat/socket (#41080)
3b99342 
* fix resource leak bug in auditbeat/socket

* linter..

* linter...

(cherry picked from commit 12e846b)
@mergify mergify bot mentioned this pull request Oct 4, 2024
Merged
6 tasks
fearful-symmetry added a commit that referenced this pull request Oct 14, 2024
@mergify @fearful-symmetry
Fix resource leak bug in auditbeat/socket (#41080) (#41137)
c01af07 
* fix resource leak bug in auditbeat/socket

* linter..

* linter...

(cherry picked from commit 12e846b)

Co-authored-by: Alex K. <8418476+fearful-symmetry@users.noreply.github.com>
@khushijain21 khushijain21 mentioned this pull request Jun 23, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@haesbaert haesbaert haesbaert approved these changes

@nicholasberlin nicholasberlin nicholasberlin approved these changes

Assignees

@fearful-symmetry fearful-symmetry

Labels

backport-8.x Automated backport to the 8.x branch with mergify Team:Security-Linux Platform Linux Platform Team in Security Solution

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@fearful-symmetry @elasticmachine @haesbaert @nicholasberlin

Comments