fix: possible overwrite of args on Derive

aquasecurity · Oct 9, 2024 · a0de6c0 · a0de6c0
1 parent c00b2b6
commit a0de6c0
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 3 deletions.
diff --git a/pkg/ebpf/events_pipeline.go b/pkg/ebpf/events_pipeline.go
@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"context"
 	"encoding/binary"
+	"slices"
 	"strconv"
 	"sync"
 	"unsafe"
@@ -536,10 +537,13 @@ func (t *Tracee) deriveEvents(ctx context.Context, in <-chan *trace.Event) (
 				// acting on the derived event.
 
 				eventCopy := *event
+				// shallow clone the event arguments before parsing them (new slice is created),
+				// to keep the eventCopy with raw arguments.
+				argsCopy := slices.Clone(event.Args)
 				out <- event
 
 				// Note: event is being derived before any of its args are parsed.
-				derivatives, errors := t.eventDerivations.DeriveEvent(eventCopy)
+				derivatives, errors := t.eventDerivations.DeriveEvent(eventCopy, argsCopy)
 
 				for _, err := range errors {
 					t.handleError(err)

diff --git a/pkg/events/derive/derive.go b/pkg/events/derive/derive.go
@@ -1,6 +1,8 @@
 package derive
 
 import (
+	"slices"
+
 	"github.com/aquasecurity/tracee/pkg/events"
 	"github.com/aquasecurity/tracee/types/trace"
 )
@@ -41,12 +43,15 @@ func (t Table) Register(deriveFrom, deriveTo events.ID, deriveCondition func() b
 }
 
 // DeriveEvent takes a trace.Event and checks if it can derive additional events from it as defined by a derivationTable.
-func (t Table) DeriveEvent(event trace.Event) ([]trace.Event, []error) {
+func (t Table) DeriveEvent(event trace.Event, origArgs []trace.Argument) ([]trace.Event, []error) {
 	derivatives := []trace.Event{}
 	errors := []error{}
 	deriveFns := t[events.ID(event.EventID)]
 	for id, deriveFn := range deriveFns {
 		if deriveFn.Enabled() {
+			// at each derivation, we need to clone the original arguments
+			// since they might be modified by the derivation function.
+			event.Args = slices.Clone(origArgs)
 			derivative, errs := deriveFn.DeriveFunction(event)
 			for _, err := range errs {
 				errors = append(errors, deriveError(id, err))

diff --git a/pkg/events/derive/derive_test.go b/pkg/events/derive/derive_test.go
@@ -2,6 +2,7 @@ package derive
 
 import (
 	"fmt"
+	"slices"
 	"testing"
 
 	"github.com/stretchr/testify/assert"
@@ -74,7 +75,8 @@ func Test_DeriveEvent(t *testing.T) {
 		t.Run(tc.name, func(t *testing.T) {
 			t.Parallel()
 
-			derived, errors := mockDerivationTable.DeriveEvent(tc.event)
+			argsCopy := slices.Clone(tc.event.Args)
+			derived, errors := mockDerivationTable.DeriveEvent(tc.event, argsCopy)
 			assert.Equal(t, tc.expectedDerived, derived)
 			assert.Equal(t, tc.expectedErrors, errors)
 		})