debug
NDStrahilevitz committed Oct 22, 2024
1 parent 114f9a8 commit d48f44c
Showing 6 changed files with 110 additions and 38 deletions.
71 changes: 68 additions & 3 deletions pkg/bufferdecoder/decoder.go
Expand Up @@ -9,6 +9,8 @@ package bufferdecoder
import (
"encoding/binary"
"errors"
"fmt"
"runtime"

"github.com/aquasecurity/tracee/pkg/errfmt"
"github.com/aquasecurity/tracee/pkg/events"
Expand Down Expand Up @@ -46,6 +48,9 @@ func (decoder *EbpfDecoder) BytesRead() int {

// MoveCursor moves the buffer cursor over n bytes. Returns the new cursor position.
func (decoder *EbpfDecoder) MoveCursor(n int) int {

pc, _, _, _ := runtime.Caller(0)
fmt.Println("increased cursor in line", runtime.FuncForPC(pc).Name())
decoder.cursor += n
return decoder.cursor
}
Expand Down Expand Up @@ -88,6 +93,8 @@ func (decoder *EbpfDecoder) DecodeContext(eCtx *EventContext) error {
eCtx.MatchedPolicies = binary.LittleEndian.Uint64(decoder.buffer[offset+136 : offset+144])
// event_context end

pc, _, _, _ := runtime.Caller(0)
fmt.Println("increased cursor in line", runtime.FuncForPC(pc).Name())
decoder.cursor += eCtx.GetSizeBytes()
return nil
}
Expand All @@ -113,7 +120,7 @@ func (decoder *EbpfDecoder) DecodeArguments(args []trace.Argument, argnum int, e
args[idx] = arg
}

// Fill missing arguments metadata
// Fill missing arguments
for i := 0; i < len(evtParams); i++ {
if args[i].Value == nil {
args[i].ArgMeta = evtParams[i]
Expand All @@ -131,6 +138,9 @@ func (decoder *EbpfDecoder) DecodeUint8(msg *uint8) error {
return ErrBufferTooShort
}
*msg = decoder.buffer[decoder.cursor]

pc, _, _, _ := runtime.Caller(0)
fmt.Println("increased cursor in line", runtime.FuncForPC(pc).Name())
decoder.cursor += readAmount
return nil
}
Expand All @@ -143,6 +153,9 @@ func (decoder *EbpfDecoder) DecodeInt8(msg *int8) error {
return ErrBufferTooShort
}
*msg = int8(decoder.buffer[offset])

pc, _, _, _ := runtime.Caller(0)
fmt.Println("increased cursor in line", runtime.FuncForPC(pc).Name())
decoder.cursor += readAmount
return nil
}
Expand All @@ -155,6 +168,9 @@ func (decoder *EbpfDecoder) DecodeUint16(msg *uint16) error {
return ErrBufferTooShort
}
*msg = binary.LittleEndian.Uint16(decoder.buffer[offset : offset+readAmount])

pc, _, _, _ := runtime.Caller(0)
fmt.Println("increased cursor in line", runtime.FuncForPC(pc).Name())
decoder.cursor += readAmount
return nil
}
Expand All @@ -167,6 +183,9 @@ func (decoder *EbpfDecoder) DecodeUint16BigEndian(msg *uint16) error {
return ErrBufferTooShort
}
*msg = binary.BigEndian.Uint16(decoder.buffer[offset : offset+readAmount])

pc, _, _, _ := runtime.Caller(0)
fmt.Println("increased cursor in line", runtime.FuncForPC(pc).Name())
decoder.cursor += readAmount
return nil
}
Expand All @@ -179,6 +198,9 @@ func (decoder *EbpfDecoder) DecodeInt16(msg *int16) error {
return ErrBufferTooShort
}
*msg = int16(binary.LittleEndian.Uint16(decoder.buffer[offset : offset+readAmount]))

pc, _, _, _ := runtime.Caller(0)
fmt.Println("increased cursor in line", runtime.FuncForPC(pc).Name())
decoder.cursor += readAmount
return nil
}
Expand All @@ -191,6 +213,9 @@ func (decoder *EbpfDecoder) DecodeUint32(msg *uint32) error {
return ErrBufferTooShort
}
*msg = binary.LittleEndian.Uint32(decoder.buffer[offset : offset+readAmount])

pc, _, _, _ := runtime.Caller(0)
fmt.Println("increased cursor in line", runtime.FuncForPC(pc).Name())
decoder.cursor += readAmount
return nil
}
Expand All @@ -203,6 +228,9 @@ func (decoder *EbpfDecoder) DecodeUint32BigEndian(msg *uint32) error {
return ErrBufferTooShort
}
*msg = binary.BigEndian.Uint32(decoder.buffer[offset : offset+readAmount])

pc, _, _, _ := runtime.Caller(0)
fmt.Println("increased cursor in line", runtime.FuncForPC(pc).Name())
decoder.cursor += readAmount
return nil
}
Expand All @@ -215,6 +243,9 @@ func (decoder *EbpfDecoder) DecodeInt32(msg *int32) error {
return ErrBufferTooShort
}
*msg = int32(binary.LittleEndian.Uint32(decoder.buffer[offset : offset+readAmount]))

pc, _, _, _ := runtime.Caller(0)
fmt.Println("increased cursor in line", runtime.FuncForPC(pc).Name())
decoder.cursor += readAmount
return nil
}
Expand All @@ -227,6 +258,9 @@ func (decoder *EbpfDecoder) DecodeUint64(msg *uint64) error {
return ErrBufferTooShort
}
*msg = binary.LittleEndian.Uint64(decoder.buffer[offset : offset+readAmount])

pc, _, _, _ := runtime.Caller(0)
fmt.Println("increased cursor in line", runtime.FuncForPC(pc).Name())
decoder.cursor += readAmount
return nil
}
Expand All @@ -239,6 +273,9 @@ func (decoder *EbpfDecoder) DecodeInt64(msg *int64) error {
return ErrBufferTooShort
}
*msg = int64(binary.LittleEndian.Uint64(decoder.buffer[decoder.cursor : decoder.cursor+readAmount]))

pc, _, _, _ := runtime.Caller(0)
fmt.Println("increased cursor in line", runtime.FuncForPC(pc).Name())
decoder.cursor += readAmount
return nil
}
Expand All @@ -250,6 +287,8 @@ func (decoder *EbpfDecoder) DecodeBool(msg *bool) error {
return ErrBufferTooShort
}
*msg = (decoder.buffer[offset] != 0)
pc, _, _, _ := runtime.Caller(0)
fmt.Println("increased cursor in line", runtime.FuncForPC(pc).Name())
decoder.cursor++
return nil
}
Expand All @@ -262,6 +301,9 @@ func (decoder *EbpfDecoder) DecodeBytes(msg []byte, size int) error {
return ErrBufferTooShort
}
_ = copy(msg[:], decoder.buffer[offset:offset+size])

pc, _, _, _ := runtime.Caller(0)
fmt.Println("increased cursor in line", runtime.FuncForPC(pc).Name())
decoder.cursor += size
return nil
}
Expand All @@ -278,14 +320,20 @@ func (decoder *EbpfDecoder) ReadBytesLen(len int) ([]byte, error) {
return res, nil
}

// DecodeIntArray translate from the decoder buffer, starting from the decoder cursor, to msg, size * 4 bytes (in order to get int32).
func (decoder *EbpfDecoder) DecodeIntArray(msg []int32, size int) error {
// DecodeInt32Array translate from the decoder buffer, starting from the decoder cursor, to msg, size * 4 bytes (in order to get int32).
func (decoder *EbpfDecoder) DecodeInt32Array(msg []int32, size int) error {
offset := decoder.cursor
if len(decoder.buffer[offset:]) < size*4 {
fmt.Println("buffer size from offset:", decoder.cursor)
fmt.Printf("buffer from offset: %08b\n", decoder.buffer[offset:])
return ErrBufferTooShort
}
for i := 0; i < size; i++ {
fmt.Println("ayy lmao", i)
msg[i] = int32(binary.LittleEndian.Uint32(decoder.buffer[decoder.cursor : decoder.cursor+4]))

pc, _, _, _ := runtime.Caller(0)
fmt.Println("increased cursor in line", runtime.FuncForPC(pc).Name())
decoder.cursor += 4
}
return nil
Expand Down Expand Up @@ -330,6 +378,9 @@ func (decoder *EbpfDecoder) DecodeSlimCred(slimCred *SlimCred) error {
slimCred.CapEffective = binary.LittleEndian.Uint64(decoder.buffer[offset+56 : offset+64])
slimCred.CapBounding = binary.LittleEndian.Uint64(decoder.buffer[offset+64 : offset+72])
slimCred.CapAmbient = binary.LittleEndian.Uint64(decoder.buffer[offset+72 : offset+80])

pc, _, _, _ := runtime.Caller(0)
fmt.Println("increased cursor in line", runtime.FuncForPC(pc).Name())
decoder.cursor += int(slimCred.GetSizeBytes())
return nil
}
Expand All @@ -345,6 +396,9 @@ func (decoder *EbpfDecoder) DecodeChunkMeta(chunkMeta *ChunkMeta) error {
_ = copy(chunkMeta.Metadata[:], decoder.buffer[offset+9:offset+37])
chunkMeta.Size = int32(binary.LittleEndian.Uint32(decoder.buffer[offset+37 : offset+41]))
chunkMeta.Off = binary.LittleEndian.Uint64(decoder.buffer[offset+41 : offset+49])

pc, _, _, _ := runtime.Caller(0)
fmt.Println("increased cursor in line", runtime.FuncForPC(pc).Name())
decoder.cursor += int(chunkMeta.GetSizeBytes())
return nil
}
Expand All @@ -359,6 +413,9 @@ func (decoder *EbpfDecoder) DecodeVfsFileMeta(vfsFileMeta *VfsFileMeta) error {
vfsFileMeta.Inode = binary.LittleEndian.Uint64(decoder.buffer[offset+4 : offset+12])
vfsFileMeta.Mode = binary.LittleEndian.Uint32(decoder.buffer[offset+12 : offset+16])
vfsFileMeta.Pid = binary.LittleEndian.Uint32(decoder.buffer[offset+16 : offset+20])

pc, _, _, _ := runtime.Caller(0)
fmt.Println("increased cursor in line", runtime.FuncForPC(pc).Name())
decoder.cursor += int(vfsFileMeta.GetSizeBytes())
return nil
}
Expand All @@ -373,6 +430,9 @@ func (decoder *EbpfDecoder) DecodeKernelModuleMeta(kernelModuleMeta *KernelModul
kernelModuleMeta.Inode = binary.LittleEndian.Uint64(decoder.buffer[offset+4 : offset+12])
kernelModuleMeta.Pid = binary.LittleEndian.Uint32(decoder.buffer[offset+12 : offset+16])
kernelModuleMeta.Size = binary.LittleEndian.Uint32(decoder.buffer[offset+16 : offset+20])

pc, _, _, _ := runtime.Caller(0)
fmt.Println("increased cursor in line", runtime.FuncForPC(pc).Name())
decoder.cursor += int(kernelModuleMeta.GetSizeBytes())
return nil
}
Expand All @@ -387,6 +447,9 @@ func (decoder *EbpfDecoder) DecodeBpfObjectMeta(bpfObjectMeta *BpfObjectMeta) er
bpfObjectMeta.Rand = binary.LittleEndian.Uint32(decoder.buffer[offset+16 : offset+20])
bpfObjectMeta.Pid = binary.LittleEndian.Uint32(decoder.buffer[offset+20 : offset+24])
bpfObjectMeta.Size = binary.LittleEndian.Uint32(decoder.buffer[offset+24 : offset+28])

pc, _, _, _ := runtime.Caller(0)
fmt.Println("increased cursor in line", runtime.FuncForPC(pc).Name())
decoder.cursor += int(bpfObjectMeta.GetSizeBytes())
return nil
}
Expand All @@ -400,6 +463,8 @@ func (decoder *EbpfDecoder) DecodeMprotectWriteMeta(mprotectWriteMeta *MprotectW
mprotectWriteMeta.Ts = binary.LittleEndian.Uint64(decoder.buffer[offset : offset+8])
mprotectWriteMeta.Pid = binary.LittleEndian.Uint32(decoder.buffer[offset+8 : offset+12])

pc, _, _, _ := runtime.Caller(0)
fmt.Println("increased cursor in line", runtime.FuncForPC(pc).Name())
decoder.cursor += int(mprotectWriteMeta.GetSizeBytes())
return nil
}
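Review bot: `runtime.Caller(0)` in `MoveCursor` and in each `Decode*` method returns the frame of the function that contains the call, so every one of these prints names the decoder method itself rather than the code that advanced the cursor, and the message says "line" while printing a function name. If the goal is to see who moves the cursor, the call that reports the caller is `pc, _, _, _ := runtime.Caller(1)`. These prints sit on the per-field decode path and write to stdout unconditionally, so they should be removed or put behind the project's debug-level logging before this reaches a mainline build; the leftover `fmt.Println("ayy lmao", i)` in `DecodeInt32Array` is in the same category. The same pattern repeats in every hunk of this file, and most of the enclosing functions start outside their hunks.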
2 changes: 1 addition & 1 deletion pkg/bufferdecoder/decoder_test.go
Expand Up @@ -354,7 +354,7 @@ func TestDecodeIntArray(t *testing.T) {
raw = append(raw, 1, 2, 3, 4, 5, 6, 7, 8)
decoder := New(raw)
var obtained [2]int32
err := decoder.DecodeIntArray(obtained[:], 2)
err := decoder.DecodeInt32Array(obtained[:], 2)
assert.Equal(t, nil, err)
rawcp := append(raw, 1, 2, 3, 4, 5, 6, 7, 8)
dataBuff := bytes.NewBuffer(rawcp)
9 changes: 8 additions & 1 deletion pkg/bufferdecoder/eventsreader.go
Expand Up @@ -2,6 +2,7 @@ package bufferdecoder

import (
"encoding/binary"
"fmt"
"net"
"strconv"
"strings"
Expand All @@ -26,15 +27,20 @@ func readArgFromBuff(id events.ID, ebpfMsgDecoder *EbpfDecoder, params []trace.A
var argIdx uint8
var arg trace.Argument

fmt.Printf("buffer from offset: %08b\n", ebpfMsgDecoder.buffer[ebpfMsgDecoder.cursor:])

err = ebpfMsgDecoder.DecodeUint8(&argIdx)
if err != nil {
return 0, arg, errfmt.Errorf("error reading arg index: %v", err)
}
if int(argIdx) >= len(params) {
return 0, arg, errfmt.Errorf("invalid arg index %d", argIdx)
}
fmt.Println("bytes read 3", ebpfMsgDecoder.BytesRead())

arg.ArgMeta = params[argIdx]
argType := GetDecodeType(arg.Type)
fmt.Println("read arg from buff: ", argIdx, argType)

switch argType {
case trace.U8_T:
Expand Down Expand Up @@ -130,7 +136,7 @@ func readArgFromBuff(id events.ID, ebpfMsgDecoder *EbpfDecoder, params []trace.A
res, err = ebpfMsgDecoder.ReadBytesLen(int(size))
case trace.INT_ARR_2_T:
var intArray [2]int32
err = ebpfMsgDecoder.DecodeIntArray(intArray[:], 2)
err = ebpfMsgDecoder.DecodeInt32Array(intArray[:], 2)
if err != nil {
return uint(argIdx), arg, errfmt.Errorf("error reading int elements: %v", err)
}
Expand Down Expand Up @@ -160,6 +166,7 @@ func readArgFromBuff(id events.ID, ebpfMsgDecoder *EbpfDecoder, params []trace.A
return uint(argIdx), arg, errfmt.WrapError(err)
}
arg.Value = res
fmt.Println("bytes read 4", ebpfMsgDecoder.BytesRead())
return uint(argIdx), arg, nil
}

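Review bot: The `fmt.Printf("buffer from offset: %08b\n", ...)` at the top of `readArgFromBuff` writes the whole remaining event buffer to stdout once per decoded argument, and `DecodeInt32Array` in decoder.go does the same on its short-buffer path. That buffer holds the captured event arguments (string, sockaddr and cred types are among those decoded here), so the dump copies monitored data into whatever collects stdout, and the output grows with every argument still left in the event. I would drop these lines before merge, or log only a size such as `len(ebpfMsgDecoder.buffer) - ebpfMsgDecoder.cursor` through a debug-level logger. `readArgFromBuff` starts and continues outside the visible hunks.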
24 changes: 11 additions & 13 deletions pkg/ebpf/c/common/buffer.h
Expand Up @@ -340,14 +340,16 @@ statfunc int save_sockaddr_to_buf(args_buffer_t *buf, struct socket *sock, u8 in

#define DEC_ARG(n, enc_arg) ((enc_arg >> (8 * n)) & 0xFF)

// types whose arguments needs to be directly in type_size_table (arg = (void *) args->args[i])
#define BITMASK_INDIRECT_VALUE_TYPES \
((u64) 1 << STR_T | (u64) 1 << SOCKADDR_T | (u64) 1 << INT_ARR_2_T | (u64) 1 << TIMESPEC_T)
((u64) 1 << INT_ARR_2_T | (u64) 1 << STR_T | (u64) 1 << SOCKADDR_T | (u64) 1 << TIMESPEC_T)

// types whose arguments needs to be handled through their address in type_size_table
// ((arg = (void *) &args->args[i]))
#define BITMASK_COMMON_TYPES \
((u64) 1 << INT_T | (u64) 1 << UINT_T | (u64) 1 << LONG_T | (u64) 1 << ULONG_T | \
(u64) 1 << OFF_T_T | (u64) 1 << MODE_T_T | (u64) 1 << DEV_T_T | (u64) 1 << SIZE_T_T | \
(u64) 1 << POINTER_T | (u64) 1 << STR_ARR_T | (u64) 1 << BYTES_T | (u64) 1 << U16_T | \
(u64) 1 << CRED_T | (u64) 1 << UINT64_ARR_T | (u64) 1 << U8_T)
(u64) 1 << U16_T | (u64) 1 << U8_T | (u64) 1 << UINT64_ARR_T | (u64) 1 << POINTER_T | \
(u64) 1 << BYTES_T | (u64) 1 << STR_ARR_T| (u64) 1 << U8_T)

#define ARG_TYPE_MAX_ARRAY (u8) TIMESPEC_T // last element defined in argument_type_e

Expand All @@ -359,20 +361,16 @@ static u8 type_size_table[ARG_TYPE_MAX_ARRAY + 1] = {
[UINT_T] = sizeof(unsigned int),
[LONG_T] = sizeof(long),
[ULONG_T] = sizeof(unsigned long),
[OFF_T_T] = sizeof(off_t),
[MODE_T_T] = sizeof(mode_t),
[DEV_T_T] = sizeof(dev_t),
[SIZE_T_T] = sizeof(size_t),
[U16_T] = sizeof(unsigned short),
[U8_T] = sizeof(unsigned char),
[INT_ARR_2_T] = sizeof(int[2]),
[UINT64_ARR_T] = 0,
[POINTER_T] = sizeof(void *),
[BYTES_T] = 0,
[STR_T] = 0,
[STR_ARR_T] = 0,
[SOCKADDR_T] = sizeof(short),
[BYTES_T] = 0,
[U16_T] = sizeof(u16),
[CRED_T] = sizeof(struct cred),
[INT_ARR_2_T] = sizeof(int[2]),
[UINT64_ARR_T] = 0,
[U8_T] = sizeof(u8),
[TIMESPEC_T] = 0,
};

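Review bot: The new tail of `BITMASK_COMMON_TYPES` ORs in `(u64) 1 << U8_T` twice and no longer contains `CRED_T`, while `CRED_T` still appears to remain in `type_size_table` as `sizeof(struct cred)` and is still an enumerator in types.h. The duplicate bit is harmless on its own but looks like the slot that was meant for `CRED_T`; if cred arguments are still saved through their address, the last line should read `(u64) 1 << BYTES_T | (u64) 1 << STR_ARR_T | (u64) 1 << CRED_T)`. The code that tests these masks is outside the visible hunk, so please confirm how an argument type present in neither mask is handled there.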
36 changes: 16 additions & 20 deletions pkg/ebpf/c/types.h
Expand Up @@ -158,26 +158,22 @@ typedef struct args {
// pkg/bufferdecoder/eventsreader.go.
enum argument_type_e
{
NONE_T = 0UL,
INT_T,
UINT_T,
LONG_T,
ULONG_T,
OFF_T_T,
MODE_T_T,
DEV_T_T,
SIZE_T_T,
POINTER_T,
STR_T,
STR_ARR_T,
SOCKADDR_T,
BYTES_T,
U16_T,
CRED_T,
INT_ARR_2_T,
UINT64_ARR_T,
U8_T,
TIMESPEC_T,
NONE_T = 0UL, // Default value - the argument does not originate from a decodable buffer.
INT_T,
UINT_T,
LONG_T,
ULONG_T,
U16_T,
U8_T,
INT_ARR_2_T,
UINT64_ARR_T,
POINTER_T,
BYTES_T,
STR_T,
STR_ARR_T,
SOCKADDR_T,
CRED_T,
TIMESPEC_T,
TYPE_MAX = 255UL
};

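Review bot: Every enumerator after `ULONG_T` gets a new numeric value in this reordering (for example `U16_T` and `U8_T` move up while `POINTER_T` and `STR_T` move down), and the comment above the enum ties these values to pkg/bufferdecoder/eventsreader.go. The matching user-space constants are not in the visible sections, so please confirm they change in lockstep; a kernel/user mismatch would presumably make the decoder read an argument as the wrong type and size. A guard next to the enum such as `_Static_assert(TIMESPEC_T < 64, "argument types must fit the u64 type bitmasks");` would also keep future additions within the `(u64) 1 << X` masks in buffer.h.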