From 04c467e6499d2125d1886dbbcc5a16e8a1ba0ad5 Mon Sep 17 00:00:00 2001
From: RoiKol
Date: Tue, 22 Aug 2023 19:07:25 +0300
Subject: [PATCH] fix: capture of writev handle io_vec correctly to fix capture of writev syscalls
---
 pkg/ebpf/c/common/filesystem.h | 5 +++++
 pkg/ebpf/c/tracee.bpf.c | 11 ++++++-----
 2 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/pkg/ebpf/c/common/filesystem.h b/pkg/ebpf/c/common/filesystem.h
index d7b8d212eb4..f909fb479a6 100644
--- a/pkg/ebpf/c/common/filesystem.h
+++ b/pkg/ebpf/c/common/filesystem.h
@@ -412,7 +412,12 @@ statfunc void fill_vfs_file_bin_args_io_data(io_data_t io_data, bin_args_t *bin_
 {
 bin_args->ptr = io_data.ptr;
 bin_args->full_size = io_data.len;
+
+ // handle case of write using iovec
 if (!io_data.is_buf && io_data.len > 0) {
+ bin_args->vec = io_data.ptr;
+ bin_args->iov_len = io_data.len;
+ bin_args->iov_idx = 0;
 struct iovec io_vec;
 bpf_probe_read(&io_vec, sizeof(struct iovec), &bin_args->vec[0]);
 bin_args->ptr = io_vec.iov_base;
diff --git a/pkg/ebpf/c/tracee.bpf.c b/pkg/ebpf/c/tracee.bpf.c
index 35900cb8d47..11a2b2ac584 100644
--- a/pkg/ebpf/c/tracee.bpf.c
+++ b/pkg/ebpf/c/tracee.bpf.c
@@ -2615,6 +2615,7 @@ statfunc u32 send_bin_helper(void *ctx, void *prog_array, int tail_call)
 bin_args->iov_idx++;
 if (bin_args->iov_idx < bin_args->iov_len) {
 // Handle the rest of write recursively
+ bin_args->start_off += bin_args->full_size;
 struct iovec io_vec;
 bpf_probe_read(&io_vec, sizeof(struct iovec), &bin_args->vec[bin_args->iov_idx]);
 bin_args->ptr = io_vec.iov_base;
@@ -2697,6 +2698,7 @@ statfunc u32 send_bin_helper(void *ctx, void *prog_array, int tail_call)
 bin_args->iov_idx++;
 if (bin_args->iov_idx < bin_args->iov_len) {
 // Handle the rest of write recursively
+ bin_args->start_off += bin_args->full_size;
 struct iovec io_vec;
 bpf_probe_read(&io_vec, sizeof(struct iovec), &bin_args->vec[bin_args->iov_idx]);
 bin_args->ptr = io_vec.iov_base;
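Review bot: The `bpf_probe_read` on the line after the new `bin_args->iov_idx = 0;` is still unchecked, and with the new `bin_args->vec = io_data.ptr` it now dereferences the first element of a caller-supplied iovec array that may not be readable at probe time. On a failed read the kernel helper zero-fills its destination, so `bin_args->ptr` becomes NULL while `full_size` keeps the value copied from `io_data.len` above the branch, which on this path is the iovec element count rather than a byte length (per the comment the same patch adds in tracee.bpf.c). Presumably a line after the hunk replaces `full_size` with `io_vec.iov_len`; guarding the read keeps a failed lookup from leaving a zero pointer with a stale size: `if (bpf_probe_read(&io_vec, sizeof(struct iovec), &bin_args->vec[0]) != 0) { bin_args->full_size = 0; bin_args->iov_len = 0; return; }`, assuming a zero `full_size` makes the caller send nothing — confirm against the caller. fill_vfs_file_bin_args_io_data continues past the end of the hunk.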
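Review bot: The added `bin_args->start_off += bin_args->full_size;` and the five lines around it are now byte-for-byte identical in this hunk and in the second send_bin_helper hunk at old line 2697, so the iovec-advance sequence lives in two places that must be fixed together; extracting it into a small `statfunc` helper called from both sites removes the risk of the next fix landing in only one. Both sites also leave the `bpf_probe_read` of the next iovec element unchecked, so a failed read yields a NULL `ptr` paired with the previous segment's `full_size`; `if (bpf_probe_read(&io_vec, sizeof(struct iovec), &bin_args->vec[bin_args->iov_idx]) != 0)` should skip the recursive send rather than fall through. The offset advance assumes `full_size` holds the previous segment's `iov_len` as read from the user iovec; if the write returned fewer bytes than the sum of the segments, the walk still attributes the later segments to the file unless something outside the hunk caps it with the write's return value — worth confirming, since the captured bytes are what an analyst will treat as actually written. The enclosing `if` block continues outside the hunk.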
@@ -2844,11 +2846,11 @@ extract_vfs_ret_io_data(struct pt_regs *ctx, args_t *saved_args, io_data_t *io_d
 {
 io_data->is_buf = is_buf;
 if (is_buf) {
- io_data->ptr = (void *) saved_args->args[1];
- io_data->len = (size_t) PT_REGS_RC(ctx);
+ io_data->ptr = (void *) saved_args->args[1]; // pointer to buf
+ io_data->len = (size_t) PT_REGS_RC(ctx); // number of bytes written to buf
 } else {
- io_data->ptr = (struct iovec *) saved_args->args[1];
- io_data->len = saved_args->args[2];
+ io_data->ptr = (struct iovec *) saved_args->args[1]; // pointer to iovec array
+ io_data->len = saved_args->args[2]; // number of iovec elements in array
 }
 }
@@ -2906,7 +2908,6 @@ statfunc int capture_file_write(struct pt_regs *ctx, u32 event_id, bool is_buf)
 }
 bin_args_t bin_args = {};
- u64 id = bpf_get_current_pid_tgid();
 fill_vfs_file_bin_args(SEND_VFS_WRITE, file, pos, io_data, PT_REGS_RC(ctx), pid, &bin_args);
 // Send file data
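Review bot: The trailing comments added on the four changed assignments establish that `io_data->len` holds a byte count on the buffer path but an element count on the iovec path, and that dual meaning belongs once on the `io_data_t` field declaration rather than only at these assignments, because fill_vfs_file_bin_args_io_data in the same patch copies `io_data.len` into `bin_args->full_size` before it has checked `is_buf`. A field comment such as `// bytes written when is_buf, otherwise number of iovec elements` keeps the next consumer from mixing the two units. The iovec branch also discards `PT_REGS_RC(ctx)`; presumably the caller passes it separately (capture_file_write below does), so the number of bytes actually written remains available to bound the iovec walk — confirm that it is used for that.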