From 99a2acab7ca486aa46cfaedd5d6ba23d85674c76 Mon Sep 17 00:00:00 2001 From: Ofek Shaked Date: Tue, 28 Jan 2025 15:39:32 +0200 Subject: [PATCH] fix(epbf): fix handling of compat tasks in syscall checkers --- pkg/ebpf/c/tracee.bpf.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/pkg/ebpf/c/tracee.bpf.c b/pkg/ebpf/c/tracee.bpf.c index f71cb8dc3947..77407bf3285a 100644 --- a/pkg/ebpf/c/tracee.bpf.c +++ b/pkg/ebpf/c/tracee.bpf.c @@ -5320,6 +5320,13 @@ statfunc void check_suspicious_syscall_source(void *ctx, struct pt_regs *regs, u if (vma_is_file_backed(vma)) return; + // In 32-bit compat mode, syscalls may be invoked by calling into a VDSO provided + // syscall handler (the vsyscall mechanism). + // Even the 64-bit VDSO may invoke syscalls, as a fallback mechanism. + // In such cases, we don't know where was the code that called into the VDSO. + if (vma_is_vdso(vma)) + return; + // Build a key that identifies the combination of syscall, // source VMA and process so we don't submit it multiple times syscall_source_key_t key = {.syscall = syscall, @@ -5410,6 +5417,12 @@ int BPF_KPROBE(syscall_checker) // Get syscall ID u32 syscall = get_syscall_id_from_regs(regs); + if (is_compat((struct task_struct *) bpf_get_current_task())) { + u32 *id_64 = bpf_map_lookup_elem(&sys_32_to_64_map, &syscall); + if (id_64 == NULL) + return 0; + syscall = *id_64; + } if (bpf_map_lookup_elem(&suspicious_syscall_source_syscalls, &syscall) != NULL) check_suspicious_syscall_source(ctx, regs, syscall);