pkg/ebpf: fix bug in support for arg types (aquasecurity#2228)

In tracee.bpf.c we use arg types to determine syscall arguments. Recent feature changed arguments types enum values, causing bug in argument parsing of syscalls. This commit fix this issue and add unsupported basic types should be supported in parsing.
MattGrol · Oct 11, 2022 · f363f1c · f363f1c
1 parent dd41bad
commit f363f1c
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 1 deletion.
diff --git a/pkg/bufferdecoder/eventsreader.go b/pkg/bufferdecoder/eventsreader.go
@@ -18,7 +18,6 @@ type ArgType uint8
 
 const (
 	noneT ArgType = iota
-	u8T
 	intT
 	uintT
 	longT
@@ -36,6 +35,7 @@ const (
 	credT
 	intArr2T
 	uint64ArrT
+	u8T
 )
 
 // These types don't match the ones defined in the ebpf code since they are not being used by syscalls arguments.

diff --git a/pkg/ebpf/c/tracee.bpf.c b/pkg/ebpf/c/tracee.bpf.c
@@ -157,6 +157,7 @@ enum argument_type_e
     CRED_T,
     INT_ARR_2_T,
     UINT64_ARR_T,
+    U8_T,
     TYPE_MAX = 255UL
 };
 
@@ -2443,6 +2444,12 @@ static __always_inline int save_args_to_submit_buf(event_data_t *data, u64 types
             case POINTER_T:
                 size = sizeof(void *);
                 break;
+            case U8_T:
+                size = sizeof(u8);
+                break;
+            case U16_T:
+                size = sizeof(u16);
+                break;
             case STR_T:
                 rc = save_str_to_buf(data, (void *) args->args[i], index);
                 break;
-Original file line number
+Diff line change
@@ Expand Up / @@ -18,7 +18,6 @@ type ArgType uint8 @@
     const (
     	noneT ArgType = iota
-    	u8T
     	intT
     	uintT
     	longT
@@ Expand All / @@ -36,6 +35,7 @@ const ( @@
     	credT
     	intArr2T
     	uint64ArrT
+    	u8T
     )
     // These types don't match the ones defined in the ebpf code since they are not being used by syscalls arguments.
@@ Expand Down @@