fix(scap_engine_bpf): enable _64BIT_ARGS_SINGLE_REGISTER on ARM64 #418

Merged
merged 1 commit into from
Jun 24, 2022


Andreagit97
Member

Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>

What type of PR is this?

/kind bug

Any specific area of the project related to this PR?

/area driver-bpf

/area libscap-engine-bpf

What this PR does / why we need it:

If we are on a 64-bit architecture, we need to enable the _64BIT_ARGS_SINGLE_REGISTER macro, and this is done correctly in our drivers. The problem is that when we compile scap we enable this define only on x86:

#ifdef __x86_64__
      #define _64BIT_ARGS_SINGLE_REGISTER
#endif /* __x86_64__ */

So on ARM64, when we fill the filler table in the libscap bpf engine we use the wrong fillers for some syscalls:

#ifdef _64BIT_ARGS_SINGLE_REGISTER
	[PPME_SYSCALL_PREAD_E] = {FILLER_REF(sys_autofill), 3, APT_REG, {{0}, {2}, {3} } },
#else
	[PPME_SYSCALL_PREAD_E] = {FILLER_REF(sys_pread64_e)},
#endif
#ifdef _64BIT_ARGS_SINGLE_REGISTER
	[PPME_SYSCALL_PWRITE_E] = {FILLER_REF(sys_autofill), 3, APT_REG, {{0}, {2}, {3} } },
#else
	[PPME_SYSCALL_PWRITE_E] = {FILLER_REF(sys_pwrite64_e)},
#endif

For the PPME_SYSCALL_PREAD_E event we use the sys_pread64_e filler instead of sys_autofill, and this causes an event drop since we define sys_pread64_e in this way:

FILLER(sys_pread64_e, true)
{
#ifndef _64BIT_ARGS_SINGLE_REGISTER
    #error Implement this
#endif
	return PPM_FAILURE_BUG;
}

Causing a scap-open output similar to this:

---------------------- STATS -----------------------
events captured: 28545
seen by driver: 28741
Number of dropped events: 42
Number of dropped events caused by full buffer: 0
Number of dropped events caused by full scratch map: 0
Number of dropped events caused by invalid memory access: 0
Number of dropped events caused by an invalid condition in the kernel instrumentation: 42
Number of preemptions: 0
Number of events skipped due to the tid being in a set of suppressed tids: 0
Number of threads currently being suppressed: 0
-----------------------------------------------------

Which issue(s) this PR fixes:

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

NONE

Signed-off-by: Andrea Terzolo <andrea.terzolo@polito.it>
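
A simplified, self-contained model of the failure described in this PR, added here as an example and not code from falcosecurity/libs: the result codes, the `OTHER_EVENT_E` event, the table layout and both helper functions are assumptions made for illustration. It replays a constructed event stream through the filler table as selected with and without `_64BIT_ARGS_SINGLE_REGISTER`, counts the events lost to `PPM_FAILURE_BUG`, and audits a table for slots that still point at a stub filler.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model. Result codes, OTHER_EVENT_E and the table layout are
 * constructed for illustration; the other names come from the PR text. */
enum { PPM_SUCCESS = 0, PPM_FAILURE_BUG = 1 };
enum event { PPME_SYSCALL_PREAD_E, PPME_SYSCALL_PWRITE_E, OTHER_EVENT_E, EVENT_MAX };
typedef int (*filler_fn)(void);

static int sys_autofill(void)   { return PPM_SUCCESS; }
/* Stub fillers: they only report a bug, as in the PR text. */
static int sys_pread64_e(void)  { return PPM_FAILURE_BUG; }
static int sys_pwrite64_e(void) { return PPM_FAILURE_BUG; }

/* Entries selected when _64BIT_ARGS_SINGLE_REGISTER is defined. */
static const filler_fn table_single_reg[EVENT_MAX] = {
    [PPME_SYSCALL_PREAD_E]  = sys_autofill,
    [PPME_SYSCALL_PWRITE_E] = sys_autofill,
    [OTHER_EVENT_E]         = sys_autofill,
};
/* Entries selected when the macro is missing (the ARM64 case in the PR). */
static const filler_fn table_split_reg[EVENT_MAX] = {
    [PPME_SYSCALL_PREAD_E]  = sys_pread64_e,
    [PPME_SYSCALL_PWRITE_E] = sys_pwrite64_e,
    [OTHER_EVENT_E]         = sys_autofill,
};
/* Constructed sample stream: 2 pread, 1 pwrite, 2 other events. */
static const enum event sample[] = { PPME_SYSCALL_PREAD_E, OTHER_EVENT_E,
    PPME_SYSCALL_PWRITE_E, PPME_SYSCALL_PREAD_E, OTHER_EVENT_E };

/* Replay events through a table; count those lost to PPM_FAILURE_BUG. */
size_t count_bug_drops(const filler_fn *table, const enum event *evts, size_t n) {
    size_t drops = 0;
    for (size_t i = 0; i < n; i++)
        if (table[evts[i]]() == PPM_FAILURE_BUG)
            drops++;
    return drops;
}

/* Audit a table: how many slots point at a stub filler? */
size_t count_stub_slots(const filler_fn *table) {
    size_t stubs = 0;
    for (size_t e = 0; e < EVENT_MAX; e++)
        if (table[e] == sys_pread64_e || table[e] == sys_pwrite64_e)
            stubs++;
    return stubs;
}

int main(void) {
    printf("macro missing: %zu drops, %zu stub slots\n",
           count_bug_drops(table_split_reg, sample, 5), count_stub_slots(table_split_reg));
    return 0;
}
```

An audit like `count_stub_slots` run as a unit test on every target architecture turns this class of silent visibility loss into a build-time failure.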
Contributor

@FedeDP FedeDP left a comment


/approve

@poiana
Contributor

poiana commented Jun 22, 2022

LGTM label has been added.

Git tree hash: d497cd9e29995e9c47f52cb258879a9008c2005e

@poiana
Contributor

poiana commented Jun 22, 2022

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Andreagit97, FedeDP

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

Contributor

@jasondellaluce jasondellaluce left a comment


Good catch!

Member

@leogr leogr left a comment


LGTM

@poiana poiana merged commit 517cfc7 into falcosecurity:master Jun 24, 2022
leogr pushed a commit to leogr/libs that referenced this pull request Jan 5, 2023
…falcosecurity#93)

- Falcosecurity/libs falcosecurity#416: Support execve exit and clone child exit events on ARM64
- Falcosecurity/libs falcosecurity#418: Enable 64BIT_ARGS_SINGLE_REGISTER on ARM64
- Also, disable userspace workarounds ARM, which attempted to compensate
  for the missing execve/clone exit events