Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

kprobe attach __x64_sys_open get empty file from arg 0 #587

Closed
nichoalsliu opened this issue Apr 24, 2023 · 2 comments · May be fixed by #944
Closed

kprobe attach __x64_sys_open get empty file from arg 0 #587

nichoalsliu opened this issue Apr 24, 2023 · 2 comments · May be fixed by #944

Comments

@nichoalsliu
Copy link

nichoalsliu commented Apr 24, 2023
edited by tamird

//env
aya = { version = ">=0.11", features=["async_tokio"] }
ubuntu 22.04

//user space code

    let program: &mut KProbe = bpf.program_mut("probe_open").unwrap().try_into()?;
    program.load()?;
    program.attach("__x64_sys_open", 0)?;

    let mut perf_array = AsyncPerfEventArray::try_from(bpf.map_mut("EVENTS")?)?;
     for cpu_id in online_cpus()? {
            let mut buf = perf_array.open(cpu_id, None)?;
            task::spawn(async move{
                let mut buffers = (0..10)
                .map(|_| BytesMut::with_capacity(1024))
                .collect::<Vec<_>>();

            loop{
                let events = buf.read_events(&mut buffers).await.unwrap();
                for buf in buffers.iter_mut().take(events.read) {
                    let ptr = buf.as_ptr() as *const PacketLog;
                    let data = unsafe { ptr.read_unaligned() };
                    let proc_name = String::from_utf8(data.prog_name.to_vec()).unwrap();
                    let file_name = String::from_utf8_lossy(&data.fname.to_vec()).into_owned();
                    println!("LOG: proc_name:{}, filename:{},flag:{}", proc_name,file_name,data.flg);                 
                }
            }
            });
     }

//ebpf code

    fn try_probe_open(ctx: ProbeContext) -> Result<u32, u32> {
        let ptr_fname: *const u8 = ctx.arg(0).ok_or(1u32).map_err(|_| {info!(&ctx,"get arg 1 err");1 as u32})?;
        let  mut fname = [0u8; 100];
        unsafe{helpers::bpf_probe_read_kernel_str_bytes(ptr_fname,&mut fname).map_err(|e| {info!(&ctx,"read kernel buff err:{}",e); e as u32 })? };
        let flg: i32= ctx.arg(1).ok_or(1u32).map_err(|_| {info!(&ctx,"get arg 2 err");1 as u32})?;
  
        let prog_name = helpers::bpf_get_current_comm().map_err(|e| e as u32)?;

        let log_entry = PacketLog {
            fname,flg,prog_name,};
  
        unsafe {
            EVENTS.output(&ctx, &log_entry, 0);
        }

        Ok(0)
    }

//result
I get the result like this:
"LOG: proc_name:xxxx, filename:,flag:0"
"LOG: proc_name:xxxx, filename:�,flag:0"
get file name from ProbeContext with arg 0 is empty string
@nichoalsliu
Copy link
Author

How can i get current stack and user space symbol like bcc?

//bcc function
25. map.get_stackid()
Syntax: int map.get_stackid(void *ctx, u64 flags)

This walks the stack found via the struct pt_regs in ctx, saves it in the stack trace map, and returns a unique ID for the stack trace.

//bcc function
3. sym()
Syntax: BPF.sym(addr, pid, show_module=False, show_offset=False)

Translate a memory address into a function name for a pid, which is returned. A pid of less than zero will access the kernel symbol cache. The show_module and show_offset parameters control whether the module in which the symbol lies should be displayed, and whether the instruction offset from the beginning of the symbol should be displayed. These extra parameters default to False.

@tamird
Copy link
Member

tamird commented Jul 19, 2023

I'm having trouble understanding the issue. What are you trying to do?

WindySha pushed a commit to WindySha/aya that referenced this issue May 14, 2024
aya-ebpf: ProbeContext: rewrite the implement of FromPtRegs trait.
a1df0d2 
The original implementation of the  trait is unable to
correctly retrieve the arguments of a function, necessitating a rewrite.
This includes two interfaces:  and .

To access a function's argument, it is necessary to accurately
identify the register address where the argument is stored.
Subsequently, we can use the  function to read
the contents at this register address.
This allows us to correctly retrieve the argument of the function.

Fixes: aya-rs#587
@WindySha WindySha mentioned this issue May 14, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

aya-ebpf: ProbeContext: rewrite the implement of FromPtRegs trait. WindySha/aya
2 participants
@tamird @nichoalsliu