fix(ebpf): fix hidden_kernel_module error in some kernels (#3797)

On some kernels, while iterating module_kset, we need to check if we've encountered the first module we iterated on, marking we iterated over all modules instead of continuing iterating indefinitely.
aquasecurity · Jan 8, 2024 · f8aa0d6 · f8aa0d6
1 parent 4be97e0
commit f8aa0d6
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/pkg/ebpf/c/tracee.bpf.c b/pkg/ebpf/c/tracee.bpf.c
@@ -749,6 +749,7 @@ statfunc bool is_hidden(u64 mod)
 statfunc bool find_modules_from_module_kset_list(program_data_t *p)
 {
     char module_kset_sym[12] = "module_kset";
+    struct module *first_mod = NULL;
     struct kset *mod_kset = (struct kset *) get_symbol_addr(module_kset_sym);
     struct list_head *head = &(mod_kset->list);
     struct kobject *pos = list_first_entry_ebpf(head, typeof(*pos), entry);
@@ -770,6 +771,13 @@ statfunc bool find_modules_from_module_kset_list(program_data_t *p)
         if (mod_kobj) {
             struct module *mod = BPF_CORE_READ(mod_kobj, mod);
             if (mod) {
+                if (first_mod == NULL) {
+                    first_mod = mod;
+                } else if (first_mod == mod) { // Iterated over all modules - stop.
+                    finished_iterating = true;
+                    break;
+                }
+
                 if (is_hidden((u64) mod)) {
                     lkm_seeker_send_to_userspace(mod, &flags, p);
                 }