fix listen syscall backlog field size

Reported by: github issue falcosecurity#515

Signed-off-by: Ofer Heifetz <oheifetz@gmail.com>

driver/bpf/fillers.h

@@ -4089,6 +4089,18 @@ FILLER(sys_shutdown_e, true)
 	return bpf_push_u8_to_ring(data, (u8)shutdown_how_to_scap(how));
 }
 
+FILLER(sys_listen_e, true)
+{
+	/* Parameter 1: fd (type: PT_FD) */
+	s32 fd = (s32)bpf_syscall_get_argument(data, 0);
+	int res = bpf_push_s64_to_ring(data, (s64)fd);
+	CHECK_RES(res);
+
+	/* Parameter 2: backlog (type: PT_INT32) */
+	s32 backlog = (s32)bpf_syscall_get_argument(data, 0);
+	return bpf_push_s32_to_ring(data, (s32)backlog);
+}
+
 FILLER(sys_recvmsg_e, true)
 {
 	/* Parameter 1: fd (type: PT_FD) */

driver/event_table.c

@@ -71,7 +71,7 @@ const struct ppm_event_info g_event_info[] = {
 	[PPME_SOCKET_BIND_X] = {"bind", EC_NET | EC_SYSCALL, EF_USES_FD | EF_MODIFIES_STATE, 2, {{"res", PT_ERRNO, PF_DEC}, {"addr", PT_SOCKADDR, PF_NA} } },
 	[PPME_SOCKET_CONNECT_E] = {"connect", EC_NET | EC_SYSCALL, EF_USES_FD | EF_MODIFIES_STATE, 2, {{"fd", PT_FD, PF_DEC}, {"addr", PT_SOCKADDR, PF_NA} } },
 	[PPME_SOCKET_CONNECT_X] = {"connect", EC_NET | EC_SYSCALL, EF_USES_FD | EF_MODIFIES_STATE, 3, {{"res", PT_ERRNO, PF_DEC}, {"tuple", PT_SOCKTUPLE, PF_NA}, {"fd", PT_FD, PF_DEC } } },
-	[PPME_SOCKET_LISTEN_E] = {"listen", EC_NET | EC_SYSCALL, EF_USES_FD, 2, {{"fd", PT_FD, PF_DEC}, {"backlog", PT_UINT32, PF_DEC} } },
+	[PPME_SOCKET_LISTEN_E] = {"listen", EC_NET | EC_SYSCALL, EF_USES_FD, 2, {{"fd", PT_FD, PF_DEC}, {"backlog", PT_INT32, PF_DEC} } },
 	[PPME_SOCKET_LISTEN_X] = {"listen", EC_NET | EC_SYSCALL, EF_USES_FD, 1, {{"res", PT_ERRNO, PF_DEC} } },
 	[PPME_SOCKET_ACCEPT_E] = {"accept", EC_NET | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE | EF_OLD_VERSION, 0},
 	[PPME_SOCKET_ACCEPT_X] = {"accept", EC_NET | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE | EF_OLD_VERSION, 3, {{"fd", PT_FD, PF_DEC}, {"tuple", PT_SOCKTUPLE, PF_NA}, {"queuepct", PT_UINT8, PF_DEC} } },

driver/fillers_table.c

@@ -39,7 +39,7 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
 	[PPME_SOCKET_BIND_X] = {FILLER_REF(sys_socket_bind_x)},
 	[PPME_SOCKET_CONNECT_E] = {FILLER_REF(sys_connect_e)},
 	[PPME_SOCKET_CONNECT_X] = {FILLER_REF(sys_connect_x)},
-	[PPME_SOCKET_LISTEN_E] = {FILLER_REF(sys_autofill), 2, APT_SOCK, {{0}, {1} } },
+	[PPME_SOCKET_LISTEN_E] = {FILLER_REF(sys_listen_e)},
 	[PPME_SOCKET_LISTEN_X] = {FILLER_REF(sys_single_x)},
 	[PPME_SOCKET_SEND_E] = {FILLER_REF(sys_send_e)},
 	[PPME_SOCKET_SEND_X] = {FILLER_REF(sys_send_x)},

driver/modern_bpf/definitions/events_dimensions.h

@@ -92,7 +92,7 @@
 #define ACCEPT_E_SIZE HEADER_LEN
 #define ACCEPT4_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
 #define BIND_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define LISTEN_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
+#define LISTEN_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(int32_t) + PARAM_LEN * 2
 #define LISTEN_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
 #define CLONE_E_SIZE HEADER_LEN
 #define CLONE3_E_SIZE HEADER_LEN

