Open
Labels
kind/bug (Something isn't working)
Description
Describe the bug
We got a slice bounds out of range error while running Falco with the k8saudit-aks plugin. This is probably due to the event payload being malformed/truncated. The pod kept restarting because it couldn't parse the audit log.
How to reproduce it
Run Falco with the k8saudit-aks plugin and have a malformed audit log.
Expected behaviour
Graciously handle invalid payloads.
Screenshots
Here are the logs:
Defaulted container "falco" out of: falco, falcoctl-artifact-follow, falcoctl-artifact-install (init)
Thu Nov 06 14:05:58 2025: Falco version: 0.42.0 (x86_64)
Thu Nov 06 14:05:58 2025: Falco initialized with configuration files:
Thu Nov 06 14:05:58 2025: /etc/falco/falco.yaml | schema validation: ok
Thu Nov 06 14:05:58 2025: System info: Linux version 6.6.104.2-1.azl3 (root@CBL-Mariner) (gcc (GCC) 13.2.0, GNU ld (GNU Binutils) 2.41) #1 SMP PREEMPT_DYNAMIC Tue Sep 23 01:09:49 UTC 2025
Thu Nov 06 14:05:58 2025: [libs]: Cannot read host init process proc root: 13
Thu Nov 06 14:05:58 2025: Loaded plugin 'k8saudit-aks@0.4.0' from file /usr/share/falco/plugins/libk8saudit-aks.so
Thu Nov 06 14:05:58 2025: Loaded plugin 'json@0.7.0' from file /usr/share/falco/plugins/libjson.so
Thu Nov 06 14:05:58 2025: [libs]: Cannot read host init process proc root: 13
Thu Nov 06 14:05:58 2025: [libs]: Cannot read host init process proc root: 13
Thu Nov 06 14:05:58 2025: Loading rules from:
Thu Nov 06 14:05:58 2025: /etc/falco/k8s_audit_rules.yaml | schema validation: ok
Thu Nov 06 14:05:58 2025: /etc/falco/rules.d/custom-audit-rules.yaml | schema validation: ok
Thu Nov 06 14:05:58 2025: /etc/falco/disabled-rules.d/disabled-rules.yaml | schema validation: ok
Thu Nov 06 14:05:58 2025: Hostname value has been overridden via environment variable to: aks-main-97799827-vmss000040
Thu Nov 06 14:05:58 2025: The chosen syscall buffer dimension is: 8388608 bytes (8 MBs)
Thu Nov 06 14:05:58 2025: Starting health webserver with threadiness 4, listening on 0.0.0.0:8765
Thu Nov 06 14:05:58 2025: Setting metrics interval to 1h, equivalent to 3600000 (ms)
Thu Nov 06 14:05:58 2025: Loaded event sources: syscall, k8s_audit
Thu Nov 06 14:05:58 2025: Enabled event sources: k8s_audit
Thu Nov 06 14:05:58 2025: Opening 'k8s_audit' source with plugin 'k8saudit-aks'
Thu Nov 06 14:05:58 2025: [libs]: Trying to open the right engine!
2025/11/06 14:05:58 [k8saudit-aks] opened connection to blob storage
2025/11/06 14:05:58 [k8saudit-aks] opened blob checkpoint connection
2025/11/06 14:05:58 [k8saudit-aks] opened consumer client
2025/11/06 14:05:58 [k8saudit-aks] created eventhub processor
panic: runtime error: slice bounds out of range [32707:16384]
goroutine 20 [running]:
github.com/valyala/fastjson.parseValue({0xc000790000, 0x4000}, 0x3fe1, 0xc0003c1e78?, 0x75f8709d5960?)
/go/pkg/mod/github.com/geraldcombs/fastjson@v0.0.0-20250801170450-bf39244e60b8/parser.go:121 +0x1155
github.com/valyala/fastjson.parseObject({0xc000790000, 0x4000}, 0x3fd8, 0xc0003c1e78, 0x5)
/go/pkg/mod/github.com/geraldcombs/fastjson@v0.0.0-20250801170450-bf39244e60b8/parser.go:284 +0x692
github.com/valyala/fastjson.parseValue({0xc000790000, 0x4000}, 0x3fd8, 0xc0003c1938?, 0x75f870a1cb20?)
/go/pkg/mod/github.com/geraldcombs/fastjson@v0.0.0-20250801170450-bf39244e60b8/parser.go:112 +0xfd7
github.com/valyala/fastjson.parseArray({0xc000790000, 0x4000}, 0x37d9, 0xc0003c1e78, 0x4)
/go/pkg/mod/github.com/geraldcombs/fastjson@v0.0.0-20250801170450-bf39244e60b8/parser.go:216 +0x425
github.com/valyala/fastjson.parseValue({0xc000790000, 0x4000}, 0x37d9, 0xc0003c1e78?, 0x75f8709d5960?)
/go/pkg/mod/github.com/geraldcombs/fastjson@v0.0.0-20250801170450-bf39244e60b8/parser.go:119 +0xee7
github.com/valyala/fastjson.parseObject({0xc000790000, 0x4000}, 0x289e, 0xc0003c1e78, 0x3)
/go/pkg/mod/github.com/geraldcombs/fastjson@v0.0.0-20250801170450-bf39244e60b8/parser.go:284 +0x692
github.com/valyala/fastjson.parseValue({0xc000790000, 0x4000}, 0x289e, 0xc0003c1e78?, 0x75f8709d5960?)
/go/pkg/mod/github.com/geraldcombs/fastjson@v0.0.0-20250801170450-bf39244e60b8/parser.go:112 +0xfd7
github.com/valyala/fastjson.parseObject({0xc000790000, 0x4000}, 0x49f, 0xc0003c1e78, 0x2)
/go/pkg/mod/github.com/geraldcombs/fastjson@v0.0.0-20250801170450-bf39244e60b8/parser.go:284 +0x692
github.com/valyala/fastjson.parseValue({0xc000790000, 0x4000}, 0x49f, 0xc0003c1e78?, 0x75f8709d5960?)
/go/pkg/mod/github.com/geraldcombs/fastjson@v0.0.0-20250801170450-bf39244e60b8/parser.go:112 +0xfd7
github.com/valyala/fastjson.parseObject({0xc000790000, 0x4000}, 0x0, 0xc0003c1e78, 0x1)
/go/pkg/mod/github.com/geraldcombs/fastjson@v0.0.0-20250801170450-bf39244e60b8/parser.go:284 +0x692
github.com/valyala/fastjson.parseValue({0xc000790000, 0x4000}, 0x0, 0xc0006be240?, 0xc0002421c0?)
/go/pkg/mod/github.com/geraldcombs/fastjson@v0.0.0-20250801170450-bf39244e60b8/parser.go:112 +0xfd7
github.com/valyala/fastjson.(*Parser).Parse(0xc0003c1e60, {0xc0001e4000, 0x4000})
/go/pkg/mod/github.com/geraldcombs/fastjson@v0.0.0-20250801170450-bf39244e60b8/parser.go:36 +0x125
github.com/valyala/fastjson.(*Parser).ParseBytes(...)
/go/pkg/mod/github.com/geraldcombs/fastjson@v0.0.0-20250801170450-bf39244e60b8/parser.go:53
github.com/valyala/fastjson.ParseBytes({0xc0001e4000?, 0x2?, 0x2?})
/go/pkg/mod/github.com/geraldcombs/fastjson@v0.0.0-20250801170450-bf39244e60b8/handy.go:157 +0x35
github.com/falcosecurity/plugins/plugins/k8saudit/pkg/k8saudit.(*Plugin).ParseAuditEventsPayload(0xc0000cec60, {0xc0001e4000?, 0x0?, 0x0?})
/go/pkg/mod/github.com/falcosecurity/plugins/plugins/k8saudit@v0.16.0/pkg/k8saudit/source.go:265 +0x26
github.com/falcosecurity/plugins/plugins/k8saudit-aks/pkg/k8sauditaks.(*Plugin).Open.func2()
/__w/plugins/plugins/plugins/k8saudit-aks/pkg/k8sauditaks/k8sauditaks.go:193 +0x13e
created by github.com/falcosecurity/plugins/plugins/k8saudit-aks/pkg/k8sauditaks.(*Plugin).Open in goroutine 17
/__w/plugins/plugins/plugins/k8saudit-aks/pkg/k8sauditaks/k8sauditaks.go:185 +0x7df
Environment
- Falco version:
Thu Nov 06 19:34:24 2025: Falco version: 0.42.0 (x86_64)
Thu Nov 06 19:34:24 2025: Falco initialized with configuration files:
Thu Nov 06 19:34:24 2025: /etc/falco/falco.yaml | schema validation: ok
Thu Nov 06 19:34:24 2025: System info: Linux version 6.6.104.2-1.azl3 (root@CBL-Mariner) (gcc (GCC) 13.2.0, GNU ld (GNU Binutils) 2.41) #1 SMP PREEMPT_DYNAMIC Tue Sep 23 01:09:49 UTC 2025
{"default_driver_version":"9.0.0+driver","driver_api_version":"8.0.0","driver_schema_version":"4.0.1","engine_version":"57","engine_version_semver":"0.57.0","falco_version":"0.42.0","libs_version":"0.22.1","plugin_api_version":"3.12.0"}
- System info:
Thu Nov 06 19:37:13 2025: Falco version: 0.42.0 (x86_64)
Thu Nov 06 19:37:13 2025: Falco initialized with configuration files:
Thu Nov 06 19:37:13 2025: /etc/falco/falco.yaml | schema validation: ok
Thu Nov 06 19:37:13 2025: System info: Linux version 6.6.104.2-1.azl3 (root@CBL-Mariner) (gcc (GCC) 13.2.0, GNU ld (GNU Binutils) 2.41) #1 SMP PREEMPT_DYNAMIC Tue Sep 23 01:09:49 UTC 2025
Thu Nov 06 19:37:13 2025: [libs]: Cannot read host init process proc root: 13
Thu Nov 06 19:37:13 2025: Loaded plugin 'k8saudit-aks@0.3.0' from file /usr/share/falco/plugins/libk8saudit-aks.so
Thu Nov 06 19:37:13 2025: Loaded plugin 'json@0.7.0' from file /usr/share/falco/plugins/libjson.so
Thu Nov 06 19:37:13 2025: [libs]: Cannot read host init process proc root: 13
Thu Nov 06 19:37:13 2025: [libs]: Cannot read host init process proc root: 13
Thu Nov 06 19:37:13 2025: Loading rules from:
Thu Nov 06 19:37:13 2025: /etc/falco/k8s_audit_rules.yaml | schema validation: ok
Thu Nov 06 19:37:13 2025: /etc/falco/rules.d/custom-audit-rules.yaml | schema validation: ok
Thu Nov 06 19:37:13 2025: /etc/falco/disabled-rules.d/disabled-rules.yaml | schema validation: ok
{
"machine": "x86_64",
"nodename": "falco-audit-55b68b98d8-2j4hq",
"release": "6.6.104.2-1.azl3",
"sysname": "Linux",
"version": "#1 SMP PREEMPT_DYNAMIC Tue Sep 23 01:09:49 UTC 2025"
}
- Cloud provider or hardware configuration: Azure
- OS:
ID=wolfi
NAME="Wolfi"
PRETTY_NAME="Wolfi"
VERSION_ID="20230201"
HOME_URL="https://wolfi.dev"
BUG_REPORT_URL="https://github.com/wolfi-dev/os/issues"
- Kernel:
Linux falco-audit-55b68b98d8-2j4hq 6.6.104.2-1.azl3 #1 SMP PREEMPT_DYNAMIC Tue Sep 23 01:09:49 UTC 2025 x86_64 Linux
- Installation method: Kubernetes
Additional context
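An added example, not part of the original report and not the plugin's or fastjson's code: in Go, an unrecovered panic in any goroutine terminates the whole process, so one bad payload in the consumer goroutine is enough to restart the pod. The sketch below shows a consumer loop that converts a parser panic into an error and drops the payload instead; `fragileParse` is a hypothetical stand-in with a missing bounds check, `safeParse` and `consume` are illustrative names, and the payloads are constructed.

```go
package main

import (
	"bytes"
	"fmt"
)

// fragileParse is a hypothetical stand-in for a parser with a missing bounds
// check: it counts quoted strings and panics when a quote is never closed.
func fragileParse(b []byte) int {
	n := 0
	for i := 0; i < len(b); i++ {
		if b[i] != '"' {
			continue
		}
		end := i + 1 + bytes.IndexByte(b[i+1:], '"') // IndexByte is -1 on truncated input
		_ = b[i+1 : end]                             // panics: slice bounds out of range
		n++
		i = end
	}
	return n
}

// safeParse turns a parser panic into an error so the caller can drop the payload.
func safeParse(parse func([]byte) int, payload []byte) (n int, err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("malformed audit payload (%d bytes): %v", len(payload), r)
		}
	}()
	return parse(payload), nil
}

// consume mimics an event-consumer loop: bad payloads are counted, not fatal.
func consume(payloads [][]byte) (parsed, dropped int) {
	for _, p := range payloads {
		if _, err := safeParse(fragileParse, p); err != nil {
			dropped++
			continue
		}
		parsed++
	}
	return parsed, dropped
}

func main() {
	ok := []byte(`{"kind":"Event","verb":"get"}`) // constructed sample event
	// ok[:12] is the same event cut off mid-string (constructed).
	fmt.Println(consume([][]byte{ok, ok[:12], ok}))
}
```

The recover only contains the failure; the dropped count should be exported or logged so that lost audit events are visible, and the bounds check still belongs in the parser itself.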