Skallwar

Reputation: 93

Syscall argument in kprobe with wrong value libbpf

I'm trying to use libbpf to trace calls to the kill syscall. Here is my eBPF program:

#include "vmlinux.h"              /* kernel types (pt_regs, pid_t), generated with bpftool */
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_tracing.h>      /* BPF_KPROBE and the PT_REGS_* accessors */

char LICENSE[] SEC("license") = "GPL";   /* bpf_printk requires a GPL-compatible license */

SEC("kprobe/__x64_sys_kill")
int BPF_KPROBE(__x64_sys_kill, pid_t pid, int sig)
{
    /* Prints whatever arrives in the first argument register of __x64_sys_kill as the pid */
    bpf_printk("Pid = %i\n", pid);

    return 0;
}

But for some reason, when I try to read the pid argument, the value is negative. However, when using strace on the kill command, the value of pid is positive.

$ ping 8.8.8.8 > /dev/null &
[1] 87120
$ strace kill -9 $(pidof ping)
...
kill(87120, SIGKILL)                    = 0
...
[1]+  Killed                  ping 8.8.8.8 > /dev/null

Logs:

bash-83960   [001] d... 42409.690336: bpf_trace_printk: Pid = -1060765864

I can't figure out why the value of the pid argument inside the eBPF program is not the same as the one given by the userland process.

Upvotes: 4

Views: 842

Answers (2)

PPKun

Reputation: 1

I'm not sure if you've resolved the issue, but I recently encountered the same problem. While browsing through GitHub, I discovered that the actual registers in kprobe are located at the memory address of the first register obtained.

In other words:

struct pt_regs *ctx;                                                 /* the kprobe handler's context: the wrapper's registers */
struct pt_regs *real_regs = (struct pt_regs *)PT_REGS_PARM1(ctx);    /* rdi holds a pointer to the syscall's own pt_regs */
pid_t pid = PT_REGS_PARM1_CORE(real_regs);                           /* read real_regs->di via bpf_probe_read_kernel; a direct deref fails the verifier */

I hope this helps in addressing the issue.

Upvotes: 0

greybrunix

Reputation: 83

For syscalls, try using "ksyscall/kill".

What happens is that your kernel was probably compiled with the flag for wrapping syscalls; you can read more about that in the kernel code.

Upvotes: 0
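A user-space model of the mechanism both answers point at, added here and not part of the question or of libbpf: it mirrors libbpf's x86-64 PT_REGS_PARM* accessors and the syscall-wrapper calling convention (assumption: a three-field pt_regs is enough for the demo) to show why BPF_KPROBE's "pid" is a truncated pointer, while reading the inner pt_regs the way SEC("ksyscall/kill") with BPF_KSYSCALL does recovers 87120.

```c
#include <stdio.h>
#include <sys/types.h>

struct pt_regs { unsigned long di, si, dx; };   /* subset of x86-64 pt_regs; added model, not kernel code */

/* x86-64 accessors as libbpf's bpf_tracing.h defines them. */
#define PT_REGS_PARM1(x) ((x)->di)
#define PT_REGS_PARM2(x) ((x)->si)

/* BPF_KPROBE(__x64_sys_kill, pid_t pid, int sig) casts PARM1 straight to pid_t.
 * With CONFIG_ARCH_HAS_SYSCALL_WRAPPER, __x64_sys_kill(const struct pt_regs *)
 * receives ONE argument, a pointer to the user's registers, so this yields the
 * low 32 bits of a kernel pointer: -1060765864 in the question is 0xc0c5ff58. */
static pid_t pid_seen_by_bpf_kprobe(const struct pt_regs *ctx)
{
    return (pid_t)PT_REGS_PARM1(ctx);
}

/* What SEC("ksyscall/kill") + BPF_KSYSCALL does, and what the PT_REGS_PARM1(ctx)
 * answer spells out by hand: treat PARM1 as the real pt_regs and read pid from
 * its rdi and sig from its rsi. In eBPF that dereference must go through
 * bpf_probe_read_kernel (PT_REGS_PARM1_CORE); here it is a plain load. */
static pid_t pid_seen_by_bpf_ksyscall(const struct pt_regs *ctx, int *sig)
{
    const struct pt_regs *real = (const struct pt_regs *)PT_REGS_PARM1(ctx);
    *sig = (int)PT_REGS_PARM2(real);
    return (pid_t)PT_REGS_PARM1(real);
}

struct probe_result { pid_t kprobe_pid, ksyscall_pid, truncated_regs_ptr; int ksyscall_sig; };

/* Model kill(pid, sig) reaching the kprobe on the wrapped syscall and decode it
 * both ways. truncated_regs_ptr is what BPF_KPROBE's "pid" really is. */
struct probe_result simulate_kill_probe(pid_t pid, int sig)
{
    struct pt_regs user_regs = { .di = (unsigned long)pid, .si = (unsigned long)sig, .dx = 0 };
    struct pt_regs ctx = { .di = (unsigned long)&user_regs, .si = 0, .dx = 0 };  /* wrapper's regs */
    struct probe_result r;
    r.kprobe_pid = pid_seen_by_bpf_kprobe(&ctx);
    r.ksyscall_pid = pid_seen_by_bpf_ksyscall(&ctx, &r.ksyscall_sig);
    r.truncated_regs_ptr = (pid_t)(unsigned long)&user_regs;
    return r;
}

int main(void)
{
    struct probe_result r = simulate_kill_probe(87120, 9);   /* constructed: the question's kill -9 */
    printf("BPF_KPROBE pid = %d, ksyscall pid = %d sig = %d\n", r.kprobe_pid, r.ksyscall_pid, r.ksyscall_sig);
    return 0;
}
```

In the actual eBPF program the equivalent is SEC("ksyscall/kill") with int BPF_KSYSCALL(kill, pid_t pid, int sig), which requires libbpf 1.0 or newer.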
