From 0a21f8ee4963396b55ad5043df5ea868a61b5397 Mon Sep 17 00:00:00 2001
From: "Lee E. Hinman"
Date: Thu, 11 Mar 2021 10:48:01 -0600
Subject: [PATCH 1/2] auditbeat btmp offset check

Add check that saved offset is not larger than the current file size to prevent seeking past the end of file
---
 CHANGELOG.next.asciidoc | 1 +
 x-pack/auditbeat/module/system/login/utmp.go | 6 +++---
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 722fa5da14c..6be6033bf64 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -262,6 +262,7 @@ https://github.com/elastic/beats/compare/v7.0.0-alpha2...master[Check the HEAD d
 - system/socket: Having some CPUs unavailable to Auditbeat could cause startup errors or event loss. {pull}22827[22827]
 - Note incompatibility of system/socket on ARM. {pull}23381[23381]
 - system/login: Fixed offset reset on inode reuse. {pull}24414[24414]
+- system/login: Add additional offset check for utmp files. {pull}24515[24515]
 *Filebeat*
diff --git a/x-pack/auditbeat/module/system/login/utmp.go b/x-pack/auditbeat/module/system/login/utmp.go
index 24263d210cd..611a78fb147 100644
--- a/x-pack/auditbeat/module/system/login/utmp.go
+++ b/x-pack/auditbeat/module/system/login/utmp.go
@@ -181,14 +181,14 @@ func (r *UtmpFileReader) readNewInFile(loginRecordC chan<- LoginRecord, errorC c
 size := utmpFile.Size
 oldSize := savedUtmpFile.Size
- if size < oldSize {
+ if size < oldSize || utmpFile.Offset > size {
 // UTMP files are append-only and so this is weird. It might be a sign of
 // a highly unlikely inode reuse - or of something more nefarious.
 // Setting isKnownFile to false so we read the whole file from the beginning.
 isKnownFile = false
- r.log.Warnf("Unexpectedly, the file %v is smaller than before (new: %v, old: %v) - reading whole file.",
- utmpFile.Path, size, oldSize)
+ r.log.Warnf("saved size or offset illogical (new=%+v, saved=%+v) - reading whole file.",
+ utmpFile, savedUtmpFile)
 }
 if !isKnownFile && size == 0 {

From 1c9370fdbb412219326283842dab1285c1bce606 Mon Sep 17 00:00:00 2001
From: "Lee E. Hinman"
Date: Sun, 14 Mar 2021 20:35:12 -0500
Subject: [PATCH 2/2] Add additional checks

---
 x-pack/auditbeat/module/system/login/utmp.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/x-pack/auditbeat/module/system/login/utmp.go b/x-pack/auditbeat/module/system/login/utmp.go
index 611a78fb147..273229f051a 100644
--- a/x-pack/auditbeat/module/system/login/utmp.go
+++ b/x-pack/auditbeat/module/system/login/utmp.go
@@ -221,7 +221,7 @@ func (r *UtmpFileReader) readNewInFile(loginRecordC chan<- LoginRecord, errorC c
 // This will be the usual case, but we do not want to seek with the stored offset
 // if the saved size is smaller than the current one.
- if size >= oldSize {
+ if size >= oldSize && utmpFile.Offset <= size {
 _, err = f.Seek(utmpFile.Offset, 0)
 if err != nil {
 errorC <- errors.Wrapf(err, "error setting offset %d for file %v", utmpFile.Offset, utmpFile.Path)
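Review bot: The new predicate `size < oldSize || utmpFile.Offset > size` is spelled out by hand three times in readNewInFile — here, negated as `size >= oldSize && utmpFile.Offset <= size` in the @@ -221 hunk, and again with `|| err != nil` appended in the @@ -230 hunk — so the copies can drift apart, which is what happened between the first patch in this series and the second. Compute it once at this point, `resetToStart := size < oldSize || utmpFile.Offset > size`, then use `if resetToStart {` here, `if !resetToStart {` before the Seek, and `if resetToStart || err != nil {` for the retry. The warning would also be more useful to whoever triages a shrunken or truncated login file if it named which of the two conditions fired instead of the generic "illogical"; the `%+v` dump of both structs at least preserves the raw numbers. readNewInFile starts before this hunk and continues past it, and I am assuming utmpFile.Offset already carries the previously saved offset when this test runs, since that assignment is not in the hunk.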
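Review bot: The comment above the Seek still explains only the size comparison, while the condition now also requires `utmpFile.Offset <= size`; the same applies to the comment in the @@ -230 hunk, which lists two reasons ("saved size is smaller", "previous Seek failed") for a condition that now has three. The existing wording here also reads backwards against the code: with `size := utmpFile.Size` and `oldSize := savedUtmpFile.Size` from the earlier hunk, the Seek is skipped when the current size is smaller than the saved one, not the other way round. Suggested replacement for the two comment lines here: `// This will be the usual case, but we do not want to seek with the stored offset` / `// if the file shrank since the last read or the saved offset is past its end.`, and for the retry comment: `// If the file shrank, the saved offset is past the end of the file, or the previous Seek failed,`. Both hunks sit inside readNewInFile, whose start and end lie outside them.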
@@ -230,7 +230,7 @@ func (r *UtmpFileReader) readNewInFile(loginRecordC chan<- LoginRecord, errorC c
 // If the saved size is smaller than the current one, or the previous Seek failed,
 // we retry one more time, this time resetting to the beginning of the file.
- if size < oldSize || err != nil {
+ if size < oldSize || utmpFile.Offset > size || err != nil {
 _, err = f.Seek(0, 0)
 if err != nil {
 errorC <- errors.Wrapf(err, "error setting offset 0 for file %v", utmpFile.Path)