Segfault after 5 minutes of no events

[nighttardis]

Running on a low activity test debian 10 system, with a filter for just process creates, and sysmon crashed after 5 minutes of not receiving any events.

Oct 14 20:39:16 lsys sysmon[1641]: Event timeout occurred (no event for 300 seconds). Reloading eBPF...
Oct 14 20:39:17 lsys sysmon[1641]: sedsid() failed.
Oct 14 20:39:17 lsys sysmon[1641]: Could not automatically discover kernel offsets.
Oct 14 20:39:17 lsys sysmon[1641]: Build and run the get_offsets module to generate the offsets config file:
Oct 14 20:39:17 lsys sysmon[1641]: /opt/sysinternalsEBPF/sysinternalsEBPF_offsets.conf
Oct 14 20:39:17 lsys sysmon[1641]: Reloaded eBPF due to event timeout
Oct 14 20:39:17 lsys kernel: [ 3109.759945] sysmon[1672]: segfault at 40 ip 00007fe5c2f867f3 sp 00007ffd73847fc0 error 4 in libsysinternalsEBPF.so[7fe5c2f64000+40000] 
Oct 14 20:39:17 lsys systemd[1]: sysmon.service: Main process exited, code=killed, status=11/SEGV
Oct 14 20:39:17 lsys systemd[1]: sysmon.service: Failed with result 'signal'.

Here's my sysmon config for reference

<Sysmon schemaversion="4.70">
        <EventFiltering>
                <RuleGroup name="" groupRelation="or">
                        <ProcessCreate onmatch="exclude"/>
                </RuleGroup>
        </EventFiltering>
</Sysmon>

[kesheldr]

Sysmon couldn't find the offsets (3rd/4th line of your output). It should have exited at that point but appears to have tried running. After 5 minutes of no events it reloads the eBPF programs and that appears to be the cause of the crash. I will check how that happened, but if you simply make the offsets file as described (/opt/sysinternalsEBPF/getOffsets) then this might solve your problem.

[kesheldr]

Hello. I've just built from source on a fresh Debian 10 system and it seems fine. I'll produce new debs and rpms when I've fixed a few more things.
Can you let me know if you built from source or installed from the debs?
Thanks

[nighttardis]

Sorry, thought I said in my original post, I had installed the debs.

I generated the config and that does seem to have fixed the problem, though I did have to install the kernel headers and libelf-dev in addition to the other requirements mentioned in the README.md in /opt/sysinternalsEBPF/getOffsets.

[kesheldr]

Thanks to @scudette I believe this bug is now fixed - in source only but I will start the process of producing new debs and rpms.

In case you're wondering, when reloading the eBPF programs after a timeout, it incorrectly set restart to false, causing it to rediscover the offsets, which it failed to do, hence the crash. Setting restart to true wasn't enough as the return value was being misunderstood as well, and this is also now fixed.

Thank you for raising this and for your patience in getting it fixed.