Bug 2232851 - kprobes fail to read syscall arguments correctly
Status: CLOSED EOL
Product: Fedora
Classification: Fedora
Component: kernel
Version: 38
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Kernel Maintainer List
QA Contact: Fedora Extras Quality Assurance

Reported: 2023-08-19 14:21 UTC by Alexander
Modified: 2024-05-28 13:51 UTC
Last Closed: 2024-05-28 13:51:07 UTC


Attachments
- samples (861 bytes, application/zip), 2023-08-19 14:24 UTC, Alexander
- system info (77.50 KB, application/zip), 2023-08-19 14:24 UTC, Alexander
- trace tools output (3.27 KB, text/plain), 2023-08-19 14:25 UTC, Alexander

Description Alexander 2023-08-19 14:21:31 UTC
When I trace the execve syscall via kprobes and try to capture the filename and arguments, sometimes I receive garbage in the output. I also tried to do the same via eBPF (execsnoop from the bcc package), but it fails too.

Attached samples:
execle.c - executes "ls -l"
system.c - executes "ls -l"
kprobes.sh - enables kprobes and outputs trace pipe (captures execve's filename and first 3 arguments and their memory addresses)

Steps to reproduce:
1. Compile test samples using "gcc -c <sample>.c -o <sample>".
2. Mount tracefs for kprobes to /sys/kernel/debug/tracing.
3. Run "./kprobes.sh" to trace execve syscall via kprobes.
4. Run "./execle" and "./system".

Expected result:
Tracing tools should capture execve 2 times for the execle sample:
1. filename: "./execle", arg1: "./execle"
2. filename: "/bin/ls", arg1: "ls", arg2: "-l"

Tracing tools should capture execve 3 times for the system sample:
1. filename: "./system", arg1: "./system"
2. filename: "/bin/sh", arg1: "sh", arg2: "-c", arg3: "ls -l"
3. filename: "/bin/ls", arg1: "ls", arg2: "-l"

Actual results:
           bash-3764    [000] .....   404.642853: exec_args_bug: (__x64_sys_execve+0x4/0x40) filename_addr=0x55be3e04ecc0 filename="./execle" argv_addr=0x55be3e0512a0 arg1_addr=0x55be3e04ec80 arg1="./execle" arg2_addr=0x0 arg2=(fault) arg3_addr=0x636f6c2e2f746f6f arg3=(fault)
          execle-3764    [002] .....   404.668213: exec_args_bug: (__x64_sys_execve+0x4/0x40) filename_addr=0x402016 filename=(fault) argv_addr=0x7fffb97cd380 arg1_addr=0x402013 arg1=(fault) arg2_addr=0x402010 arg2=(fault) arg3_addr=0x0 arg3=(fault)
            bash-3765    [004] .....   407.385369: exec_args_bug: (__x64_sys_execve+0x4/0x40) filename_addr=0x55be3e04ec40 filename="./system" argv_addr=0x55be3e04ece0 arg1_addr=0x55be3df25350 arg1="./system" arg2_addr=0x0 arg2=(fault) arg3_addr=0x0 arg3=(fault)
          system-3766    [002] .....   407.440299: exec_args_bug: (__x64_sys_execve+0x4/0x40) filename_addr=0x7f6bbcc4ddef filename=(fault) argv_addr=0x7ffeed46a2f0 arg1_addr=0x7f6bbcc4ddf4 arg1=(fault) arg2_addr=0x7f6bbcc4ddec arg2=(fault) arg3_addr=0x402010 arg3=(fault)
              sh-3766    [002] .....   407.442171: exec_args_bug: (__x64_sys_execve+0x4/0x40) filename_addr=0x55f27842c6c0 filename="/usr/bin/ls" argv_addr=0x55f27842ab60 arg1_addr=0x55f27842c460 arg1="ls" arg2_addr=0x55f27842c400 arg2="-l" arg3_addr=0x0 arg3=(fault)

More tracing-tool output is in the attached output.txt.

The reported issue was reproduced on kernel 6.4.11-200.fc38.x86_64, but it is reproducible on older kernels as well.

Reproducible: Always
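
An added diagnostic helper for the trace lines above (not the reporter's kprobes.sh or any attachment): it classifies each string fetch in an exec_args_bug line as a successful read, the NULL argv terminator (where (fault) is expected), a fetch that walked past that terminator, or a non-NULL user pointer the probe could not read. That last case is the symptom reported here; kprobe string fetches copy user memory without taking page faults, so a page that is mapped but not yet resident is reported as (fault). The sample lines are copied from the report's "Actual results".

```shell
#!/bin/sh
# Diagnostic for exec_args_bug trace lines (added example, not from the report).

# Constructed samples taken from the "Actual results" above (leading spaces trimmed).
OK_LINE='bash-3764 [000] ..... 404.642853: exec_args_bug: (__x64_sys_execve+0x4/0x40) filename_addr=0x55be3e04ecc0 filename="./execle" argv_addr=0x55be3e0512a0 arg1_addr=0x55be3e04ec80 arg1="./execle" arg2_addr=0x0 arg2=(fault) arg3_addr=0x636f6c2e2f746f6f arg3=(fault)'
BAD_LINE='execle-3764 [002] ..... 404.668213: exec_args_bug: (__x64_sys_execve+0x4/0x40) filename_addr=0x402016 filename=(fault) argv_addr=0x7fffb97cd380 arg1_addr=0x402013 arg1=(fault) arg2_addr=0x402010 arg2=(fault) arg3_addr=0x0 arg3=(fault)'

# field_addr LINE NAME -> the NAME_addr value, or empty if the field is absent
field_addr() {
    printf '%s\n' "$1" | sed -n "s/.* $2_addr=\([^ ]*\).*/\1/p"
}

# classify_field LINE NAME -> ok | null-ptr | unreadable | missing
# (fault) with a NULL pointer is normal; (fault) with a non-NULL pointer means
# the probe could not copy the user string at the time it fired.
classify_field() {
    addr=$(field_addr "$1" "$2")
    [ -n "$addr" ] || { echo missing; return; }
    case "$1" in
        *" $2=(fault)"*) [ "$addr" = 0x0 ] && echo null-ptr || echo unreadable ;;
        *)               echo ok ;;
    esac
}

# classify_line LINE -> one "name=verdict" per field; argv entries fetched
# after the NULL terminator are reported as past-argv-end, since whatever
# pointer was read there lies beyond the argv array.
classify_line() {
    ended=0
    for name in filename arg1 arg2 arg3; do
        v=$(classify_field "$1" "$name")
        case "$name" in arg*)
            if [ "$ended" = 1 ] && [ "$v" != ok ]; then v=past-argv-end; fi
            [ "$v" = null-ptr ] && ended=1 ;;
        esac
        echo "$name=$v"
    done
}

# count_unreadable LINE -> number of non-NULL pointers the probe failed to read
count_unreadable() {
    classify_line "$1" | grep -c '=unreadable$' || true
}

classify_line "$BAD_LINE"
echo "unreadable fields: $(count_unreadable "$BAD_LINE")"
```

Run it over the attached output.txt with a `while read` loop to see which exec events lost their strings; lines with an unreadable count above zero are the ones where the probe fired before the user pages were resident.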

Comment 1 Alexander 2023-08-19 14:24:14 UTC
Created attachment 1984058
samples

Comment 2 Alexander 2023-08-19 14:24:44 UTC
Created attachment 1984059
system info

Comment 3 Alexander 2023-08-19 14:25:18 UTC
Created attachment 1984060
trace tools output

Comment 4 Aoife Moloney 2024-05-28 13:51:07 UTC
Fedora Linux 38 entered end-of-life (EOL) status on 2024-05-21.

Fedora Linux 38 is no longer maintained, which means that it
will not receive any further security or bug fix updates. As a result, we
are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora Linux,
please feel free to reopen this bug against that version. Note that the version
field may be hidden. Click the "Show advanced fields" button if you do not see
the version field.

If you are unable to reopen this bug, please file a new report against an
active release.

Thank you for reporting this bug and we are sorry it could not be fixed.