Guy Arbitman

Reputation: 21

cannot read arguments properly from ebpf kprobe

I wrote a simple ebpf program (using libbpf) in which I hooked sendto syscall

libbpf version:

#include <linux/bpf.h>
#include <linux/ptrace.h>
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_tracing.h>   /* BPF_KPROBE, PT_REGS_PARMn */

char LICENSE[] SEC("license") = "GPL";   /* bpf_printk is a GPL-only helper */

/* Kprobe on the sendto syscall entry. BPF_KPROBE maps sockfd, buf and len
   straight onto PT_REGS_PARM1..3 of ctx (the raw struct pt_regs *). */
SEC("kprobe/sendto")
int BPF_KPROBE(entry_sendto, int sockfd, char* buf, size_t len)
{
    /* raw register values, printed as pointers */
    bpf_printk("libbpf - entry_sendto - 0 %p", ctx);
    bpf_printk("libbpf - entry_sendto - 1 %p", PT_REGS_PARM1(ctx));
    bpf_printk("libbpf - entry_sendto - 2 %p", PT_REGS_PARM2(ctx));
    bpf_printk("libbpf - entry_sendto - 3 %p", PT_REGS_PARM3(ctx));
    /* the same registers cast to the expected argument types */
    bpf_printk("libbpf - entry_sendto - 1 %d", (int)PT_REGS_PARM1(ctx));
    bpf_printk("libbpf - entry_sendto - 2 %s", (char *)PT_REGS_PARM2(ctx));
    bpf_printk("libbpf - entry_sendto - 3 %d", (int)PT_REGS_PARM3(ctx));
    /* the named parameters BPF_KPROBE extracted (same registers again) */
    bpf_printk("libbpf - entry_sendto params - 1 %d", sockfd);
    bpf_printk("libbpf - entry_sendto params - 2 %s", buf);
    bpf_printk("libbpf - entry_sendto params - 3 %d", len);
    return 0;
}

bcc version:

#include <uapi/linux/ptrace.h>

/* BCC treats a function whose name starts with syscall__ specially: on kernels
   with CONFIG_ARCH_HAS_SYSCALL_WRAPPER it rewrites the named parameters so they
   are read from the inner pt_regs that PT_REGS_PARM1(ctx) points to. The raw
   PT_REGS_PARMn(ctx) reads below are not rewritten. */
int syscall__probe_entry_sendto(struct pt_regs* ctx, int sockfd, char* buf, size_t len, int flags,
                                const struct sockaddr* dest_addr, size_t addrlen) {
    /* raw register values, printed as pointers */
    bpf_trace_printk("bcc - entry_sendto - 0 %p", ctx);
    bpf_trace_printk("bcc - entry_sendto - 1 %p", PT_REGS_PARM1(ctx));
    bpf_trace_printk("bcc - entry_sendto - 2 %p", PT_REGS_PARM2(ctx));
    bpf_trace_printk("bcc - entry_sendto - 3 %p", PT_REGS_PARM3(ctx));
    /* the same registers cast to the expected argument types */
    bpf_trace_printk("bcc - entry_sendto - 1 %d", (int)PT_REGS_PARM1(ctx));
    bpf_trace_printk("bcc - entry_sendto - 2 %s", (char *)PT_REGS_PARM2(ctx));
    bpf_trace_printk("bcc - entry_sendto - 3 %d", (int)PT_REGS_PARM3(ctx));
    /* the named parameters after BCC's syscall__ rewrite */
    bpf_trace_printk("bcc - entry_sendto params - 1 %d", sockfd);
    bpf_trace_printk("bcc - entry_sendto params - 2 %s", buf);
    bpf_trace_printk("bcc - entry_sendto params - 3 %d", len);
    return 0;
}

I ran a simple curl request to check the hooks and got the following:

curl-49713   [002] d... 15631.753730: bpf_trace_printk: libbpf - entry_sendto - 0 00000000eca092cd
curl-49713   [002] d... 15631.753731: bpf_trace_printk: libbpf - entry_sendto - 1 00000000bfcdc9b6
curl-49713   [002] d... 15631.753731: bpf_trace_printk: libbpf - entry_sendto - 2 0000000000000000
curl-49713   [002] d... 15631.753731: bpf_trace_printk: libbpf - entry_sendto - 3 ffffffffffffffff
curl-49713   [002] d... 15631.753732: bpf_trace_printk: libbpf - entry_sendto - 1 67403608
curl-49713   [002] d... 15631.753733: bpf_trace_printk: libbpf - entry_sendto - 2 
curl-49713   [002] d... 15631.753734: bpf_trace_printk: libbpf - entry_sendto - 3 -1
curl-49713   [002] d... 15631.753735: bpf_trace_printk: libbpf - entry_sendto params - 1 67403608
curl-49713   [002] d... 15631.753736: bpf_trace_printk: libbpf - entry_sendto params - 2 
curl-49713   [002] d... 15631.753736: bpf_trace_printk: libbpf - entry_sendto params - 3 -1
curl-49713   [002] d... 15631.753737: bpf_trace_printk: bcc - entry_sendto - 0 00000000eca092cd
curl-49713   [002] d... 15631.753737: bpf_trace_printk: bcc - entry_sendto - 1 00000000bfcdc9b6
curl-49713   [002] d... 15631.753738: bpf_trace_printk: bcc - entry_sendto - 2 0000000000000000
curl-49713   [002] d... 15631.753738: bpf_trace_printk: bcc - entry_sendto - 3 ffffffffffffffff
curl-49713   [002] d... 15631.753738: bpf_trace_printk: bcc - entry_sendto - 1 67403608
curl-49713   [002] d... 15631.753739: bpf_trace_printk: bcc - entry_sendto - 2 
curl-49713   [002] d... 15631.753739: bpf_trace_printk: bcc - entry_sendto - 3 -1
curl-49713   [002] d... 15631.753740: bpf_trace_printk: bcc - entry_sendto params - 1 6
curl-49713   [002] d... 15631.753740: bpf_trace_printk: bcc - entry_sendto params - 2 8000
curl-49713   [002] d... 15631.753740: bpf_trace_printk: bcc - entry_sendto params - 3 1

I don't understand how I should read the arguments for the sendto syscall in libbpf. The ctx struct is identical (at least address-wise) between the BCC hook and the libbpf hook.

Do you see anything that I've done wrong? Did I miss anything? Any help will be much appreciated!

Upvotes: 2

Views: 817

Answers (1)

kong chen

Reputation: 21

If your kernel has enabled CONFIG_ARCH_HAS_SYSCALL_WRAPPER, the ctx is wrapped twice. And BCC specially processes the function args: https://github.com/iovisor/bcc/commit/2da34267fcae4485f4e05a17521214749f6f0edd

Upvotes: 1
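Added example, not code from the question or the answer: a host-runnable C model of the "wrapped twice" ctx the answer describes. The model_pt_regs struct, the constructed register values and both reader functions are assumptions; on a real wrapper kernel the extra read is done for you by libbpf's BPF_KSYSCALL macro (or PT_REGS_PARMn_CORE_SYSCALL), which is the libbpf counterpart of BCC's syscall__ rewrite.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of x86-64 struct pt_regs: just the syscall argument registers, ABI order. */
struct model_pt_regs { uint64_t di, si, dx, r10, r8, r9; };

struct sendto_args { int sockfd; uint64_t buf; uint64_t len; };  /* buf kept as integer */

/* What the question's libbpf program does: read PT_REGS_PARM1..3 straight from
 * the kprobe ctx. Correct only on kernels without the syscall wrapper. */
static struct sendto_args read_args_direct(const struct model_pt_regs *ctx)
{
    struct sendto_args a = { (int)ctx->di, ctx->si, ctx->dx };
    return a;
}

/* What BCC's syscall__ rewrite (and libbpf's BPF_KSYSCALL) do on a wrapper kernel:
 * PARM1 of the ctx is a pointer to the user-mode pt_regs, so the real arguments are
 * one indirection away. In eBPF that read is a bpf_probe_read_kernel(); here, memcpy. */
static struct sendto_args read_args_wrapped(const struct model_pt_regs *ctx)
{
    struct model_pt_regs inner;
    memcpy(&inner, (const void *)(uintptr_t)ctx->di, sizeof(inner));
    struct sendto_args a = { (int)inner.di, inner.si, inner.dx };
    return a;
}

/* Constructed sample: user-mode registers for sendto(6, buf, 1, ...). */
static struct model_pt_regs sample_user_regs = { 6, 0x7ffd00001000ULL, 1, 0, 0, 0 };

/* Constructed ctx as a kprobe on the sendto entry stub sees it on a wrapper kernel:
 * PARM1 points at the user regs; PARM2/PARM3 are leftovers (0 and -1, the same
 * pattern as the "2 0000000000000000" / "3 ffffffffffffffff" lines in the trace). */
static struct model_pt_regs make_wrapped_ctx(void)
{
    struct model_pt_regs ctx = { (uint64_t)(uintptr_t)&sample_user_regs, 0,
                                 (uint64_t)-1, 0, 0, 0 };
    return ctx;
}

int main(void)
{
    struct model_pt_regs ctx = make_wrapped_ctx();
    struct sendto_args d = read_args_direct(&ctx), w = read_args_wrapped(&ctx);
    printf("direct : sockfd=%d len=%lld\n", d.sockfd, (long long)d.len);   /* garbage, -1 */
    printf("wrapped: sockfd=%d len=%lld\n", w.sockfd, (long long)w.len);   /* 6, 1 */
    return 0;
}
```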
