fix(processors): change args values by name (#3838)
Change all places that change args values in processors to find
arguments by their names instead of index.
This way the order of the arguments received from the kernel shall not
cause bugs.

Co-authored-by: Geyslan Gregório <geyslan@gmail.com>
AlonZivony and geyslan committed Feb 7, 2024
1 parent f97d875 commit b8f5516
Showing 2 changed files with 33 additions and 8 deletions.
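--- a/pkg/ebpf/processor_funcs.go
+++ b/pkg/ebpf/processor_funcs.go
@@ -260,7 +260,8 @@ const (
 
 // processHookedProcFops processes a hooked_proc_fops event.
 func (t *Tracee) processHookedProcFops(event *trace.Event) error {
-fopsAddresses, err := parse.ArgVal[[]uint64](event.Args, "hooked_fops_pointers")
+const hookedFopsPointersArgName = "hooked_fops_pointers"
+fopsAddresses, err := parse.ArgVal[[]uint64](event.Args, hookedFopsPointersArgName)
 if err != nil || fopsAddresses == nil {
 return errfmt.Errorf("error parsing hooked_proc_fops args: %v", err)
 }
@@ -282,7 +283,10 @@ func (t *Tracee) processHookedProcFops(event *trace.Event) error {
 }
 hookedFops = append(hookedFops, trace.HookedSymbolData{SymbolName: functionName, ModuleOwner: hookingFunction.Owner})
 }
-event.Args[0].Value = hookedFops
+err = events.SetArgValue(event, hookedFopsPointersArgName, hookedFops)
+if err != nil {
+return err
+}
 return nil
 }
 
@@ -318,9 +322,18 @@ func (t *Tracee) processPrintMemDump(event *trace.Event) error {
 return errfmt.WrapError(err)
 }
 arch = string(bytes.TrimRight(utsName.Machine[:], "\x00"))
-event.Args[4].Value = arch
-event.Args[5].Value = symbol.Name
-event.Args[6].Value = symbol.Owner
+err = events.SetArgValue(event, "arch", arch)
+if err != nil {
+return err
+}
+err = events.SetArgValue(event, "symbol_name", symbol.Name)
+if err != nil {
+return err
+}
+err = events.SetArgValue(event, "symbol_owner", symbol.Owner)
+if err != nil {
+return err
+}
 return nil
 }
 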
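Review bot: The new `SetArgValue` checks in processHookedProcFops and processPrintMemDump return the error bare (`return err`), while the context line just above in processPrintMemDump uses `return errfmt.WrapError(err)`; using the same wrapper keeps a failed enrichment attributable to the processor that raised it. The names `"arch"`, `"symbol_name"` and `"symbol_owner"` are inline literals, unlike the `hookedFopsPointersArgName` constant introduced in the first hunk. Named constants, plus a unit test asserting that each name resolves on its event, would catch a renamed argument before it becomes a runtime error on these detection events. How the caller treats a processor error is not visible here, so whether such a failure drops the event or emits it unenriched should be confirmed. processPrintMemDump starts outside the shown hunk.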
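--- a/pkg/events/parse_args.go
+++ b/pkg/events/parse_args.go
@@ -14,9 +14,12 @@ import (
 )
 
 func ParseArgs(event *trace.Event) error {
-for i := range event.Args {
-if ptr, isUintptr := event.Args[i].Value.(uintptr); isUintptr {
-event.Args[i].Value = "0x" + strconv.FormatUint(uint64(ptr), 16)
+for _, arg := range event.Args {
+if ptr, isUintptr := arg.Value.(uintptr); isUintptr {
+err := SetArgValue(event, arg.Name, "0x"+strconv.FormatUint(uint64(ptr), 16))
+if err != nil {
+return err
+}
 }
 }
 
@@ -308,6 +311,15 @@ func GetArg(event *trace.Event, argName string) *trace.Argument {
 return nil
 }
 
+func SetArgValue(event *trace.Event, argName string, value any) error {
+arg := GetArg(event, argName)
+if arg == nil {
+return fmt.Errorf("event %s has no argument named %s", event.EventName, argName)
+}
+arg.Value = value
+return nil
+}
+
 type CustomFunctionArgument struct {
 val uint64
 str string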
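Review bot: In ParseArgs the loop already visits every argument, so writing through `SetArgValue(event, arg.Name, …)` replaces an exact write with a by-name lookup per element. If GetArg returns the first match (its body is outside the hunk, so this is inferred), two arguments sharing a name, or an empty name, would leave the later one as a raw `uintptr` and overwrite the earlier one. The kernel-ordering concern does not arise when all elements are walked, so `for i := range event.Args` with `event.Args[i].Value = "0x" + strconv.FormatUint(uint64(ptr), 16)` stays exact, cannot fail, and avoids copying each argument. `SetArgValue` is exported without a doc comment; I would add `// SetArgValue sets the value of the argument named argName and returns an error if the event has no such argument.` ParseArgs continues past the end of the hunk.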
