find g offset from elf

jschwinger233 · Apr 2, 2023 · a3ee0d3 · a3ee0d3
1 parent 02c813b
commit a3ee0d3
Show file tree

Hide file tree

Showing 5 changed files with 36 additions and 7 deletions.
diff --git a/elf/asm.go b/elf/asm.go
@@ -1,6 +1,8 @@
 package elf
 
 import (
+	"strings"
+
 	"github.com/pkg/errors"
 	"golang.org/x/arch/x86/x86asm"
 )
@@ -13,6 +15,23 @@ func (e *ELF) FuncInstructions(name string) (insts []x86asm.Inst, addr, offset u
 	return e.ResolveInstructions(raw), addr, offset, nil
 }
 
+func (e *ELF) FindGOffset() (offset int64, err error) {
+	insts, _, _, err := e.FuncInstructions("runtime.setg.abi0")
+	if err != nil {
+		return
+	}
+
+	for _, inst := range insts {
+		println(inst.String())
+		if strings.Contains(inst.Op.String(), "MOV") && inst.Args[0] != nil {
+			if mem, ok := inst.Args[0].(x86asm.Mem); ok && mem.Segment == x86asm.FS {
+				return mem.Disp, nil
+			}
+		}
+	}
+	return 0, errors.New("setg asm not found")
+}
+
 func (e *ELF) FuncRetOffsets(name string) (offsets []uint64, err error) {
 	insts, _, offset, err := e.FuncInstructions(name)
 	if err != nil {

diff --git a/internal/bpf/bpf.go b/internal/bpf/bpf.go
@@ -39,6 +39,7 @@ var RegisterConstants = map[string]uint8{
 
 type LoadOptions struct {
 	GoidOffset int64
+	GOffset    int64
 }
 
 type BPF struct {
@@ -50,13 +51,14 @@ func New() *BPF {
 	return &BPF{}
 }
 
-func (b *BPF) BpfConfig(fetchArgs bool, goidOffset int64) interface{} {
+func (b *BPF) BpfConfig(fetchArgs bool, goidOffset, gOffset int64) interface{} {
 	return struct {
-		GoidOffset int64
-		FetchArgs  bool
-		Padding    [7]byte
+		GoidOffset, GOffset int64
+		FetchArgs           bool
+		Padding             [7]byte
 	}{
 		GoidOffset: goidOffset,
+		GOffset:    gOffset,
 		FetchArgs:  fetchArgs,
 	}
 }
@@ -83,7 +85,7 @@ func (b *BPF) Load(uprobes []uprobe.Uprobe, opts LoadOptions) (err error) {
 			break
 		}
 	}
-	if err = spec.RewriteConstants(map[string]interface{}{"CONFIG": b.BpfConfig(fetchArgs, opts.GoidOffset)}); err != nil {
+	if err = spec.RewriteConstants(map[string]interface{}{"CONFIG": b.BpfConfig(fetchArgs, opts.GoidOffset, opts.GOffset)}); err != nil {
 		return
 	}
 	if err = spec.LoadAndAssign(b.objs, &ebpf.CollectionOptions{

diff --git a/internal/bpf/gofuncgraph.c b/internal/bpf/gofuncgraph.c
@@ -15,6 +15,7 @@ char __license[] SEC("license") = "Dual MIT/GPL";
 
 struct config {
 	__s64 goid_offset;
+	__s64 g_offset;
 	bool fetch_args;
 	__u8 padding[7];
 };
@@ -97,7 +98,7 @@ __u64 get_goid()
 	__u64 tls_base, g_addr, goid;
 	struct task_struct *task = (struct task_struct *)bpf_get_current_task();
 	bpf_probe_read_kernel(&tls_base, sizeof(tls_base), (void *)task + fsbase_off);
-	bpf_probe_read_user(&g_addr, sizeof(g_addr), (void *)(tls_base-8));
+	bpf_probe_read_user(&g_addr, sizeof(g_addr), (void *)(tls_base+CONFIG.g_offset));
 	bpf_probe_read_user(&goid, sizeof(goid), (void *)(g_addr+CONFIG.goid_offset));
 	return goid;
 }

diff --git a/internal/bpf/gofuncgraph_bpfel_x86.o b/internal/bpf/gofuncgraph_bpfel_x86.o
diff --git a/tracer.go b/tracer.go
@@ -107,7 +107,14 @@ func (t *Tracer) Start() (err error) {
 	if err != nil {
 		return
 	}
-	if err = t.bpf.Load(uprobes, bpf.LoadOptions{GoidOffset: goidOffset}); err != nil {
+	gOffset, err := t.elf.FindGOffset()
+	if err != nil {
+		return
+	}
+	if err = t.bpf.Load(uprobes, bpf.LoadOptions{
+		GoidOffset: goidOffset,
+		GOffset:    gOffset,
+	}); err != nil {
 		return
 	}
 	if err = t.bpf.Attach(t.bin, uprobes); err != nil {