Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: capture of writev #3413

Merged
merged 1 commit into from Sep 3, 2023
Merged

fix: capture of writev #3413

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
5 changes: 5 additions & 0 deletions pkg/ebpf/c/common/filesystem.h
View file
Open in desktop
Expand Up @@ -412,7 +412,12 @@ statfunc void fill_vfs_file_bin_args_io_data(io_data_t io_data, bin_args_t *bin_
{
bin_args->ptr = io_data.ptr;
bin_args->full_size = io_data.len;

// handle case of write using iovec
if (!io_data.is_buf && io_data.len > 0) {
bin_args->vec = io_data.ptr;
bin_args->iov_len = io_data.len;
bin_args->iov_idx = 0;
struct iovec io_vec;
bpf_probe_read(&io_vec, sizeof(struct iovec), &bin_args->vec[0]);
bin_args->ptr = io_vec.iov_base;
Expand Down
11 changes: 6 additions & 5 deletions pkg/ebpf/c/tracee.bpf.c
View file
Open in desktop
Expand Up @@ -2615,6 +2615,7 @@ statfunc u32 send_bin_helper(void *ctx, void *prog_array, int tail_call)
bin_args->iov_idx++;
if (bin_args->iov_idx < bin_args->iov_len) {
// Handle the rest of write recursively
bin_args->start_off += bin_args->full_size;
struct iovec io_vec;
bpf_probe_read(&io_vec, sizeof(struct iovec), &bin_args->vec[bin_args->iov_idx]);
bin_args->ptr = io_vec.iov_base;
Expand Down Expand Up @@ -2697,6 +2698,7 @@ statfunc u32 send_bin_helper(void *ctx, void *prog_array, int tail_call)
bin_args->iov_idx++;
if (bin_args->iov_idx < bin_args->iov_len) {
// Handle the rest of write recursively
bin_args->start_off += bin_args->full_size;
struct iovec io_vec;
bpf_probe_read(&io_vec, sizeof(struct iovec), &bin_args->vec[bin_args->iov_idx]);
bin_args->ptr = io_vec.iov_base;
Expand Down Expand Up @@ -2844,11 +2846,11 @@ extract_vfs_ret_io_data(struct pt_regs *ctx, args_t *saved_args, io_data_t *io_d
{
io_data->is_buf = is_buf;
if (is_buf) {
io_data->ptr = (void *) saved_args->args[1];
io_data->len = (size_t) PT_REGS_RC(ctx);
io_data->ptr = (void *) saved_args->args[1]; // pointer to buf
io_data->len = (size_t) PT_REGS_RC(ctx); // number of bytes written to buf
} else {
io_data->ptr = (struct iovec *) saved_args->args[1];
io_data->len = saved_args->args[2];
io_data->ptr = (struct iovec *) saved_args->args[1]; // pointer to iovec array
io_data->len = saved_args->args[2]; // number of iovec elements in array
}
}

Expand Down Expand Up @@ -2906,7 +2908,6 @@ statfunc int capture_file_write(struct pt_regs *ctx, u32 event_id, bool is_buf)
}

bin_args_t bin_args = {};
u64 id = bpf_get_current_pid_tgid();
fill_vfs_file_bin_args(SEND_VFS_WRITE, file, pos, io_data, PT_REGS_RC(ctx), pid, &bin_args);

// Send file data
Expand Down