fix(ebpf): avoid panic in UpdateKallsyms on missing dependency nodes #5307

Merged: geyslan merged 1 commit into aquasecurity:main from geyslan:fix-panic-updatekallsyms, May 19, 2026

@geyslan (Member) commented May 19, 2026

1. Explain what the PR does

b734a92 fix(ebpf): avoid panic in UpdateKallsyms on missing dependency nodes

UpdateKallsyms iterated policy-selected event IDs and called GetEvent
without checking errors, so IDs present in the policy manager but absent
from the dependencies tree caused a nil EventNode dereference.

Handle GetEvent errors explicitly: treat ErrNodeNotFound as a no-op for
ksymbol collection, log unexpected errors at debug, and skip nil nodes
defensively.

--

2. Explain how to test it

3. Other comments

@geyslan self-assigned this May 19, 2026
@geyslan requested review from a team, Copilot and yanivagman May 19, 2026 13:58
@geyslan requested a review from trvll May 19, 2026 13:59

Copilot AI left a comment

Pull request overview

This PR fixes a potential panic in Tracee’s eBPF kernel-symbols update path by making Tracee.UpdateKallsyms() resilient to policy-selected event IDs that are not present in the events dependencies tree.

Changes:

  • Handle t.eventsDependencies.GetEvent(id) errors instead of ignoring them to avoid nil dereferences.
  • Treat dependencies.ErrNodeNotFound as a no-op for ksymbol collection, and log unexpected errors at debug level.
  • Add a defensive nil check before accessing the returned dependency node.

@trvll (Contributor) left a comment

+1

@geyslan merged commit dc98311 into aquasecurity:main May 19, 2026
70 of 73 checks passed
@geyslan deleted the fix-panic-updatekallsyms branch May 19, 2026 19:17
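
The failure mode and the fix described in this PR, as an added example that is not Tracee's code: a simplified Go model of a lookup that returns a nil node plus an error on a miss. `DepsTree`, the `KSymbols` field, `collectUnchecked` and `collectChecked` are hypothetical stand-ins, and unexpected errors are returned to the caller here rather than logged at debug.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical stand-ins for the dependencies tree; only the names GetEvent,
// EventNode and ErrNodeNotFound come from the PR text.
var ErrNodeNotFound = errors.New("node not found")

type EventNode struct{ KSymbols []string }
type DepsTree struct{ nodes map[int]*EventNode }

// GetEvent returns a nil node together with ErrNodeNotFound on a miss.
func (d *DepsTree) GetEvent(id int) (*EventNode, error) {
	if n, ok := d.nodes[id]; ok {
		return n, nil
	}
	return nil, ErrNodeNotFound
}

// collectUnchecked is the pre-fix shape: the error is discarded, so an ID with
// no dependency node yields a nil *EventNode that is then dereferenced.
func collectUnchecked(d *DepsTree, ids []int) (syms []string) {
	for _, id := range ids {
		n, _ := d.GetEvent(id)
		syms = append(syms, n.KSymbols...) // panics when n == nil
	}
	return syms
}

// collectChecked is the post-fix shape described in the PR.
func collectChecked(d *DepsTree, ids []int) (syms []string, unexpected []error) {
	for _, id := range ids {
		n, err := d.GetEvent(id)
		switch {
		case errors.Is(err, ErrNodeNotFound): // missing node: nothing to collect
		case err != nil: // the PR logs these at debug; here they are returned
			unexpected = append(unexpected, fmt.Errorf("event %d: %w", id, err))
		case n != nil: // defensive: skip a nil node returned without an error
			syms = append(syms, n.KSymbols...)
		}
	}
	return syms, unexpected
}

func main() {
	d := &DepsTree{nodes: map[int]*EventNode{1: {KSymbols: []string{"sym_a"}}}}
	fmt.Println(collectChecked(d, []int{1, 2})) // constructed IDs; 2 has no node
}
```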