error while marshaling: string field contains invalid UTF-8 #467

Open
shollingsworth opened this issue Jul 28, 2021 · 4 comments
@shollingsworth
Contributor

Hello there,

Found a bug with a specific program (an interesting one IMO)

[2021-07-28 16:21:19]  ERR  Invalid rule received, applying default action
[2021-07-28 16:21:19]  WAR  Error while pinging UI service: rpc error: code = Internal desc = grpc: error while marshaling: string field contains invalid UTF-8, state: READY

To Reproduce

  • Install the package sqsh (an MSSQL client) on Ubuntu 20.04
  • Connect to a non-existent server (in this case localhost)
  • OK interaction
    Prompt should pop up after typing in password
    sqsh -S localhost
  • Error interaction
    sqsh -S localhost -P foo

Screenshots

OK Interaction

ok_interaction

Error Interaction

bad_interaction

OS (please complete the following information):

  • OS: NAME="Ubuntu" VERSION="20.04.2 LTS (Focal Fossa)"
  • Kernel: Linux X 5.10.0-1034-oem 35-Ubuntu SMP Wed Jun 23 09:55:56 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
  • Window Manager: KDE
@gustavo-iniguez-goya
Collaborator

good catch @shollingsworth !

I'll try to reproduce it.

@gustavo-iniguez-goya
Collaborator

ok, reproduced, even with eBPF.

It's invoked correctly:
execve("/usr/bin/sqsh", ["sqsh", "-S", "localhost", "-P", "sss"], 0x7ffe74bb4da0 /* 58 vars */) = 0

But sqsh rewrites the -P parameter in memory:
https://github.com/vonloxley/sqsh/blob/afd4276e09d5dfdd5873d6db62a81dfeff9eded9/src/sqsh_main.c#L1083

execve("/usr/local/bin/sqsh", ["sqsh", "-S", "localhost", "-\2503/4"], 0x7ffec415d0b8 /* 58 vars */) = -1 ENOENT 
execve("/usr/bin/sqsh", ["sqsh", "-S", "localhost", "-\2503/4"], 0x7ffec415d0b8 /* 58 vars */) = 0
$ cat /proc/10915/cmdline 
sqsh-Slocalhost-�3/4

execsnoop-bpfcc correctly catches the original command line:

PCOMM            PID    PPID   RET ARGS
sqsh             23765  4335     0 /usr/bin/sqsh -S localhost -P sss
sqsh             23765  4335     0 /usr/bin/sqsh -S localhost -�3/4

But when we read the command line of the PID, I can't recover the unmodified parameter. We should get it from kernel space (bpf_probe_read_kernel_str(&data4.path1, sizeof(data4.path1), &task->mm->exe_file->f_path.dentry->d_parent->d_parent->d_name.name);), or if that's not possible due to hitting the 512-byte limit, maybe we could work around it by maintaining a map of new execs.

Rewriting the arguments and name of your own process is a valid and expected operation, so we shouldn't trust what's written to /proc.

So far I haven't found a way to work around this problem. strconv.IsPrint() and utf8.ValidRune() report "�3/4" as valid, while utf8.Valid() reports it as invalid, but also "ááá" ... so any parameters with unicode chars would be rewritten.

@shollingsworth
Contributor Author

Thanks for doing the digging on this @gustavo-iniguez-goya, I'm guessing we can just close this as a one-off if there's no easy fix.

@gustavo-iniguez-goya gustavo-iniguez-goya added this to the 1.5.0 milestone Jul 29, 2021
@gustavo-iniguez-goya
Collaborator

I think the best solution will be to encode the parameters. I've got it working but it needs more work to ensure that everything is working properly (note: encode parameters when loading rules).

utf8, graphics and other encodings seem to work fine, so I'll postpone this issue for the next version.

image
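
One way to encode arguments read from /proc/<pid>/cmdline so they are always safe for a protobuf string field, written as an added example and not code from this thread or the project. The function names splitCmdline and encodeArg are hypothetical, and the sample buffer is constructed from the argv bytes in the strace output above.

```go
package main

import (
	"bytes"
	"fmt"
	"strings"
	"unicode/utf8"
)

// splitCmdline splits a raw /proc/<pid>/cmdline buffer into arguments.
// Arguments are NUL-separated; trailing NULs are dropped.
func splitCmdline(raw []byte) []string {
	raw = bytes.TrimRight(raw, "\x00")
	if len(raw) == 0 {
		return nil
	}
	parts := bytes.Split(raw, []byte{0})
	args := make([]string, len(parts))
	for i, p := range parts {
		args[i] = string(p)
	}
	return args
}

// encodeArg returns a valid UTF-8 string. Well-formed runes (including
// non-ASCII ones such as "ááá") are copied unchanged; every byte that is
// not part of a well-formed sequence is written as \xNN.
func encodeArg(s string) string {
	if utf8.ValidString(s) {
		return s
	}
	var b strings.Builder
	for i := 0; i < len(s); {
		r, size := utf8.DecodeRuneInString(s[i:])
		if r == utf8.RuneError && size == 1 { // size 1 means an invalid byte
			fmt.Fprintf(&b, `\x%02x`, s[i])
		} else {
			b.WriteString(s[i : i+size])
		}
		i += size
	}
	return b.String()
}

func main() {
	// Constructed sample: "-\2503/4" from strace, octal 250 = 0xa8.
	raw := []byte("sqsh\x00-S\x00localhost\x00-\xa83/4\x00")
	for _, a := range splitCmdline(raw) {
		e := encodeArg(a)
		fmt.Printf("%q valid=%v\n", e, utf8.ValidString(e))
	}
}
```

The escaping is for display and transport only: an argument that already contains the literal text \xa8 is indistinguishable from an escaped byte, so rule matching on encoded values needs the same encoding applied when rules are loaded.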

@gustavo-iniguez-goya gustavo-iniguez-goya modified the milestones: 1.5.0, 1.6.0 Jan 26, 2022
@gustavo-iniguez-goya gustavo-iniguez-goya modified the milestones: 1.6.0, 1.7.0 May 16, 2023