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/listen.bpf.c

@@ -32,10 +32,9 @@ int BPF_PROG(listen_e,
 	s32 fd = (s32)args[0];
 	ringbuf__store_s64(&ringbuf, (s64)fd);
 
-	/* Parameter 2: backlog (type: PT_UINT32) */
-	/// TODO: This should be an `int` not a `uint32_t`
-	u32 backlog = (u32)args[1];
-	ringbuf__store_u32(&ringbuf, backlog);
+	/* Parameter 2: backlog (type: PT_INT32) */
+	s32 backlog = (s32)args[1];
+	ringbuf__store_s32(&ringbuf, backlog);
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 

driver/ppm_fillers.c

@@ -2808,6 +2808,28 @@ int f_sys_sendmsg_x(struct event_filler_arguments *args)
 	return add_sentinel(args);
 }
 
+int f_sys_listen_e(struct event_filler_arguments *args)
+{
+	unsigned long val = 0;
+	int res = 0;
+	s32 fd = 0;
+	s32 backlog = 0;
+
+	/* Parameter 1: fd (type: PT_FD)*/
+	syscall_get_arguments_deprecated(args, 0, 1, &val);
+	fd = (s32)val;
+	res = val_to_ring(args, (s64)fd, 0, false, 0);
+	CHECK_RES(res);
+
+	/* Parameter 2: backlog (type: PT_INT32) */
+	syscall_get_arguments_deprecated(args, 1, 1, &val);
+	backlog = (s32)val;
+	res = val_to_ring(args, (s64)backlog, 0, true, 0);
+	CHECK_RES(res);
+
+	return add_sentinel(args);
+}
+
 int f_sys_recvmsg_e(struct event_filler_arguments *args)
 {
 	unsigned long val = 0;

driver/ppm_fillers.h

@@ -160,6 +160,7 @@ or GPL2.txt for full copies of the license.
 	FN(sys_setpgid_e)                 \
 	FN(sys_recvfrom_e)                 \
 	FN(sys_recvmsg_e)                 \
+	FN(sys_listen_e)                  \
 	FN(sys_signalfd_e)                 \
 	FN(sys_splice_e)				\
 	FN(sys_umount_x)				\

test/drivers/test_suites/syscall_enter_suite/listen_e.cpp

@@ -33,8 +33,8 @@ TEST(SyscallEnter, listenE)
 	/* Parameter 1: fd (type: PT_FD) */
 	evt_test->assert_numeric_param(1, (int64_t)socket_fd);
 
-	/* Parameter 2: backlog (type: PT_UINT32) */
-	evt_test->assert_numeric_param(2, (uint32_t)backlog);
+	/* Parameter 2: backlog (type: PT_INT32) */
+	evt_test->assert_numeric_param(2, (int32_t)backlog);
 
 	/*=============================== ASSERT PARAMETERS  ===========================*/
 

test/drivers/test_suites/syscall_enter_suite/socketcall_e.cpp

@@ -484,8 +484,8 @@ TEST(SyscallEnter, socketcall_listenE)
 	/* Parameter 1: fd (type: PT_FD) */
 	evt_test->assert_numeric_param(1, (int64_t)socket_fd);
 
-	/* Parameter 2: backlog (type: PT_UINT32) */
-	evt_test->assert_numeric_param(2, (uint32_t)backlog);
+	/* Parameter 2: backlog (type: PT_INT32) */
+	evt_test->assert_numeric_param(2, (int32_t)backlog);
 
 	/*=============================== ASSERT PARAMETERS  ===========================*/