    generate indirect parameter assignment if arch uses syscall wrapper (#1816) · 2da34267
    yonghong-song authored
    Fix issue #1802.
    
    On x64, the following commit (in 4.17) changed the raw parameter passed to
    the syscall entry function from a list of parameters supplied in user space
    to a single `pt_regs *` parameter. Also in 4.17, the x64 syscall entry function
    is changed from `sys_<name>` to `__x64_sys_<name>`.
    
    ```
    commit fa697140f9a20119a9ec8fd7460cc4314fbdaff3
    Author: Dominik Brodowski <linux@dominikbrodowski.net>
    Date:   Thu Apr 5 11:53:02 2018 +0200
    
        syscalls/x86: Use 'struct pt_regs' based syscall calling convention for 64-bit syscalls
    
        Let's make use of ARCH_HAS_SYSCALL_WRAPPER=y on pure 64-bit x86-64 systems:
    
        Each syscall defines a stub which takes struct pt_regs as its only
        argument. It decodes just those parameters it needs, e.g:
    
                asmlinkage long sys_xyzzy(const struct pt_regs *regs)
                {
                        return SyS_xyzzy(regs->di, regs->si, regs->dx);
                }
    
        This approach avoids leaking random user-provided register content down
        the call chain.
    
        ...
    ```
    
    In bcc, we support kprobe function signatures in the bpf program.
    The rewriter will automatically generate proper assignment to
    these parameters. With the above function signature change, the
    original method does not work any more.
    
    This patch enhances the rewriter to generate two versions of the code, guarded
    by CONFIG_ARCH_HAS_SYSCALL_WRAPPER. But we need to identify
    whether a function will be attached to a syscall entry function
    or not during program load time, at which time the program has not
    been attached to any event.
    
    The prefix `kprobe__` is used for kprobe autoload, so we can use
    `kprobe____x64_sys_` as the prefix to identify x64 syscall entry
    functions. To support other architectures or non-autoloading programs,
    the prefix `syscall__` is introduced to signal that it is a syscall
    entry function.
    
    trace.py and other tools which use kprobe syscall entry functions
    are also modified with the new interface so that they can
    work properly with 4.17.
    Signed-off-by: Yonghong Song <yhs@fb.com>
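The two mechanisms the commit message describes, prefix-based detection of syscall entry handlers and the two-branch parameter preamble guarded by CONFIG_ARCH_HAS_SYSCALL_WRAPPER, can be modelled in a few lines. The following is an added example written for this page, not bcc's own rewriter (which is a clang frontend action in C++) and not code from the commit: it is a simplified Python sketch that takes a BPF C function signature and emits the assignments a rewriter would prepend to the body. The `PT_REGS_PARMx` macros and `bpf_probe_read` are real names from bcc's BPF headers; the exact text bcc generates, the `__ctx` temporary, the `x64_syscall_fnname` helper and the `4.17` version cut-off logic are assumptions made for illustration.

```python
"""Simplified model of rewriting kprobe-style signatures for syscall entry
functions (added example; not bcc's own implementation)."""
import re

# Function-name prefixes that mark a BPF C function as a syscall entry
# handler, so the rewriter must emit the pt_regs-wrapper variant as well.
SYSCALL_PREFIXES = ("syscall__", "kprobe____x64_sys_")

_DECL_RE = re.compile(r"^(.*?)(\w+)$")


def is_syscall_entry(fn_name):
    """True if fn_name carries one of the syscall-entry prefixes."""
    return fn_name.startswith(SYSCALL_PREFIXES)


def split_decl(decl):
    """'const char *const *argv' -> ('const char *const *', 'argv')."""
    m = _DECL_RE.match(decl.strip())
    if not m:
        raise ValueError("cannot parse declaration: %r" % decl)
    return m.group(1).strip(), m.group(2)


def parse_signature(sig):
    """Split 'int f(struct pt_regs *ctx, int fd)' into (name, [param decls])."""
    head, sep, rest = sig.partition("(")
    if not sep or ")" not in rest:
        raise ValueError("not a function signature: %r" % sig)
    _ret, name = split_decl(head)
    params = [p.strip() for p in rest.rsplit(")", 1)[0].split(",") if p.strip()]
    if not params:
        raise ValueError("first parameter must be the pt_regs context")
    return name, params


def _direct_assignments(user_params, ctx):
    # Pre-4.17 convention: user arguments arrive directly in the probed regs.
    return ["  %s %s = (%s)PT_REGS_PARM%d(%s);" % (t, n, t, i, ctx)
            for i, (t, n) in enumerate(map(split_decl, user_params), 1)]


def _indirect_assignments(user_params, ctx):
    # Wrapper convention: the only real argument is a kernel pointer to the
    # saved user pt_regs, so each value has to be probe-read out of it
    # (__ctx is an assumed temporary name, not bcc's).
    lines = ["  struct pt_regs *__ctx = (struct pt_regs *)PT_REGS_PARM1(%s);" % ctx]
    for i, (t, n) in enumerate(map(split_decl, user_params), 1):
        lines.append("  %s %s;" % (t, n))
        lines.append("  bpf_probe_read(&%s, sizeof(%s), &PT_REGS_PARM%d(__ctx));"
                     % (n, n, i))
    return lines


def generate_preamble(sig):
    """Return the C lines a rewriter would prepend to the function body.

    Syscall entry handlers get both variants under a CONFIG guard, so the
    same source compiles correctly on kernels with and without the wrapper.
    """
    name, params = parse_signature(sig)
    _ctx_type, ctx = split_decl(params[0])
    user_params = params[1:]
    if not is_syscall_entry(name):
        return "\n".join(_direct_assignments(user_params, ctx))
    lines = ["#ifdef CONFIG_ARCH_HAS_SYSCALL_WRAPPER"]
    lines += _indirect_assignments(user_params, ctx)
    lines.append("#else")
    lines += _direct_assignments(user_params, ctx)
    lines.append("#endif")
    return "\n".join(lines)


def x64_syscall_fnname(syscall, kernel_version):
    """Kernel symbol a tool should attach to on x64 (assumed helper):
    '__x64_sys_<name>' from 4.17 on, 'sys_<name>' before."""
    major, minor = (int(x) for x in kernel_version.split(".")[:2])
    if (major, minor) >= (4, 17):
        return "__x64_sys_" + syscall
    return "sys_" + syscall


if __name__ == "__main__":
    # Constructed sample signature in the style of bcc's execsnoop.
    sig = ("int syscall__execve(struct pt_regs *ctx, const char *filename, "
           "const char *const *argv)")
    print(generate_preamble(sig))
    print(x64_syscall_fnname("execve", "4.17.3"))
</test>
The `#ifdef` guard is what lets one BPF C source serve both conventions: the same `syscall__execve(ctx, filename, argv)` declaration compiles to direct register reads on an older kernel and to probe reads through the inner `pt_regs` pointer on a wrapper-enabled kernel. A tool that still attaches to `sys_execve` on a 4.17+ x64 kernel silently gets no events because that symbol no longer exists, which is the failure the `__x64_sys_` rename causes.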