Bug 2232851 - kprobes fail to read syscall arguments correctly
Summary: kprobes fail to read syscall arguments correctly
Keywords:
Status: NEW
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: 38
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Kernel Maintainer List
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2023-08-19 14:21 UTC by Alexander
Modified: 2023-08-19 14:25 UTC (History)

Fixed In Version:
Doc Type: ---
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: ---
Embargoed:


Attachments (Terms of Use)
samples (861 bytes, application/zip)
2023-08-19 14:24 UTC, Alexander
system info (77.50 KB, application/zip)
2023-08-19 14:24 UTC, Alexander
trace tools output (3.27 KB, text/plain)
2023-08-19 14:25 UTC, Alexander

Description Alexander 2023-08-19 14:21:31 UTC
When I trace the execve syscall via kprobes and try to capture the filename and arguments, sometimes I receive garbage in the output. I also tried to do the same via eBPF (execsnoop from the bcc package), but it fails too.

Attached samples:
execle.c - executes "ls -l"
system.c - executes "ls -l"
kprobes.sh - enables kprobes and outputs trace pipe (captures execve's filename and first 3 arguments and their memory addresses)

Steps to reproduce:
1. Compile test samples using "gcc -c <sample>.c -o <sample>".
2. Mount tracefs for kprobes to /sys/kernel/debug/tracing.
3. Run "./kprobes.sh" to trace execve syscall via kprobes.
4. Run "./execle" and "./system"

Expected result:
tracing tools should capture execve 2 times for the execle sample:
1. filename: "./execle", arg1: "./execle"
2. filename: "/bin/ls", arg1: "ls", arg2: "-l"

tracing tools should capture execve 3 times for the system sample:
1. filename: "./system", arg1: "./system"
2. filename: "/bin/sh", arg1: "sh", arg2: "-c", arg3: "ls -l"
3. filename: "/bin/ls", arg1: "ls", arg2: "-l"

Actual results:
           bash-3764    [000] .....   404.642853: exec_args_bug: (__x64_sys_execve+0x4/0x40) filename_addr=0x55be3e04ecc0 filename="./execle" argv_addr=0x55be3e0512a0 arg1_addr=0x55be3e04ec80 arg1="./execle" arg2_addr=0x0 arg2=(fault) arg3_addr=0x636f6c2e2f746f6f arg3=(fault)
          execle-3764    [002] .....   404.668213: exec_args_bug: (__x64_sys_execve+0x4/0x40) filename_addr=0x402016 filename=(fault) argv_addr=0x7fffb97cd380 arg1_addr=0x402013 arg1=(fault) arg2_addr=0x402010 arg2=(fault) arg3_addr=0x0 arg3=(fault)
            bash-3765    [004] .....   407.385369: exec_args_bug: (__x64_sys_execve+0x4/0x40) filename_addr=0x55be3e04ec40 filename="./system" argv_addr=0x55be3e04ece0 arg1_addr=0x55be3df25350 arg1="./system" arg2_addr=0x0 arg2=(fault) arg3_addr=0x0 arg3=(fault)
          system-3766    [002] .....   407.440299: exec_args_bug: (__x64_sys_execve+0x4/0x40) filename_addr=0x7f6bbcc4ddef filename=(fault) argv_addr=0x7ffeed46a2f0 arg1_addr=0x7f6bbcc4ddf4 arg1=(fault) arg2_addr=0x7f6bbcc4ddec arg2=(fault) arg3_addr=0x402010 arg3=(fault)
              sh-3766    [002] .....   407.442171: exec_args_bug: (__x64_sys_execve+0x4/0x40) filename_addr=0x55f27842c6c0 filename="/usr/bin/ls" argv_addr=0x55f27842ab60 arg1_addr=0x55f27842c460 arg1="ls" arg2_addr=0x55f27842c400 arg2="-l" arg3_addr=0x0 arg3=(fault)

More tracing tools output is in the attached output.txt

The reported issue was reproduced on kernel 6.4.11-200.fc38.x86_64, but it is reproducible on older kernels as well.

Reproducible: Always
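
As an added example (not part of the report or its attachments), the following Python script parses trace_pipe lines in the format shown above and separates the expected "(fault)" on a NULL argv terminator from a fault on a non-NULL user pointer, and also flags argN reads that continue past the terminator (such as the arg3_addr=0x636f6c2e2f746f6f value in the first line, which is stale memory beyond argv). The sample lines are copied from the report; the probe name exec_args_bug and the field names are taken from it.

```python
import re

# Sample input: three trace_pipe lines copied from the bug report (constructed test data).
SAMPLE_TRACE = """\
           bash-3764    [000] .....   404.642853: exec_args_bug: (__x64_sys_execve+0x4/0x40) filename_addr=0x55be3e04ecc0 filename="./execle" argv_addr=0x55be3e0512a0 arg1_addr=0x55be3e04ec80 arg1="./execle" arg2_addr=0x0 arg2=(fault) arg3_addr=0x636f6c2e2f746f6f arg3=(fault)
          execle-3764    [002] .....   404.668213: exec_args_bug: (__x64_sys_execve+0x4/0x40) filename_addr=0x402016 filename=(fault) argv_addr=0x7fffb97cd380 arg1_addr=0x402013 arg1=(fault) arg2_addr=0x402010 arg2=(fault) arg3_addr=0x0 arg3=(fault)
              sh-3766    [002] .....   407.442171: exec_args_bug: (__x64_sys_execve+0x4/0x40) filename_addr=0x55f27842c6c0 filename="/usr/bin/ls" argv_addr=0x55f27842ab60 arg1_addr=0x55f27842c460 arg1="ls" arg2_addr=0x55f27842c400 arg2="-l" arg3_addr=0x0 arg3=(fault)
"""

# ftrace line layout: "<comm>-<pid> [<cpu>] <flags> <timestamp>: <probe>: (<site>) key=value ..."
LINE_RE = re.compile(
    r"^\s*(?P<comm>.+?)-(?P<pid>\d+)\s+\[(?P<cpu>\d+)\]\s+\S+\s+(?P<ts>[\d.]+):\s+"
    r"(?P<probe>\w+):\s+\((?P<site>[^)]+)\)\s+(?P<fields>.*)$"
)
# A value is a quoted ustring, the literal "(fault)", or a hex address.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\(fault\)|0x[0-9a-fA-F]+)')


def parse_line(line):
    """Return a dict with comm, pid, ts, site and the key=value fields, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"comm": m["comm"], "pid": int(m["pid"]), "ts": float(m["ts"]), "site": m["site"]}
    rec["fields"] = dict(FIELD_RE.findall(m["fields"]))
    return rec


def _judge(name, fields, result, past_end):
    addr = int(fields[name + "_addr"], 16)
    if past_end:
        result["past_argv_end"].append(name)      # pointer read from beyond argv's NULL: garbage
    elif fields[name] == "(fault)" and addr != 0:
        result["unexpected_fault"].append(name)   # non-NULL user pointer the probe could not read
    elif fields[name] != "(fault)":
        result["ok"].append(name)


def classify(rec):
    """Sort each string field of one record into ok / unexpected_fault / past_argv_end."""
    f = rec["fields"]
    result = {"ok": [], "unexpected_fault": [], "past_argv_end": []}
    _judge("filename", f, result, past_end=False)  # filename has no terminator semantics
    past_end = False
    for name in sorted((k for k in f if re.fullmatch(r"arg\d+", k)), key=lambda n: int(n[3:])):
        if int(f[name + "_addr"], 16) == 0:
            past_end = True  # NULL terminator: "(fault)" here is the expected end of argv
            continue
        _judge(name, f, result, past_end)
    return result


def triage(trace_text):
    """Parse and classify every recognised line; unrecognised lines are skipped."""
    out = []
    for line in trace_text.splitlines():
        rec = parse_line(line)
        if rec:
            rec.update(classify(rec))
            out.append(rec)
    return out
```

Run `triage(open("/sys/kernel/debug/tracing/trace_pipe").read())` on captured output to see, per exec, which fields faulted on a non-NULL pointer rather than on the argv terminator.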

Comment 1 Alexander 2023-08-19 14:24:14 UTC
Created attachment 1984058 [details]
samples

Comment 2 Alexander 2023-08-19 14:24:44 UTC
Created attachment 1984059 [details]
system info

Comment 3 Alexander 2023-08-19 14:25:18 UTC
Created attachment 1984060 [details]
trace tools output

