diff --git a/driver/bpf/fillers.h b/driver/bpf/fillers.h index d08251bcc4..4a7f3e6e9b 100644 --- a/driver/bpf/fillers.h +++ b/driver/bpf/fillers.h @@ -1039,8 +1039,8 @@ FILLER(sys_getrlimit_x, true) { unsigned long val; long retval; - s64 cur; - s64 max; + int64_t cur; + int64_t max; int res; /* Parameter 1: ret (type: PT_ERRNO) */ @@ -1051,16 +1051,12 @@ FILLER(sys_getrlimit_x, true) /* * Copy the user structure and extract cur and max */ - if(retval >= 0){ - struct rlimit rl; - + if(retval == 0){ + struct rlimit rl = {0}; val = bpf_syscall_get_argument(data, 1); - if(bpf_probe_read_user(&rl, sizeof(rl), (void *)val)) - return PPM_FAILURE_INVALID_USER_MEMORY; - + bpf_probe_read_user(&rl, sizeof(rl), (void *)val); cur = rl.rlim_cur; max = rl.rlim_max; - } else { cur = -1; max = -1; @@ -1070,7 +1066,7 @@ FILLER(sys_getrlimit_x, true) res = bpf_push_s64_to_ring(data, cur); CHECK_RES(res); - /* Parameter 3: max (type: PT_ERRNO) */ + /* Parameter 3: max (type: PT_INT64) */ return bpf_push_s64_to_ring(data, max); } @@ -1090,22 +1086,21 @@ FILLER(sys_setrlimit_x, true) /* * Copy the user structure and extract cur and max */ - struct rlimit rl = {0}; - - val = bpf_syscall_get_argument(data, 1); - bpf_probe_read_user(&rl, sizeof(rl), (void *)val); - cur = rl.rlim_cur; - max = rl.rlim_max; + struct rlimit rl = {0}; + val = bpf_syscall_get_argument(data, 1); + bpf_probe_read_user(&rl, sizeof(rl), (void *)val); + cur = rl.rlim_cur; + max = rl.rlim_max; /* Parameter 2: cur (type: PT_INT64) */ res = bpf_push_s64_to_ring(data, cur); CHECK_RES(res); - /* Parameter 3: max (type: PT_ERRNO) */ + /* Parameter 3: max (type: PT_INT64) */ res = bpf_push_s64_to_ring(data, max); CHECK_RES(res); - /* Parameter 4: resource (type: PT_ERRNO) */ + /* Parameter 4: resource (type: PT_ENUMFLAGS8) */ uint32_t resource = bpf_syscall_get_argument(data, 0); return bpf_push_u8_to_ring(data, rlimit_resource_to_scap(resource)); } @@ -3859,67 +3854,58 @@ FILLER(sys_prlimit_e, true) FILLER(sys_prlimit_x, true) { unsigned long val; - struct rlimit rl; - long retval; - int64_t newcur; - int64_t newmax; - int64_t oldcur; - int64_t oldmax; - int res; - /* Parameter 1: res */ - retval = bpf_syscall_get_retval(data->ctx); - res = bpf_push_s64_to_ring(data, retval); + /* Parameter 1: res (type: PT_ERRNO) */ + long retval = bpf_syscall_get_retval(data->ctx); + int res = bpf_push_s64_to_ring(data, retval); CHECK_RES(res); /* * Copy the user structure and extract cur and max */ - if (retval >= 0) { - val = bpf_syscall_get_argument(data, 2); - if (bpf_probe_read_user(&rl, sizeof(rl), (void *)val)) { - newcur = -1; - newmax = -1; - } else { - newcur = rl.rlim_cur; - newmax = rl.rlim_max; - } - } else { - newcur = -1; - newmax = -1; - } - - val = bpf_syscall_get_argument(data, 3); - if (bpf_probe_read_user(&rl, sizeof(rl), (void *)val)) { - oldcur = -1; - oldmax = -1; - } else { - oldcur = rl.rlim_cur; - oldmax = rl.rlim_max; - } + struct rlimit new_rlimit = {0}; + val = bpf_syscall_get_argument(data, 2); + bpf_probe_read_user(&new_rlimit, sizeof(new_rlimit), (void *)val); - /* Parameter 2: newcur */ - res = bpf_push_s64_to_ring(data, newcur); + /* Parameter 2: newcur (type: PT_INT64) */ + res = bpf_push_s64_to_ring(data, new_rlimit.rlim_cur); CHECK_RES(res); - /* Parameter 