Memory leaks with sysmon 1.3.7
Describe the bug
I'm receiving reports from a sysadmin of Sysmon 1.3.7 leaking memory in the region of 5MB an hour on a number of Ubuntu 22.04 machines.
Following the previous issue #170 I've run Sysmon from the main branch at commit 8283661 with valgrind for a short period and it does appear to indicate that there are more memory leaks.
To Reproduce
- Install sysmon
- Observe RSS usage increase over time
- Wait for OOM killer or Restart service
Sysmon version
1.3.7
Distro/kernel version
Ubuntu 22.04.01 - 6.8.0-1030-gcp
Sysmon configuration
The Sysmon configuration when the issue occurred.
Logs
Valgrind
==35150== Memcheck, a memory error detector
==35150== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al.
==35150== Using Valgrind-3.22.0 and LibVEX; rerun with -h for copyright info
==35150== Command: /opt/sysmon/sysmon -i /opt/sysmon/config.xml -service
==35150== Parent PID: 35057
==35150==
==35150== Syscall param bpf(attr->expected_attach_type) points to uninitialised byte(s)
==35150== at 0x4F6D25D: syscall (syscall.S:38)
==35150== by 0x487A876: sys_bpf (bpf.c:75)
==35150== by 0x487A876: sys_bpf_fd (bpf.c:83)
==35150== by 0x487A876: sys_bpf_prog_load (bpf.c:92)
==35150== by 0x487F930: probe_kern_prog_name (libbpf.c:4527)
==35150== by 0x488300E: kernel_supports (libbpf.c:4910)
==35150== by 0x488300E: kernel_supports (libbpf.c:4898)
==35150== by 0x48852AC: bpf_object__create_map (libbpf.c:5034)
==35150== by 0x48903B5: bpf_object__create_maps (libbpf.c:5296)
==35150== by 0x4891692: bpf_object_load (libbpf.c:7738)
==35150== by 0x4891692: bpf_object__load (libbpf.c:7787)
==35150== by 0x48749A5: ebpfStart (telemetryLoader.c:1366)
==35150== by 0x48749A5: ebpfStart (telemetryLoader.c:1303)
==35150== by 0x48750ED: telemetryStart (telemetryLoader.c:1556)
==35150== by 0x17E808: main (sysmonforlinux.c:1681)
==35150== Address 0x1ffeffe9b4 is on thread 1's stack
==35150== in frame #2, created by probe_kern_prog_name (libbpf.c:4510)
==35150==
==35150== Syscall param bpf(attr->prog_ifindex) points to uninitialised byte(s)
==35150== at 0x4F6D25D: syscall (syscall.S:38)
==35150== by 0x487A876: sys_bpf (bpf.c:75)
==35150== by 0x487A876: sys_bpf_fd (bpf.c:83)
==35150== by 0x487A876: sys_bpf_prog_load (bpf.c:92)
==35150== by 0x487F930: probe_kern_prog_name (libbpf.c:4527)
==35150== by 0x488300E: kernel_supports (libbpf.c:4910)
==35150== by 0x488300E: kernel_supports (libbpf.c:4898)
==35150== by 0x48852AC: bpf_object__create_map (libbpf.c:5034)
==35150== by 0x48903B5: bpf_object__create_maps (libbpf.c:5296)
==35150== by 0x4891692: bpf_object_load (libbpf.c:7738)
==35150== by 0x4891692: bpf_object__load (libbpf.c:7787)
==35150== by 0x48749A5: ebpfStart (telemetryLoader.c:1366)
==35150== by 0x48749A5: ebpfStart (telemetryLoader.c:1303)
==35150== by 0x48750ED: telemetryStart (telemetryLoader.c:1556)
==35150== by 0x17E808: main (sysmonforlinux.c:1681)
==35150== Address 0x1ffeffe9b0 is on thread 1's stack
==35150== in frame #2, created by probe_kern_prog_name (libbpf.c:4510)
==35150==
==35150== Syscall param bpf(attr->value) points to uninitialised byte(s)
==35150== at 0x4F6D25D: syscall (syscall.S:38)
==35150== by 0x487B6D1: sys_bpf (bpf.c:75)
==35150== by 0x487B6D1: bpf_map_update_elem (bpf.c:394)
==35150== by 0x4874A76: ebpfStart (telemetryLoader.c:1405)
==35150== by 0x4874A76: ebpfStart (telemetryLoader.c:1303)
==35150== by 0x48750ED: telemetryStart (telemetryLoader.c:1556)
==35150== by 0x17E808: main (sysmonforlinux.c:1681)
==35150== Address 0x1ffeffee84 is on thread 1's stack
==35150== in frame #2, created by ebpfStart (telemetryLoader.c:1314)
==35150==
==35150== Syscall param bpf(attr->value) points to uninitialised byte(s)
==35150== at 0x4F6D25D: syscall (syscall.S:38)
==35150== by 0x487B6D1: sys_bpf (bpf.c:75)
==35150== by 0x487B6D1: bpf_map_update_elem (bpf.c:394)
==35150== by 0x4874AA5: ebpfStart (telemetryLoader.c:1412)
==35150== by 0x4874AA5: ebpfStart (telemetryLoader.c:1303)
==35150== by 0x48750ED: telemetryStart (telemetryLoader.c:1556)
==35150== by 0x17E808: main (sysmonforlinux.c:1681)
==35150== Address 0x1ffeffee84 is on thread 1's stack
==35150== in frame #2, created by ebpfStart (telemetryLoader.c:1314)
==35150==
--35150-- WARNING: unhandled eBPF command 28
--35150-- WARNING: unhandled eBPF command 28
--35150-- WARNING: unhandled eBPF command 28
==35150==
==35150== HEAP SUMMARY:
==35150== in use at exit: 230,146 bytes in 501 blocks
==35150== total heap usage: 630,473 allocs, 629,972 frees, 846,234,225 bytes allocated
==35150==
==35150== 0 bytes in 1 blocks are definitely lost in loss record 1 of 268
==35150== at 0x4846828: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==35150== by 0x1807B8: setConfigFromStoredArgv (sysmonforlinux.c:1070)
==35150== by 0x17DEDE: main (sysmonforlinux.c:1442)
==35150==
==35150== 189,142 bytes in 192 blocks are definitely lost in loss record 268 of 268
==35150== at 0x4846828: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==35150== by 0x1955B4: ProcessCache::ProcessAdd(GUID, SYSMON_EVENT_HEADER*) (eventsCommon.cpp:366)
==35150== by 0x195C41: GenerateUniquePGUID(GUID*, SYSMON_EVENT_HEADER*, bool) (eventsCommon.cpp:499)
==35150== by 0x19738A: EventResolveField (eventsCommon.cpp:1888)
==35150== by 0x197619: EventProcess(SYSMON_EVENT_TYPE_FMT*, SYSMON_DATA_DESCRIPTOR*, SYSMON_EVENT_HEADER*, unsigned long*) (eventsCommon.cpp:2463)
==35150== by 0x198773: DispatchEvent (eventsCommon.cpp:2922)
==35150== by 0x17FE2F: processProcessCreate (sysmonforlinux.c:623)
==35150== by 0x4881B40: perf_buffer__process_record (libbpf.c:11925)
==35150== by 0x4881C93: perf_event_read_simple.constprop.0 (libbpf.c:11553)
==35150== by 0x488FAC1: perf_buffer__process_records (libbpf.c:11947)
==35150== by 0x488FAC1: perf_buffer__poll (libbpf.c:11972)
==35150== by 0x4875199: telemetryStart (telemetryLoader.c:1572)
==35150== by 0x17E808: main (sysmonforlinux.c:1681)
==35150==
==35150== LEAK SUMMARY:
==35150== definitely lost: 189,142 bytes in 193 blocks
==35150== indirectly lost: 0 bytes in 0 blocks
==35150== possibly lost: 0 bytes in 0 blocks
==35150== still reachable: 38,988 bytes in 287 blocks
==35150== suppressed: 0 bytes in 0 blocks
==35150== Reachable blocks (those to which a pointer was found) are not shown.
==35150== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==35150==
==35150== Use --track-origins=yes to see where uninitialised values come from
==35150== For lists of detected and suppressed errors, rerun with: -s
==35150== ERROR SUMMARY: 7 errors from 7 contexts (suppressed: 0 from 0)
Hi - Thanks for reporting this. I'm not able to reproduce the issue. Are you able to run with Valgrind enabled for a longer period of time? The call stack above that is reported as a leak is just our cache and by design.
Thanks @MarioHewardt, I'll get them to run it over the weekend and will report back.
Here's the log as promised.
With my rudimentary knowledge it looks like it's just the cache again and is not necessarily a memory leak.
If that is the case, would it be possible to constrain the size of the cache, or more aggressively flush it? Our admins are convinced they are seeing memory leaks with sysmon due to day on day growth of memory usage, particularly on systems which are quite sensitive to unnecessary swap usage due to processes consuming more than anticipated.
On the system where these logs were obtained, Sysmon memory usage grew from 45MB to a little over 300MB after 5 days.
Systems running heavier workloads see more aggressive increases from higher starting points and I've seen ps output showing 1-2GB of RSS usage by the sysmon process on those systems.
==134219== Memcheck, a memory error detector
==134219== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==134219== Using Valgrind-3.18.1 and LibVEX; rerun with -h for copyright info
==134219== Command: /opt/sysmon/sysmon -i /opt/sysmon/config.xml -service
==134219== Parent PID: 133454
==134219==
==134219== Syscall param bpf(attr->expected_attach_type) points to uninitialised byte(s)
==134219== at 0x4F0588D: syscall (syscall.S:38)
==134219== by 0x487D876: sys_bpf (bpf.c:75)
==134219== by 0x487D876: sys_bpf_fd (bpf.c:83)
==134219== by 0x487D876: sys_bpf_prog_load (bpf.c:92)
==134219== by 0x4882930: probe_kern_prog_name (libbpf.c:4527)
==134219== by 0x488600E: kernel_supports (libbpf.c:4910)
==134219== by 0x488600E: kernel_supports (libbpf.c:4898)
==134219== by 0x48882AC: bpf_object__create_map (libbpf.c:5034)
==134219== by 0x48933B5: bpf_object__create_maps (libbpf.c:5296)
==134219== by 0x4894692: bpf_object_load (libbpf.c:7738)
==134219== by 0x4894692: bpf_object__load (libbpf.c:7787)
==134219== by 0x48779A5: ebpfStart (telemetryLoader.c:1366)
==134219== by 0x48779A5: ebpfStart (telemetryLoader.c:1303)
==134219== by 0x48780ED: telemetryStart (telemetryLoader.c:1556)
==134219== by 0x17E808: main (sysmonforlinux.c:1681)
==134219== Address 0x1ffeffea54 is on thread 1's stack
==134219== in frame #2, created by probe_kern_prog_name (libbpf.c:4510)
==134219==
==134219== Syscall param bpf(attr->prog_ifindex) points to uninitialised byte(s)
==134219== at 0x4F0588D: syscall (syscall.S:38)
==134219== by 0x487D876: sys_bpf (bpf.c:75)
==134219== by 0x487D876: sys_bpf_fd (bpf.c:83)
==134219== by 0x487D876: sys_bpf_prog_load (bpf.c:92)
==134219== by 0x4882930: probe_kern_prog_name (libbpf.c:4527)
==134219== by 0x488600E: kernel_supports (libbpf.c:4910)
==134219== by 0x488600E: kernel_supports (libbpf.c:4898)
==134219== by 0x48882AC: bpf_object__create_map (libbpf.c:5034)
==134219== by 0x48933B5: bpf_object__create_maps (libbpf.c:5296)
==134219== by 0x4894692: bpf_object_load (libbpf.c:7738)
==134219== by 0x4894692: bpf_object__load (libbpf.c:7787)
==134219== by 0x48779A5: ebpfStart (telemetryLoader.c:1366)
==134219== by 0x48779A5: ebpfStart (telemetryLoader.c:1303)
==134219== by 0x48780ED: telemetryStart (telemetryLoader.c:1556)
==134219== by 0x17E808: main (sysmonforlinux.c:1681)
==134219== Address 0x1ffeffea50 is on thread 1's stack
==134219== in frame #2, created by probe_kern_prog_name (libbpf.c:4510)
==134219==
==134219== Syscall param bpf(attr->value) points to uninitialised byte(s)
==134219== at 0x4F0588D: syscall (syscall.S:38)
==134219== by 0x487E6D1: sys_bpf (bpf.c:75)
==134219== by 0x487E6D1: bpf_map_update_elem (bpf.c:394)
==134219== by 0x4877A76: ebpfStart (telemetryLoader.c:1405)
==134219== by 0x4877A76: ebpfStart (telemetryLoader.c:1303)
==134219== by 0x48780ED: telemetryStart (telemetryLoader.c:1556)
==134219== by 0x17E808: main (sysmonforlinux.c:1681)
==134219== Address 0x1ffeffef24 is on thread 1's stack
==134219== in frame #2, created by ebpfStart (telemetryLoader.c:1314)
==134219==
==134219== Syscall param bpf(attr->value) points to uninitialised byte(s)
==134219== at 0x4F0588D: syscall (syscall.S:38)
==134219== by 0x487E6D1: sys_bpf (bpf.c:75)
==134219== by 0x487E6D1: bpf_map_update_elem (bpf.c:394)
==134219== by 0x4877AA5: ebpfStart (telemetryLoader.c:1412)
==134219== by 0x4877AA5: ebpfStart (telemetryLoader.c:1303)
==134219== by 0x48780ED: telemetryStart (telemetryLoader.c:1556)
==134219== by 0x17E808: main (sysmonforlinux.c:1681)
==134219== Address 0x1ffeffef24 is on thread 1's stack
==134219== in frame #2, created by ebpfStart (telemetryLoader.c:1314)
==134219==
--134219-- WARNING: unhandled eBPF command 28
--134219-- WARNING: unhandled eBPF command 28
--134219-- WARNING: unhandled eBPF command 28
--134219-- WARNING: unhandled eBPF command 28
--134219-- WARNING: unhandled eBPF command 28
--134219-- WARNING: unhandled eBPF command 28
--134219-- WARNING: unhandled eBPF command 28
==134219== Conditional jump or move depends on uninitialised value(s)
==134219== at 0x484ED79: __strlen_sse2 (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==134219== by 0x18362C: strcat (string_fortified.h:128)
==134219== by 0x18362C: LinuxGetFileHash (linuxHelpers.cpp:1003)
==134219== by 0x17F193: telemetryReady (sysmonforlinux.c:208)
==134219== by 0x487811E: telemetryStart (telemetryLoader.c:1567)
==134219== by 0x17E808: main (sysmonforlinux.c:1681)
==134219==
==134219== Syscall param bpf(attr->key) points to uninitialised byte(s)
==134219== at 0x4F0588D: syscall (syscall.S:38)
==134219== by 0x487E761: sys_bpf (bpf.c:75)
==134219== by 0x487E761: bpf_map_lookup_elem (bpf.c:409)
==134219== by 0x48775A6: telemetryMapLookupElem (telemetryLoader.c:1193)
==134219== by 0x186383: NetworkTracker::SeenUdp(PacketAddresses const*, int) (networkTracker.cpp:737)
==134219== by 0x18662F: NetworkTrackerSeenUdpSend (networkTracker.cpp:925)
==134219== by 0x17F7BF: processNetworkEvent (sysmonforlinux.c:386)
==134219== by 0x4884B40: perf_buffer__process_record (libbpf.c:11925)
==134219== by 0x4884C93: perf_event_read_simple.constprop.0 (libbpf.c:11553)
==134219== by 0x4892AC1: perf_buffer__process_records (libbpf.c:11947)
==134219== by 0x4892AC1: perf_buffer__poll (libbpf.c:11972)
==134219== by 0x4878199: telemetryStart (telemetryLoader.c:1572)
==134219== by 0x17E808: main (sysmonforlinux.c:1681)
==134219== Address 0x1ffeffedf5 is on thread 1's stack
==134219== in frame #3, created by NetworkTracker::SeenUdp(PacketAddresses const*, int) (networkTracker.cpp:718)
==134219==
==134219== Syscall param bpf(attr->key) points to uninitialised byte(s)
==134219== at 0x4F0588D: syscall (syscall.S:38)
==134219== by 0x487E761: sys_bpf (bpf.c:75)
==134219== by 0x487E761: bpf_map_lookup_elem (bpf.c:409)
==134219== by 0x48775A6: telemetryMapLookupElem (telemetryLoader.c:1193)
==134219== by 0x185DD5: NetworkTracker::PurgeUdp(long) (networkTracker.cpp:441)
==134219== by 0x186429: NetworkTracker::SeenUdp(PacketAddresses const*, int) (networkTracker.cpp:784)
==134219== by 0x18662F: NetworkTrackerSeenUdpSend (networkTracker.cpp:925)
==134219== by 0x17F7BF: processNetworkEvent (sysmonforlinux.c:386)
==134219== by 0x4884B40: perf_buffer__process_record (libbpf.c:11925)
==134219== by 0x4884C93: perf_event_read_simple.constprop.0 (libbpf.c:11553)
==134219== by 0x4892AC1: perf_buffer__process_records (libbpf.c:11947)
==134219== by 0x4892AC1: perf_buffer__poll (libbpf.c:11972)
==134219== by 0x4878199: telemetryStart (telemetryLoader.c:1572)
==134219== by 0x17E808: main (sysmonforlinux.c:1681)
==134219== Address 0x5478881d is 45 bytes inside a block of size 80 alloc'd
==134219== at 0x4849013: operator new(unsigned long) (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==134219== by 0x187A90: allocate (new_allocator.h:114)
==134219== by 0x187A90: allocate (alloc_traits.h:443)
==134219== by 0x187A90: _M_get_node (stl_tree.h:580)
==134219== by 0x187A90: _M_create_node<long int&, packetAddrs&> (stl_tree.h:630)
==134219== by 0x187A90: std::pair<std::_Rb_tree_iterator<std::pair<long const, packetAddrs> >, bool> std::_Rb_tree<long, std::pair<long const, packetAddrs>, std::_Select1st<std::pair<long const, packetAddrs> >, std::less<long>, std::allocator<std::pair<long const, packetAddrs> > >::_M_emplace_unique<long&, packetAddrs&>(long&, packetAddrs&) (stl_tree.h:2413)
==134219== by 0x18641C: emplace<long int&, packetAddrs&> (stl_map.h:575)
==134219== by 0x18641C: NetworkTracker::SeenUdp(PacketAddresses const*, int) (networkTracker.cpp:783)
==134219== by 0x18662F: NetworkTrackerSeenUdpSend (networkTracker.cpp:925)
==134219== by 0x17F7BF: processNetworkEvent (sysmonforlinux.c:386)
==134219== by 0x4884B40: perf_buffer__process_record (libbpf.c:11925)
==134219== by 0x4884C93: perf_event_read_simple.constprop.0 (libbpf.c:11553)
==134219== by 0x4892AC1: perf_buffer__process_records (libbpf.c:11947)
==134219== by 0x4892AC1: perf_buffer__poll (libbpf.c:11972)
==134219== by 0x4878199: telemetryStart (telemetryLoader.c:1572)
==134219== by 0x17E808: main (sysmonforlinux.c:1681)
==134219==
==134219== Syscall param bpf(attr->key) points to uninitialised byte(s)
==134219== at 0x4F0588D: syscall (syscall.S:38)
==134219== by 0x487E999: sys_bpf (bpf.c:75)
==134219== by 0x487E999: bpf_map_delete_elem (bpf.c:470)
==134219== by 0x4877681: telemetryMapDeleteElem (telemetryLoader.c:1239)
==134219== by 0x185D3A: NetworkTracker::PurgeUdp(long) (networkTracker.cpp:446)
==134219== by 0x186429: NetworkTracker::SeenUdp(PacketAddresses const*, int) (networkTracker.cpp:784)
==134219== by 0x18662F: NetworkTrackerSeenUdpSend (networkTracker.cpp:925)
==134219== by 0x17F7BF: processNetworkEvent (sysmonforlinux.c:386)
==134219== by 0x4884B40: perf_buffer__process_record (libbpf.c:11925)
==134219== by 0x4884C93: perf_event_read_simple.constprop.0 (libbpf.c:11553)
==134219== by 0x4892AC1: perf_buffer__process_records (libbpf.c:11947)
==134219== by 0x4892AC1: perf_buffer__poll (libbpf.c:11972)
==134219== by 0x4878199: telemetryStart (telemetryLoader.c:1572)
==134219== by 0x17E808: main (sysmonforlinux.c:1681)
==134219== Address 0x7b8367d is 45 bytes inside a block of size 80 alloc'd
==134219== at 0x4849013: operator new(unsigned long) (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==134219== by 0x187A90: allocate (new_allocator.h:114)
==134219== by 0x187A90: allocate (alloc_traits.h:443)
==134219== by 0x187A90: _M_get_node (stl_tree.h:580)
==134219== by 0x187A90: _M_create_node<long int&, packetAddrs&> (stl_tree.h:630)
==134219== by 0x187A90: std::pair<std::_Rb_tree_iterator<std::pair<long const, packetAddrs> >, bool> std::_Rb_tree<long, std::pair<long const, packetAddrs>, std::_Select1st<std::pair<long const, packetAddrs> >, std::less<long>, std::allocator<std::pair<long const, packetAddrs> > >::_M_emplace_unique<long&, packetAddrs&>(long&, packetAddrs&) (stl_tree.h:2413)
==134219== by 0x18641C: emplace<long int&, packetAddrs&> (stl_map.h:575)
==134219== by 0x18641C: NetworkTracker::SeenUdp(PacketAddresses const*, int) (networkTracker.cpp:783)
==134219== by 0x18662F: NetworkTrackerSeenUdpSend (networkTracker.cpp:925)
==134219== by 0x17F7BF: processNetworkEvent (sysmonforlinux.c:386)
==134219== by 0x4884B40: perf_buffer__process_record (libbpf.c:11925)
==134219== by 0x4884C93: perf_event_read_simple.constprop.0 (libbpf.c:11553)
==134219== by 0x4892AC1: perf_buffer__process_records (libbpf.c:11947)
==134219== by 0x4892AC1: perf_buffer__poll (libbpf.c:11972)
==134219== by 0x4878199: telemetryStart (telemetryLoader.c:1572)
==134219== by 0x17E808: main (sysmonforlinux.c:1681)
==134219==
==134219== Syscall param bpf(attr->key) points to uninitialised byte(s)
==134219== at 0x4F0588D: syscall (syscall.S:38)
==134219== by 0x487E6D1: sys_bpf (bpf.c:75)
==134219== by 0x487E6D1: bpf_map_update_elem (bpf.c:394)
==134219== by 0x4877620: telemetryMapUpdateElem (telemetryLoader.c:1222)
==134219== by 0x186511: NetworkTracker::SeenUdp(PacketAddresses const*, int) (networkTracker.cpp:776)
==134219== by 0x18662F: NetworkTrackerSeenUdpSend (networkTracker.cpp:925)
==134219== by 0x17F7BF: processNetworkEvent (sysmonforlinux.c:386)
==134219== by 0x4884B40: perf_buffer__process_record (libbpf.c:11925)
==134219== by 0x4884C93: perf_event_read_simple.constprop.0 (libbpf.c:11553)
==134219== by 0x4892AC1: perf_buffer__process_records (libbpf.c:11947)
==134219== by 0x4892AC1: perf_buffer__poll (libbpf.c:11972)
==134219== by 0x4878199: telemetryStart (telemetryLoader.c:1572)
==134219== by 0x17E808: main (sysmonforlinux.c:1681)
==134219== Address 0x1ffeffedf5 is on thread 1's stack
==134219== in frame #3, created by NetworkTracker::SeenUdp(PacketAddresses const*, int) (networkTracker.cpp:718)
==134219==
==134219== Syscall param bpf(attr->key) points to uninitialised byte(s)
==134219== at 0x4F0588D: syscall (syscall.S:38)
==134219== by 0x487E999: sys_bpf (bpf.c:75)
==134219== by 0x487E999: bpf_map_delete_elem (bpf.c:470)
==134219== by 0x4877681: telemetryMapDeleteElem (telemetryLoader.c:1239)
==134219== by 0x18432C: NetworkTracker::UdpProgramTermination(int) (networkTracker.cpp:826)
==134219== by 0x1801AE: handleEvent (sysmonforlinux.c:725)
==134219== by 0x4884B40: perf_buffer__process_record (libbpf.c:11925)
==134219== by 0x4884C93: perf_event_read_simple.constprop.0 (libbpf.c:11553)
==134219== by 0x4892AC1: perf_buffer__process_records (libbpf.c:11947)
==134219== by 0x4892AC1: perf_buffer__poll (libbpf.c:11972)
==134219== by 0x4878199: telemetryStart (telemetryLoader.c:1572)
==134219== by 0x17E808: main (sysmonforlinux.c:1681)
==134219== Address 0x74b48ed is 45 bytes inside a block of size 80 alloc'd
==134219== at 0x4849013: operator new(unsigned long) (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==134219== by 0x187A90: allocate (new_allocator.h:114)
==134219== by 0x187A90: allocate (alloc_traits.h:443)
==134219== by 0x187A90: _M_get_node (stl_tree.h:580)
==134219== by 0x187A90: _M_create_node<long int&, packetAddrs&> (stl_tree.h:630)
==134219== by 0x187A90: std::pair<std::_Rb_tree_iterator<std::pair<long const, packetAddrs> >, bool> std::_Rb_tree<long, std::pair<long const, packetAddrs>, std::_Select1st<std::pair<long const, packetAddrs> >, std::less<long>, std::allocator<std::pair<long const, packetAddrs> > >::_M_emplace_unique<long&, packetAddrs&>(long&, packetAddrs&) (stl_tree.h:2413)
==134219== by 0x18641C: emplace<long int&, packetAddrs&> (stl_map.h:575)
==134219== by 0x18641C: NetworkTracker::SeenUdp(PacketAddresses const*, int) (networkTracker.cpp:783)
==134219== by 0x18662F: NetworkTrackerSeenUdpSend (networkTracker.cpp:925)
==134219== by 0x17F7BF: processNetworkEvent (sysmonforlinux.c:386)
==134219== by 0x4884B40: perf_buffer__process_record (libbpf.c:11925)
==134219== by 0x4884C93: perf_event_read_simple.constprop.0 (libbpf.c:11553)
==134219== by 0x4892AC1: perf_buffer__process_records (libbpf.c:11947)
==134219== by 0x4892AC1: perf_buffer__poll (libbpf.c:11972)
==134219== by 0x4878199: telemetryStart (telemetryLoader.c:1572)
==134219== by 0x17E808: main (sysmonforlinux.c:1681)
==134219==
==134219== Syscall param bpf(attr->key) points to uninitialised byte(s)
==134219== at 0x4F0588D: syscall (syscall.S:38)
==134219== by 0x487E6D1: sys_bpf (bpf.c:75)
==134219== by 0x487E6D1: bpf_map_update_elem (bpf.c:394)
==134219== by 0x4877620: telemetryMapUpdateElem (telemetryLoader.c:1222)
==134219== by 0x1863E3: NetworkTracker::SeenUdp(PacketAddresses const*, int) (networkTracker.cpp:768)
==134219== by 0x18662F: NetworkTrackerSeenUdpSend (networkTracker.cpp:925)
==134219== by 0x17F7BF: processNetworkEvent (sysmonforlinux.c:386)
==134219== by 0x4884B40: perf_buffer__process_record (libbpf.c:11925)
==134219== by 0x4884C93: perf_event_read_simple.constprop.0 (libbpf.c:11553)
==134219== by 0x4892AC1: perf_buffer__process_records (libbpf.c:11947)
==134219== by 0x4892AC1: perf_buffer__poll (libbpf.c:11972)
==134219== by 0x4878199: telemetryStart (telemetryLoader.c:1572)
==134219== by 0x17E808: main (sysmonforlinux.c:1681)
==134219== Address 0x1ffeffedf5 is on thread 1's stack
==134219== in frame #3, created by NetworkTracker::SeenUdp(PacketAddresses const*, int) (networkTracker.cpp:718)
==134219==
==134219==
==134219== HEAP SUMMARY:
==134219== in use at exit: 2,070,837 bytes in 16,976 blocks
==134219== total heap usage: 36,256,154 allocs, 36,239,178 frees, 32,334,854,013 bytes allocated
==134219==
==134219== 697 bytes in 4 blocks are possibly lost in loss record 264 of 290
==134219== at 0x4848899: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==134219== by 0x1955B4: ProcessCache::ProcessAdd(GUID, SYSMON_EVENT_HEADER*) (eventsCommon.cpp:366)
==134219== by 0x195C41: GenerateUniquePGUID(GUID*, SYSMON_EVENT_HEADER*, bool) (eventsCommon.cpp:499)
==134219== by 0x19738A: EventResolveField (eventsCommon.cpp:1888)
==134219== by 0x197619: EventProcess(SYSMON_EVENT_TYPE_FMT*, SYSMON_DATA_DESCRIPTOR*, SYSMON_EVENT_HEADER*, unsigned long*) (eventsCommon.cpp:2463)
==134219== by 0x198773: DispatchEvent (eventsCommon.cpp:2922)
==134219== by 0x17FE2F: processProcessCreate (sysmonforlinux.c:623)
==134219== by 0x4884B40: perf_buffer__process_record (libbpf.c:11925)
==134219== by 0x4884C93: perf_event_read_simple.constprop.0 (libbpf.c:11553)
==134219== by 0x4892AC1: perf_buffer__process_records (libbpf.c:11947)
==134219== by 0x4892AC1: perf_buffer__poll (libbpf.c:11972)
==134219== by 0x4878199: telemetryStart (telemetryLoader.c:1572)
==134219== by 0x17E808: main (sysmonforlinux.c:1681)
==134219==
==134219== 1,222 bytes in 4 blocks are possibly lost in loss record 268 of 290
==134219== at 0x4848899: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==134219== by 0x1955B4: ProcessCache::ProcessAdd(GUID, SYSMON_EVENT_HEADER*) (eventsCommon.cpp:366)
==134219== by 0x195C41: GenerateUniquePGUID(GUID*, SYSMON_EVENT_HEADER*, bool) (eventsCommon.cpp:499)
==134219== by 0x19738A: EventResolveField (eventsCommon.cpp:1888)
==134219== by 0x197BD3: EventProcess(SYSMON_EVENT_TYPE_FMT*, SYSMON_DATA_DESCRIPTOR*, SYSMON_EVENT_HEADER*, unsigned long*) (eventsCommon.cpp:2385)
==134219== by 0x198773: DispatchEvent (eventsCommon.cpp:2922)
==134219== by 0x17FE2F: processProcessCreate (sysmonforlinux.c:623)
==134219== by 0x4884B40: perf_buffer__process_record (libbpf.c:11925)
==134219== by 0x4884C93: perf_event_read_simple.constprop.0 (libbpf.c:11553)
==134219== by 0x4892AC1: perf_buffer__process_records (libbpf.c:11947)
==134219== by 0x4892AC1: perf_buffer__poll (libbpf.c:11972)
==134219== by 0x4878199: telemetryStart (telemetryLoader.c:1572)
==134219== by 0x17E808: main (sysmonforlinux.c:1681)
==134219==
==134219== 1,337 bytes in 20 blocks are definitely lost in loss record 269 of 290
==134219== at 0x4848899: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==134219== by 0x49A97B2: xmlStrdup (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.13)
==134219== by 0x18FDA4: ApplyConfigurationFile (xml.cpp:1788)
==134219== by 0x18CD96: ParseCommandLine (parsecommandline.c:868)
==134219== by 0x17DBE6: main (sysmonforlinux.c:1240)
==134219==
==134219== 1,337 bytes in 20 blocks are definitely lost in loss record 270 of 290
==134219== at 0x4848899: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==134219== by 0x49A97B2: xmlStrdup (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.13)
==134219== by 0x18FDA4: ApplyConfigurationFile (xml.cpp:1788)
==134219== by 0x18CD96: ParseCommandLine (parsecommandline.c:868)
==134219== by 0x18074E: setConfigFromStoredArgv (sysmonforlinux.c:1016)
==134219== by 0x17DEDE: main (sysmonforlinux.c:1442)
==134219==
==134219== 473,760 bytes in 3,204 blocks are definitely lost in loss record 289 of 290
==134219== at 0x4848899: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==134219== by 0x1955B4: ProcessCache::ProcessAdd(GUID, SYSMON_EVENT_HEADER*) (eventsCommon.cpp:366)
==134219== by 0x195C41: GenerateUniquePGUID(GUID*, SYSMON_EVENT_HEADER*, bool) (eventsCommon.cpp:499)
==134219== by 0x19738A: EventResolveField (eventsCommon.cpp:1888)
==134219== by 0x197BD3: EventProcess(SYSMON_EVENT_TYPE_FMT*, SYSMON_DATA_DESCRIPTOR*, SYSMON_EVENT_HEADER*, unsigned long*) (eventsCommon.cpp:2385)
==134219== by 0x198773: DispatchEvent (eventsCommon.cpp:2922)
==134219== by 0x17FE2F: processProcessCreate (sysmonforlinux.c:623)
==134219== by 0x4884B40: perf_buffer__process_record (libbpf.c:11925)
==134219== by 0x4884C93: perf_event_read_simple.constprop.0 (libbpf.c:11553)
==134219== by 0x4892AC1: perf_buffer__process_records (libbpf.c:11947)
==134219== by 0x4892AC1: perf_buffer__poll (libbpf.c:11972)
==134219== by 0x4878199: telemetryStart (telemetryLoader.c:1572)
==134219== by 0x17E808: main (sysmonforlinux.c:1681)
==134219==
==134219== 1,025,798 bytes in 4,366 blocks are definitely lost in loss record 290 of 290
==134219== at 0x4848899: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==134219== by 0x1955B4: ProcessCache::ProcessAdd(GUID, SYSMON_EVENT_HEADER*) (eventsCommon.cpp:366)
==134219== by 0x195C41: GenerateUniquePGUID(GUID*, SYSMON_EVENT_HEADER*, bool) (eventsCommon.cpp:499)
==134219== by 0x19738A: EventResolveField (eventsCommon.cpp:1888)
==134219== by 0x197619: EventProcess(SYSMON_EVENT_TYPE_FMT*, SYSMON_DATA_DESCRIPTOR*, SYSMON_EVENT_HEADER*, unsigned long*) (eventsCommon.cpp:2463)
==134219== by 0x198773: DispatchEvent (eventsCommon.cpp:2922)
==134219== by 0x17FE2F: processProcessCreate (sysmonforlinux.c:623)
==134219== by 0x4884B40: perf_buffer__process_record (libbpf.c:11925)
==134219== by 0x4884C93: perf_event_read_simple.constprop.0 (libbpf.c:11553)
==134219== by 0x4892AC1: perf_buffer__process_records (libbpf.c:11947)
==134219== by 0x4892AC1: perf_buffer__poll (libbpf.c:11972)
==134219== by 0x4878199: telemetryStart (telemetryLoader.c:1572)
==134219== by 0x17E808: main (sysmonforlinux.c:1681)
==134219==
==134219== LEAK SUMMARY:
==134219== definitely lost: 1,502,232 bytes in 7,610 blocks
==134219== indirectly lost: 0 bytes in 0 blocks
==134219== possibly lost: 1,919 bytes in 8 blocks
==134219== still reachable: 564,670 bytes in 9,337 blocks
==134219== suppressed: 0 bytes in 0 blocks
==134219== Reachable blocks (those to which a pointer was found) are not shown.
==134219== To see them, rerun with: --leak-check=full --show-leak-kinds=all
==134219==
==134219== Use --track-origins=yes to see where uninitialised values come from
==134219== For lists of detected and suppressed errors, rerun with: -s
==134219== ERROR SUMMARY: 1750 errors from 18 contexts (suppressed: 0 from 0)
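As an added example (not part of the issue thread or of Sysmon's code), the script below sums Memcheck loss records per allocation site, since Memcheck reports one allocation site as separate records when the callers further down the stack differ. The function names are hypothetical, the sample input is abridged from the log above, and treating the first frame with a file:line location as the allocation site is an assumption.

```python
import re
from collections import defaultdict

# Loss records abridged from the second Memcheck log in this thread
# (frames below the first source-level frame trimmed).
SAMPLE_LOG = """\
==134219== 697 bytes in 4 blocks are possibly lost in loss record 264 of 290
==134219== at 0x4848899: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==134219== by 0x1955B4: ProcessCache::ProcessAdd(GUID, SYSMON_EVENT_HEADER*) (eventsCommon.cpp:366)
==134219==
==134219== 1,222 bytes in 4 blocks are possibly lost in loss record 268 of 290
==134219== at 0x4848899: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==134219== by 0x1955B4: ProcessCache::ProcessAdd(GUID, SYSMON_EVENT_HEADER*) (eventsCommon.cpp:366)
==134219==
==134219== 1,337 bytes in 20 blocks are definitely lost in loss record 269 of 290
==134219== at 0x4848899: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==134219== by 0x49A97B2: xmlStrdup (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.13)
==134219== by 0x18FDA4: ApplyConfigurationFile (xml.cpp:1788)
==134219==
==134219== 1,337 bytes in 20 blocks are definitely lost in loss record 270 of 290
==134219== at 0x4848899: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==134219== by 0x49A97B2: xmlStrdup (in /usr/lib/x86_64-linux-gnu/libxml2.so.2.9.13)
==134219== by 0x18FDA4: ApplyConfigurationFile (xml.cpp:1788)
==134219==
==134219== 473,760 bytes in 3,204 blocks are definitely lost in loss record 289 of 290
==134219== at 0x4848899: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==134219== by 0x1955B4: ProcessCache::ProcessAdd(GUID, SYSMON_EVENT_HEADER*) (eventsCommon.cpp:366)
==134219==
==134219== 1,025,798 bytes in 4,366 blocks are definitely lost in loss record 290 of 290
==134219== at 0x4848899: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==134219== by 0x1955B4: ProcessCache::ProcessAdd(GUID, SYSMON_EVENT_HEADER*) (eventsCommon.cpp:366)
==134219==
"""

# "N bytes in M blocks are <kind> in loss record ..." (optional direct/indirect split).
RECORD_RE = re.compile(
    r"^==\d+==\s+([\d,]+) (?:\([^)]*\) )?bytes in ([\d,]+) blocks are "
    r"(definitely lost|indirectly lost|possibly lost|still reachable) in loss record"
)
# "at|by 0xADDR: function (location)"; the last parenthesised group is the location.
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (.+) \(([^()]+)\)\s*$")


def parse_loss_records(text):
    """Return one dict per loss record: kind, bytes, blocks, allocation site."""
    records, current = [], None
    for line in text.splitlines():
        rec = RECORD_RE.match(line)
        if rec:
            current = {
                "kind": rec.group(3),
                "bytes": int(rec.group(1).replace(",", "")),
                "blocks": int(rec.group(2).replace(",", "")),
                "site": None,
            }
            records.append(current)
        elif current is not None:
            frame = FRAME_RE.match(line)
            if frame is None:
                current = None  # blank "==PID==" separator ends this stack
            elif current["site"] is None and not frame.group(2).startswith("in "):
                # Assumption: the first frame with file:line info is the allocation
                # site; "in /path/lib.so" frames are allocator or library wrappers.
                current["site"] = f"{frame.group(1)} ({frame.group(2)})"
    return records


def leak_sites(text, kind="definitely lost"):
    """Sum bytes and blocks per allocation site for one kind, largest first."""
    totals = defaultdict(lambda: [0, 0])
    for rec in parse_loss_records(text):
        if rec["kind"] == kind:
            site = rec["site"] or "<no source-level frame>"
            totals[site][0] += rec["bytes"]
            totals[site][1] += rec["blocks"]
    return sorted(((s, b, n) for s, (b, n) in totals.items()),
                  key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    rows = leak_sites(SAMPLE_LOG)
    total = sum(b for _, b, _ in rows)
    for site, nbytes, nblocks in rows:
        print(f"{nbytes:>12,} bytes {nblocks:>7,} blocks {nbytes / total:6.1%}  {site}")
```

The per-site byte total for "definitely lost" should equal the figure in Memcheck's LEAK SUMMARY, which is a quick check that no record was skipped when a full log is passed in.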