fix listen syscall backlog field size
Reported by: github issue falcosecurity#515

Signed-off-by: Ofer Heifetz <oheifetz@gmail.com>
oheifetz committed Aug 5, 2023
1 parent 6ddef94 commit b9a3329
Showing 9 changed files with 45 additions and 11 deletions.
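--- a/driver/bpf/fillers.h
+++ b/driver/bpf/fillers.h
@@ -4089,6 +4089,18 @@ FILLER(sys_shutdown_e, true)
 return bpf_push_u8_to_ring(data, (u8)shutdown_how_to_scap(how));
 }
 
+FILLER(sys_listen_e, true)
+{
+/* Parameter 1: fd (type: PT_FD) */
+s32 fd = (s32)bpf_syscall_get_argument(data, 0);
+int res = bpf_push_s64_to_ring(data, (s64)fd);
+CHECK_RES(res);
+
+/* Parameter 2: backlog (type: PT_INT32) */
+s32 backlog = (s32)bpf_syscall_get_argument(data, 0);
+return bpf_push_s32_to_ring(data, (s32)backlog);
+}
+
 FILLER(sys_recvmsg_e, true)
 {
 /* Parameter 1: fd (type: PT_FD) */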
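Review bot: The backlog in `sys_listen_e` is read with `bpf_syscall_get_argument(data, 0)`, the same index used for fd a few lines earlier, so this probe would push the descriptor number into the backlog field instead of the second syscall argument. The other drivers touched by this commit read index 1 (`args[1]` in the modern probe, `syscall_get_arguments_deprecated(args, 1, 1, &val)` in ppm_fillers.c), so the line should be `s32 backlog = (s32)bpf_syscall_get_argument(data, 1);`. Because the event keeps the right shape, nothing fails at load time; consumers that filter or alert on the listen backlog would simply see wrong values from this driver.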
2 changes: 1 addition & 1 deletion driver/event_table.c
@@ -71,7 +71,7 @@ const struct ppm_event_info g_event_info[] = {
[PPME_SOCKET_BIND_X] = {"bind", EC_NET | EC_SYSCALL, EF_USES_FD | EF_MODIFIES_STATE, 2, {{"res", PT_ERRNO, PF_DEC}, {"addr", PT_SOCKADDR, PF_NA} } },
[PPME_SOCKET_CONNECT_E] = {"connect", EC_NET | EC_SYSCALL, EF_USES_FD | EF_MODIFIES_STATE, 2, {{"fd", PT_FD, PF_DEC}, {"addr", PT_SOCKADDR, PF_NA} } },
[PPME_SOCKET_CONNECT_X] = {"connect", EC_NET | EC_SYSCALL, EF_USES_FD | EF_MODIFIES_STATE, 3, {{"res", PT_ERRNO, PF_DEC}, {"tuple", PT_SOCKTUPLE, PF_NA}, {"fd", PT_FD, PF_DEC } } },
[PPME_SOCKET_LISTEN_E] = {"listen", EC_NET | EC_SYSCALL, EF_USES_FD, 2, {{"fd", PT_FD, PF_DEC}, {"backlog", PT_UINT32, PF_DEC} } },
[PPME_SOCKET_LISTEN_E] = {"listen", EC_NET | EC_SYSCALL, EF_USES_FD, 2, {{"fd", PT_FD, PF_DEC}, {"backlog", PT_INT32, PF_DEC} } },
[PPME_SOCKET_LISTEN_X] = {"listen", EC_NET | EC_SYSCALL, EF_USES_FD, 1, {{"res", PT_ERRNO, PF_DEC} } },
[PPME_SOCKET_ACCEPT_E] = {"accept", EC_NET | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE | EF_OLD_VERSION, 0},
[PPME_SOCKET_ACCEPT_X] = {"accept", EC_NET | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE | EF_OLD_VERSION, 3, {{"fd", PT_FD, PF_DEC}, {"tuple", PT_SOCKTUPLE, PF_NA}, {"queuepct", PT_UINT8, PF_DEC} } },
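Review bot: Changing the `backlog` parameter of `PPME_SOCKET_LISTEN_E` in place from `PT_UINT32` to `PT_INT32` alters how an existing event field is interpreted, and none of the nine files in this commit records that for consumers. The field stays four bytes wide, so the layout does not move, but a capture written before this change and a reader built after it (or the reverse) will disagree on any value with the top bit set. If the project tracks event-table changes with a schema or API version, this commit looks like it needs the corresponding bump. The commit description could also state that the parameter type changed, not only its size.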
2 changes: 1 addition & 1 deletion driver/fillers_table.c
@@ -39,7 +39,7 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
[PPME_SOCKET_BIND_X] = {FILLER_REF(sys_socket_bind_x)},
[PPME_SOCKET_CONNECT_E] = {FILLER_REF(sys_connect_e)},
[PPME_SOCKET_CONNECT_X] = {FILLER_REF(sys_connect_x)},
[PPME_SOCKET_LISTEN_E] = {FILLER_REF(sys_autofill), 2, APT_SOCK, {{0}, {1} } },
[PPME_SOCKET_LISTEN_E] = {FILLER_REF(sys_listen_e)},
[PPME_SOCKET_LISTEN_X] = {FILLER_REF(sys_single_x)},
[PPME_SOCKET_SEND_E] = {FILLER_REF(sys_send_e)},
[PPME_SOCKET_SEND_X] = {FILLER_REF(sys_send_x)},
2 changes: 1 addition & 1 deletion driver/modern_bpf/definitions/events_dimensions.h
@@ -92,7 +92,7 @@
#define ACCEPT_E_SIZE HEADER_LEN
#define ACCEPT4_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
#define BIND_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define LISTEN_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
#define LISTEN_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(int32_t) + PARAM_LEN * 2
#define LISTEN_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
#define CLONE_E_SIZE HEADER_LEN
#define CLONE3_E_SIZE HEADER_LEN
@@ -32,10 +32,9 @@ int BPF_PROG(listen_e,
s32 fd = (s32)args[0];
ringbuf__store_s64(&ringbuf, (s64)fd);

/* Parameter 2: backlog (type: PT_UINT32) */
/// TODO: This should be an `int` not a `uint32_t`
u32 backlog = (u32)args[1];
ringbuf__store_u32(&ringbuf, backlog);
/* Parameter 2: backlog (type: PT_INT32) */
s32 backlog = (s32)args[1];
ringbuf__store_s32(&ringbuf, backlog);

/*=============================== COLLECT PARAMETERS ===========================*/

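--- a/driver/ppm_fillers.c
+++ b/driver/ppm_fillers.c
@@ -2808,6 +2808,28 @@ int f_sys_sendmsg_x(struct event_filler_arguments *args)
 return add_sentinel(args);
 }
 
+int f_sys_listen_e(struct event_filler_arguments *args)
+{
+unsigned long val = 0;
+int res = 0;
+s32 fd = 0;
+s32 backlog = 0;
+
+/* Parameter 1: fd (type: PT_FD)*/
+syscall_get_arguments_deprecated(args, 0, 1, &val);
+fd = (s32)val;
+res = val_to_ring(args, (s64)fd, 0, false, 0);
+CHECK_RES(res);
+
+/* Parameter 2: backlog (type: PT_INT32) */
+syscall_get_arguments_deprecated(args, 1, 1, &val);
+backlog = (s32)val;
+res = val_to_ring(args, (s64)backlog, 0, true, 0);
+CHECK_RES(res);
+
+return add_sentinel(args);
+}
+
 int f_sys_recvmsg_e(struct event_filler_arguments *args)
 {
 unsigned long val = 0;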
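Review bot: The two `val_to_ring()` calls in `f_sys_listen_e` differ in their fourth argument, `false` for fd and `true` for backlog, although both values are plain integers already copied out of the syscall arguments. Assuming that argument is the from-user flag (its declaration is outside this hunk), it probably has no effect on a scalar, but it reads as if backlog were a user-space pointer; `res = val_to_ring(args, (s64)backlog, 0, false, 0);` would match the fd call. The function also has no header comment, so a one-line comment stating that it emits fd as PT_FD and backlog as PT_INT32 would help the next reader.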
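--- a/driver/ppm_fillers.h
+++ b/driver/ppm_fillers.h
@@ -160,6 +160,7 @@ or GPL2.txt for full copies of the license.
 FN(sys_setpgid_e) \
 FN(sys_recvfrom_e) \
 FN(sys_recvmsg_e) \
+FN(sys_listen_e) \
 FN(sys_signalfd_e) \
 FN(sys_splice_e) \
 FN(sys_umount_x) \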
4 changes: 2 additions & 2 deletions test/drivers/test_suites/syscall_enter_suite/listen_e.cpp
@@ -33,8 +33,8 @@ TEST(SyscallEnter, listenE)
/* Parameter 1: fd (type: PT_FD) */
evt_test->assert_numeric_param(1, (int64_t)socket_fd);

/* Parameter 2: backlog (type: PT_UINT32) */
evt_test->assert_numeric_param(2, (uint32_t)backlog);
/* Parameter 2: backlog (type: PT_INT32) */
evt_test->assert_numeric_param(2, (int32_t)backlog);

/*=============================== ASSERT PARAMETERS ===========================*/

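Review bot: Only the cast in the backlog assertion changes here, and in the same way in `socketcall_listenE` in socketcall_e.cpp, so neither test visibly exercises the signedness this commit is about. The value of `backlog` is set outside the hunk, so this is inferred, but for a small positive number `(uint32_t)backlog` and `(int32_t)backlog` compare equal and the old and new types are indistinguishable. Using a negative value, for example `int backlog = -1;` (a constructed sample), would cover the case where the two types actually differ. Choosing a value that cannot coincide with `socket_fd` would also catch a driver that reads the wrong syscall argument.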
4 changes: 2 additions & 2 deletions test/drivers/test_suites/syscall_enter_suite/socketcall_e.cpp
@@ -484,8 +484,8 @@ TEST(SyscallEnter, socketcall_listenE)
/* Parameter 1: fd (type: PT_FD) */
evt_test->assert_numeric_param(1, (int64_t)socket_fd);

/* Parameter 2: backlog (type: PT_UINT32) */
evt_test->assert_numeric_param(2, (uint32_t)backlog);
/* Parameter 2: backlog (type: PT_INT32) */
evt_test->assert_numeric_param(2, (int32_t)backlog);

/*=============================== ASSERT PARAMETERS ===========================*/