3: newmax */ - res = bpf_push_s64_to_ring(data, newmax); + /* Parameter 3: newmax (type: PT_INT64) */ + res = bpf_push_s64_to_ring(data, new_rlimit.rlim_max); CHECK_RES(res); - /* Parameter 4: oldcur */ - res = bpf_push_s64_to_ring(data, oldcur); - CHECK_RES(res); + struct rlimit old_rlimit = {0}; + if(retval == 0) + { + val = bpf_syscall_get_argument(data, 3); + bpf_probe_read_user(&old_rlimit, sizeof(old_rlimit), (void *)val); - /* Parameter 5: oldmax */ - res = bpf_push_s64_to_ring(data, oldmax); - CHECK_RES(res); + /* Parameter 4: oldcur (type: PT_INT64) */ + res = bpf_push_s64_to_ring(data, old_rlimit.rlim_cur); + CHECK_RES(res); + + /* Parameter 5: oldmax (type: PT_INT64) */ + res = bpf_push_s64_to_ring(data, old_rlimit.rlim_max); + CHECK_RES(res); + } + else + { + /* Parameter 4: oldcur (type: PT_INT64) */ + res = bpf_push_s64_to_ring(data, -1); + CHECK_RES(res); + + /* Parameter 5: oldmax (type: PT_INT64) */ + res = bpf_push_s64_to_ring(data, -1); + CHECK_RES(res); + } - /* Parameter 6: pid */ + /* Parameter 6: pid (type: PT_PID) */ pid_t pid = bpf_syscall_get_argument(data, 0); res = bpf_push_s64_to_ring(data, (s64)pid); CHECK_RES(res); - /* Parameter 7: resource */ + /* Parameter 7: resource (type: PT_ENUMFLAGS8) */ uint32_t resource = bpf_syscall_get_argument(data, 1); return bpf_push_u8_to_ring(data, rlimit_resource_to_scap(resource)); } diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/prlimit64.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/prlimit64.bpf.c index fd4399fe5e..ae2c8647d2 100644 --- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/prlimit64.bpf.c +++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/prlimit64.bpf.c @@ -80,13 +80,21 @@ int BPF_PROG(prlimit64_x, { rlimit_pointer = extract__syscall_argument(regs, 3); bpf_probe_read_user((void *)&old_rlimit, bpf_core_type_size(struct rlimit), (void *)rlimit_pointer); - } - /* Parameter 4: oldcur (type: PT_INT64) */ - ringbuf__store_s64(&ringbuf, old_rlimit.rlim_cur); + /* Parameter 4: oldcur (type: PT_INT64) */ + ringbuf__store_s64(&ringbuf, old_rlimit.rlim_cur); - /* Parameter 5: oldmax (type: PT_INT64) */ - ringbuf__store_s64(&ringbuf, old_rlimit.rlim_max); + /* Parameter 5: oldmax (type: PT_INT64) */ + ringbuf__store_s64(&ringbuf, old_rlimit.rlim_max); + } + else + { + /* Parameter 4: oldcur (type: PT_INT64) */ + ringbuf__store_s64(&ringbuf, -1); + + /* Parameter 5: oldmax (type: PT_INT64) */ + ringbuf__store_s64(&ringbuf, -1); + } /* Parameter 6: pid (type: PT_PID) */ pid_t pid = (s32)extract__syscall_argument(regs, 0); diff --git a/driver/ppm_fillers.c b/driver/ppm_fillers.c index 6a329497c8..9bdacf264f 100644 --- a/driver/ppm_fillers.c +++ b/driver/ppm_fillers.c @@ -4085,9 +4085,9 @@ int f_sys_getrlimit_x(struct event_filler_arguments *args) { unsigned long val; int res; int64_t retval; - struct rlimit rl; + struct rlimit rl = {0}; #ifdef CONFIG_COMPAT - struct compat_rlimit compat_rl; + struct compat_rlimit compat_rl = {0}; #endif int64_t cur; int64_t max; @@ -4100,8 +4100,8 @@ int f_sys_getrlimit_x(struct event_filler_arguments *args) { /* * Copy the user structure and extract cur and max */ -if(retval >= 0) { - + if(retval == 0) + { syscall_get_arguments_deprecated(args, 1, 1, &val); #ifdef