CB Response: 6.1.9-lnx sensor crash related to duplicate inode entries in the file_process_table cache

Article ID: 289138

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

RHEL Linux servers running the Splunkd agent can crash when the CB Response sensor panics because kmem_cache_alloc() returned a bad address.
 

Environment

  • CB Response Server: All Versions
  • CB Response Sensor: 6.1.9-lnx
  • RHEL Linux OS: All Versions
  • Splunkd agent

Cause

A defect allows conflicts in the file_process_table cache, which can lead to data corruption. The sensor uses inode+pid as the key into a hash, but an inode number is not guaranteed to be unique across filesystems.
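
The key conflict described above, as an added user-space example (not the sensor's code): the same constructed file references are inserted into a small table keyed on inode+pid, then on device+inode+pid. All struct names, function names and sample values are hypothetical, and including the device ID is the usual way to make an inode number unique, not necessarily the change shipped in 6.1.11-lnx.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical cache entry: one open file as seen by one process. */
struct file_ref { uint64_t dev; uint64_t ino; uint32_t pid; const char *path; };

#define SLOTS 64
struct table { struct file_ref slot[SLOTS]; int used[SLOTS]; int use_dev; };

static uint64_t mix(uint64_t h, uint64_t v) {        /* FNV-1a over 8 bytes */
    for (int i = 0; i < 8; i++) { h ^= (v >> (8 * i)) & 0xff; h *= 1099511628211ULL; }
    return h;
}

static int same_key(const struct table *t, const struct file_ref *a, const struct file_ref *b) {
    return a->ino == b->ino && a->pid == b->pid && (!t->use_dev || a->dev == b->dev);
}

/* Returns 1 if a new entry was stored, 0 if the key already exists (two
 * different files are treated as one entry), -1 if the table is full. */
int table_insert(struct table *t, const struct file_ref *r) {
    uint64_t h = mix(mix(14695981039346656037ULL, r->ino), r->pid);
    if (t->use_dev) h = mix(h, r->dev);
    for (int n = 0; n < SLOTS; n++) {                /* linear probing */
        int i = (int)((h + n) % SLOTS);
        if (!t->used[i]) { t->slot[i] = *r; t->used[i] = 1; return 1; }
        if (same_key(t, &t->slot[i], r)) return 0;
    }
    return -1;
}

int count_conflicts(int use_dev) {
    /* Constructed sample: the first two files live on different filesystems
     * but share inode number 1042 and are held by the same pid. */
    static const struct file_ref sample[] = {
        { 0x801, 1042, 2210, "/opt/app/var/a.log"  },
        { 0x811, 1042, 2210, "/data/app/b.log"     },
        { 0x801,   77, 2210, "/opt/app/etc/c.conf" },
    };
    struct table t; memset(&t, 0, sizeof t); t.use_dev = use_dev;
    int conflicts = 0;
    for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++)
        if (table_insert(&t, &sample[i]) == 0) conflicts++;
    return conflicts;
}

int main(void) {
    printf("inode+pid key:     %d conflict(s)\n", count_conflicts(0));
    printf("dev+inode+pid key: %d conflict(s)\n", count_conflicts(1));
    return 0;
}
```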

Resolution

This defect, CB-27796, is being resolved in the 6.1.11-lnx sensor version.

Additional Information

  • This situation could happen with other products, but the original instance of this issue was determined to be a conflict with the Splunkd process running on all of the RHEL servers.
  • The 6.1.11-lnx sensor is tentatively expected for release around the end of September 2019.