Binary seems broken resulting in segmentation fault on invocation (MacOS)
gmaghera opened this issue · 13 comments
The utility throws a segmentation fault on a MacBook Pro (darwin/amd64).
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 9446 100 9446 0 0 33843 0 --:--:-- --:--:-- --:--:-- 34727
alcideio/rbac-tool info checking GitHub for latest tag
alcideio/rbac-tool info found version: 1.13.0 for v1.13.0/darwin/amd64
alcideio/rbac-tool info installed ./bin/rbac-tool
❯ ./bin/rbac-tool version
[1] 20107 segmentation fault ./bin/rbac-tool version
❯ ./bin/rbac-tool help
[1] 20243 segmentation fault ./bin/rbac-tool help
)❯ ./bin/rbac-tool
[1] 20310 segmentation fault ./bin/rbac-tool
@gmaghera thanks - can you send the mac you're running - OS version, CPU, any security agents running etc. - also would be useful if you can share the output of the binary analysis (something like otool -L ./bin/rbac-tool)
@gmaghera - checked it on my macbook pro ... works fine - I'll need more info from you
mymac ~ curl https://raw.githubusercontent.com/alcideio/rbac-tool/master/download.sh | bash ✔ 176 17:10:50
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 9446 100 9446 0 0 12331 0 --:--:-- --:--:-- --:--:-- 12461
alcideio/rbac-tool info checking GitHub for latest tag
alcideio/rbac-tool info found version: 1.13.0 for v1.13.0/darwin/amd64
alcideio/rbac-tool info installed ./bin/rbac-tool
mymac ~ ./bin/rbac-tool ✔ 177 17:10:59
rbac-tool
Usage:
rbac-tool [command]
Available Commands:
analysis Analyze RBAC permissions and highlight overly permissive principals, risky permissions, etc.
auditgen Generate RBAC policy from Kubernetes audit events
bash-completion Generate bash completion. source <(rbac-tool bash-completion)
generate Generate Role or ClusterRole and reduce the use of wildcards
help Help about any command
lookup RBAC Lookup by subject (user/group/serviceaccount) name
policy-rules RBAC List Policy Rules For subject (user/group/serviceaccount) name
show Generate ClusterRole with all available permissions from the target cluster
version Print rbac-tool version
visualize A RBAC visualizer
who-can Shows which subjects have RBAC permissions to perform an action
Flags:
-h, --help help for rbac-tool
-v, --v Level number for the log level verbosity
Use "rbac-tool [command] --help" for more information about a command.
mymac ~ ./bin/rbac-tool version ✔ 178 17:11:08
Version: 1.13.0
Commit: 4d18490f120a9d0415d57333d01ef8c2a30035dd
mymac ~ hostinfo ✔ 179 17:11:13
Mach kernel version:
Darwin Kernel Version 21.6.0: Mon Aug 22 20:17:10 PDT 2022; root:xnu-8020.140.49~2/RELEASE_X86_64
Kernel configured for up to 12 processors.
6 processors are physically available.
12 processors are logically available.
Processor type: x86_64h (Intel x86-64h Haswell)
Processors active: 0 1 2 3 4 5 6 7 8 9 10 11
Primary memory available: 32.00 gigabytes
Default processor set: 556 tasks, 2675 threads, 12 processors
Load average: 5.80, Mach factor: 8.09
Hi @gadinaor. Thanks for the attention to this. Pardon not replying earlier. I'd be happy to provide any info I can. Let me get the data together and supply it in another comment.
One of my colleagues with similar big brother software as mine, but on an M1 MBP reports the command running just fine. (mine is Intel)
@gmaghera -:) I am not going to ask which "big brother software" is it - but this is something I've seen in the past - e.g. un-approved binaries are being nuked.
Are you able to build locally and run?
Same issue here, also on amd64 Mac. This didn't seem to be an issue until I updated my version of Mac recently to Ventura. I am able to successfully build and run from source. The resulting binary is different from what I have downloaded, as reported by diff.
If it helps at all here is the diagnostics dump from that segfault:
{"app_name":"rbac-tool","timestamp":"2023-01-11 16:45:43.00 +0000","app_version":"","slice_uuid":"00000000-0000-0000-0000-000000000000","build_version":"","platform":0,"share_with_app_devs":0,"is_first_party":1,"bug_type":"309","os_version":"macOS 13.1 (22C65)","roots_installed":0,"incident_id":"E64FE92E-EC80-4738-A8AC-946B2595CEBC","name":"rbac-tool"}
{
"uptime" : 1300000,
"procRole" : "Unspecified",
"version" : 2,
"userID" : 502,
"deployVersion" : 210,
"modelCode" : "MacBookPro16,1",
"coalitionID" : 915116,
"osVersion" : {
"train" : "macOS 13.1",
"build" : "22C65",
"releaseType" : "User"
},
"captureTime" : "2023-01-11 16:45:43.7840 +0000",
"incident" : "E64FE92E-EC80-4738-A8AC-946B2595CEBC",
"pid" : 23210,
"cpuType" : "X86-64",
"roots_installed" : 0,
"bug_type" : "309",
"procLaunch" : "2023-01-11 16:45:43.1829 +0000",
"procStartAbsTime" : 1391115749720910,
"procExitAbsTime" : 1391116350490202,
"procName" : "rbac-tool",
"procPath" : "\/Users\/USER\/*\/rbac-tool",
"parentProc" : "zsh",
"parentPid" : 54462,
"coalitionName" : "com.googlecode.iterm2",
"crashReporterKey" : "D0152CDA-AD0F-9357-167A-3FD3577CB289",
"responsiblePid" : 96236,
"responsibleProc" : "iTerm2",
"wakeTime" : 26874,
"bridgeVersion" : {"build":"20P2059","train":"7.1"},
"sleepWakeUUID" : "02E313B7-9078-4D77-B26F-B733947E83AD",
"sip" : "enabled",
"vmRegionInfo" : "0x7ff7bff06c14 is not in any region. Bytes after previous region: 27669 Bytes before following region: 1278067692\n REGION TYPE START - END [ VSIZE] PRT\/MAX SHRMOD REGION DETAIL\n Stack 7ff7bf700000-7ff7bff00000 [ 8192K] rw-\/rwx SM=PRV thread 0\n---> GAP OF 0x4c2e3000 BYTES\n unused __TEXT 7ff80c1e3000-7ff8302af000 [576.8M] r-x\/r-x SM=COW ...ed lib __TEXT",
"exception" : {"codes":"0x0000000000000001, 0x00007ff7bff06c14","rawCodes":[1,140702053854228],"type":"EXC_BAD_ACCESS","signal":"SIGSEGV","subtype":"KERN_INVALID_ADDRESS at 0x00007ff7bff06c14"},
"termination" : {"flags":0,"code":11,"namespace":"SIGNAL","indicator":"Segmentation fault: 11","byProc":"exc handler","byPid":23210},
"vmregioninfo" : "0x7ff7bff06c14 is not in any region. Bytes after previous region: 27669 Bytes before following region: 1278067692\n REGION TYPE START - END [ VSIZE] PRT\/MAX SHRMOD REGION DETAIL\n Stack 7ff7bf700000-7ff7bff00000 [ 8192K] rw-\/rwx SM=PRV thread 0\n---> GAP OF 0x4c2e3000 BYTES\n unused __TEXT 7ff80c1e3000-7ff8302af000 [576.8M] r-x\/r-x SM=COW ...ed lib __TEXT",
"extMods" : {"caller":{"thread_create":0,"thread_set_state":0,"task_for_pid":0},"system":{"thread_create":0,"thread_set_state":0,"task_for_pid":0},"targeted":{"thread_create":0,"thread_set_state":0,"task_for_pid":0},"warnings":0},
"usedImages" : [
{
"size" : 0,
"source" : "A",
"base" : 0,
"uuid" : "00000000-0000-0000-0000-000000000000"
}
],
"legacyInfo" : {
"threadHighlighted" : 0
},
"trialInfo" : {
"rollouts" : [
{
"rolloutId" : "62b4513af75dc926494899c6",
"factorPackIds" : {
"COREOS_ICD" : "62fbe3cfa9a700130f60b3ea"
},
"deploymentId" : 240000018
},
{
"rolloutId" : "60356660bbe37970735c5624",
"factorPackIds" : {
},
"deploymentId" : 240000027
}
],
"experiments" : [
]
},
"reportNotes" : [
"_dyld_process_info_create failed with 5",
"dyld_process_snapshot_create_for_process failed with 0",
"Failed to create CSSymbolicatorRef - corpse still valid ¯\\_(ツ)_\/¯",
"thread_get_state(PAGEIN) returned 0x10000003: (ipc\/send) invalid destination port",
"thread_get_state(EXCEPTION) returned 0x10000003: (ipc\/send) invalid destination port",
"thread_get_state(FLAVOR) returned 0x10000003: (ipc\/send) invalid destination port"
]
}
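An added example, not part of the thread or the rbac-tool project: a Python reader for the .ips crash report above that extracts the exception, the faulting address, and where that address lies relative to the stack region listed in vmRegionInfo. SAMPLE_IPS is trimmed from the posted report, and triage_ips is a hypothetical name.

```python
import json
import re

# Trimmed from the report posted above: only the fields this script reads.
SAMPLE_IPS = r'''{"app_name":"rbac-tool","bug_type":"309","os_version":"macOS 13.1 (22C65)"}
{
  "cpuType" : "X86-64",
  "exception" : {"codes":"0x0000000000000001, 0x00007ff7bff06c14","type":"EXC_BAD_ACCESS","signal":"SIGSEGV"},
  "vmRegionInfo" : "0x7ff7bff06c14 is not in any region.\n Stack 7ff7bf700000-7ff7bff00000 [ 8192K] rw-\/rwx SM=PRV thread 0\n---> GAP OF 0x4c2e3000 BYTES",
  "usedImages" : [{"size":0,"source":"A","base":0,"uuid":"00000000-0000-0000-0000-000000000000"}]
}'''

NULL_UUID = "00000000-0000-0000-0000-000000000000"


def triage_ips(text):
    """Summarise a macOS .ips crash report: one-line JSON header, then a JSON body."""
    header_line, body_text = text.split("\n", 1)
    header, body = json.loads(header_line), json.loads(body_text)
    exc = body.get("exception", {})
    # For EXC_BAD_ACCESS the second exception code is the faulting address.
    codes = [int(c.strip(), 16) for c in exc.get("codes", "").split(",") if c.strip()]
    fault = codes[1] if len(codes) > 1 else None
    summary = {
        "os": header.get("os_version"),
        "cpu": body.get("cpuType"),
        "exception": exc.get("type"),
        "signal": exc.get("signal"),
        "fault_addr": fault,
        # Only the all-zero placeholder image means nothing can be symbolicated.
        "has_images": any(i.get("uuid") != NULL_UUID for i in body.get("usedImages", [])),
        "stack_relation": "unknown",
    }
    m = re.search(r"Stack\s+([0-9a-f]+)-([0-9a-f]+)", body.get("vmRegionInfo", ""))
    if m and fault is not None:
        lo, hi = int(m.group(1), 16), int(m.group(2), 16)
        if fault < lo:
            summary["stack_relation"] = f"{lo - fault} bytes below stack base"
        elif fault < hi:
            summary["stack_relation"] = "inside stack"
        else:
            summary["stack_relation"] = f"{fault - hi} bytes past stack end"
    return summary


if __name__ == "__main__":
    for key, value in triage_ips(SAMPLE_IPS).items():
        print(f"{key}: {hex(value) if key == 'fault_addr' and value else value}")
```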
Same issue here for the rbac-tool binary downloaded via bash script and krew.
But the local build binary works fine.
@justdan96 & @mJace - thanks for reporting - it has been pretty hectic - but still looking into this
I upgraded to Ventura 13.1 and I managed to reproduce it on my mac ... so FWIW, I got lab conditions to figure this out
@mJace, @justdan96, @gmaghera - can you pls check whether the crash is resolved on your machine with v1.14.1?
I verified on Darwin Kernel Version 22.3.0: Thu Jan 5 20:53:49 PST 2023; root:xnu-8792.81.2~2/RELEASE_X86_64 x86_64