CONFIG_COMPAT @@ -4109,18 +4109,29 @@ if(retval >= 0) { { #endif if(unlikely(ppm_copy_from_user(&rl, (const void __user *)val, sizeof(struct rlimit)))) - return PPM_FAILURE_INVALID_USER_MEMORY; - cur = rl.rlim_cur; - max = rl.rlim_max; + { + cur = 0; + max = 0; + } + else + { + cur = rl.rlim_cur; + max = rl.rlim_max; + } #ifdef CONFIG_COMPAT } else { - if(unlikely(ppm_copy_from_user(&compat_rl, (const void __user *)compat_ptr(val), - sizeof(struct compat_rlimit)))) - return PPM_FAILURE_INVALID_USER_MEMORY; - cur = compat_rl.rlim_cur; - max = compat_rl.rlim_max; + if(unlikely(ppm_copy_from_user(&compat_rl, (const void __user *)compat_ptr(val), sizeof(struct compat_rlimit)))) + { + cur = 0; + max = 0; + } + else + { + cur = compat_rl.rlim_cur; + max = compat_rl.rlim_max; + } } #endif } @@ -4141,15 +4152,13 @@ if(retval >= 0) { return add_sentinel(args); } - - int f_sys_setrlimit_x(struct event_filler_arguments *args) { unsigned long val; int res; int64_t retval; #ifdef CONFIG_COMPAT - struct compat_rlimit compat_rl; + struct compat_rlimit compat_rl = {0}; #endif int64_t cur; int64_t max; @@ -4163,24 +4172,23 @@ int f_sys_setrlimit_x(struct event_filler_arguments *args) /* * Copy the user structure and extract cur and max */ - syscall_get_arguments_deprecated(args, 1, 1, &val); + syscall_get_arguments_deprecated(args, 1, 1, &val); #ifdef CONFIG_COMPAT - if (!args->compat) { + if (!args->compat) { #endif - ppm_copy_from_user(&rl, (const void __user *)val, sizeof(struct rlimit)); - cur = rl.rlim_cur; - max = rl.rlim_max; + ppm_copy_from_user(&rl, (const void __user *)val, sizeof(struct rlimit)); + cur = rl.rlim_cur; + max = rl.rlim_max; #ifdef CONFIG_COMPAT - } else { - if (unlikely(ppm_copy_from_user(&compat_rl, (const void __user *)compat_ptr(val), sizeof(struct compat_rlimit)))) - return PPM_FAILURE_INVALID_USER_MEMORY; - cur = compat_rl.rlim_cur; - max = compat_rl.rlim_max; - } + } else { + ppm_copy_from_user(&compat_rl, (const void __user *)compat_ptr(val), sizeof(struct compat_rlimit)); + cur = compat_rl.rlim_cur; + max = compat_rl.rlim_max; + } #endif - /* Parameter 2: curr (type: PT_INT64) */ + /* Parameter 2: cur (type: PT_INT64) */ res = val_to_ring(args, cur, 0, false, 0); CHECK_RES(res); @@ -4221,9 +4229,9 @@ int f_sys_prlimit_x(struct event_filler_arguments *args) unsigned long val; int res; int64_t retval; - struct rlimit rl; + struct rlimit rl = {0}; #ifdef CONFIG_COMPAT - struct compat_rlimit compat_rl; + struct compat_rlimit compat_rl = {0}; #endif int64_t newcur; int64_t newmax; @@ -4239,65 +4247,68 @@ int f_sys_prlimit_x(struct event_filler_arguments *args) /* * Copy the user structure and extract cur and max */ - if (retval >= 0) { - syscall_get_arguments_deprecated(args, 2, 1, &val); -#ifdef CONFIG_COMPAT - if (!args->compat) { -#endif - if (unlikely(ppm_copy_from_user(&rl, (const void __user *)val, sizeof(struct rlimit)))) { - newcur = -1; - newmax = -1; - } else { - newcur = rl.rlim_cur; - newmax = rl.rlim_max; - } -#ifdef CONFIG_COMPAT - } else { - if (unlikely(ppm_copy_from_user(&compat_rl, (const void __user *)val, sizeof(struct compat_rlimit)))) { - newcur = -1; - newmax = -1; - } else { - newcur = compat_rl.rlim_cur; - newmax = compat_rl.rlim_max; - } - } -#endif - } else { - newcur = -1; - newmax = -1; - } - - syscall_get_arguments_deprecated(args, 3, 1, &val); + syscall_get_arguments_deprecated(args, 2, 1, &val); #ifdef CONFIG_COMPAT if (!args->compat) { #endif - if (unlikely(ppm_copy_from_user(&rl, (const void __user *)val, sizeof(struct rlimit)))) { - oldcur = -1; - oldmax = -1; - } else { - oldcur = rl.rlim_cur; - oldmax = rl.rlim_max; - } + ppm_copy_from_user(&rl, (const void __user *)val, sizeof(struct rlimit)); + newcur = rl.rlim_cur; + newmax = rl.rlim_max; #ifdef CONFIG_COMPAT } else { - if (unlikely(ppm_copy_from_user(&compat_rl, (const void __user *)val, sizeof(struct compat_rlimit)))) { - oldcur = -1; - oldmax = -1; - } else { - oldcur = compat_rl.rlim_cur; - oldmax = compat_rl.rlim_max; - } + ppm_copy_from_user(&compat_rl, (const void __user *)val, sizeof(struct compat_rlimit)); + newcur = compat_rl.rlim_cur; + newmax = compat_rl.rlim_max; } #endif + /* Parameter 2: newcur (type: PT_INT64) */ res = val_to_ring(args, newcur, 0, false, 0); CHECK_RES(res); - CHECK_RES(res); /* Parameter 3: newmax (type: PT_INT64) */ res = val_to_ring(args, newmax, 0, false, 0); CHECK_RES(res); - CHECK_RES(res); + + if(retval == 0) + { + syscall_get_arguments_deprecated(args, 3, 1, &val); + +#ifdef CONFIG_COMPAT + if (!args->compat) { +#endif + if (unlikely(ppm_copy_from_user(&rl, (const void __user *)val, sizeof(struct rlimit)))) + { + oldcur = 0; + oldmax = 0; + } + else + { + oldcur = rl.rlim_cur; + oldmax = rl.rlim_max; + } +#ifdef CONFIG_COMPAT + } + else + { + if (unlikely(ppm_copy_from_user(&compat_rl, (const void __user *)val, sizeof(struct compat_rlimit)))) + { + oldcur = 0; + oldmax = 0; + } + else + { + oldcur = compat_rl.rlim_cur; + oldmax = compat_rl.rlim_max; + } + } +#endif + } + else + { + oldcur = -1; + oldmax = -1; + } /* Parameter 4: oldcur (type: PT_INT64) */ res = val_to_ring(args, oldcur, 0, false, 0); @@ -4307,7 +4318,7 @@ int f_sys_prlimit_x(struct event_filler_arguments *args) res = val_to_ring(args, oldmax, 0, false, 0); CHECK_RES(res); - /* Parameter 6: pid (type: PT_INT64) */ + /* Parameter 6: pid (type: PT_PID) */ syscall_get_arguments_deprecated(args, 0, 1, &val); pid = (s32)val; res = val_to_ring(args, (s64)pid, 0, false, 0); diff --git a/driver/ppm_flag_helpers.h b/driver/ppm_flag_helpers.h index fb1c03f03e..72e33b35db 100644 --- a/driver/ppm_flag_helpers.h +++ b/driver/ppm_flag_helpers.h @@ -1293,9 +1293,9 @@ static __always_inline uint32_t access_flags_to_scap(unsigned flags) return res; } -static __always_inline u8 rlimit_resource_to_scap(uint32_t rresource) +static __always_inline u8 rlimit_resource_to_scap(uint32_t resource) { - switch (rresource) { + switch (resource) { case RLIMIT_CPU: return PPM_RLIMIT_CPU; case RLIMIT_FSIZE: diff --git a/test/drivers/test_suites/syscall_exit_suite/getrlimit_x.cpp b/test/drivers/test_suites/syscall_exit_suite/getrlimit_x.cpp index 764b668139..c1f7311dd8 100644 --- a/test/drivers/test_suites/syscall_exit_suite/getrlimit_x.cpp +++ b/test/drivers/test_suites/syscall_exit_suite/getrlimit_x.cpp @@ -47,7 +47,7 @@ TEST(SyscallExit, getrlimitX_success) evt_test->assert_num_params_pushed(3); } -TEST(SyscallExit, getrlimitX_failure) +TEST(SyscallExit, getrlimitX_wrong_resource) { auto evt_test = get_syscall_event_test(__NR_getrlimit, EXIT_EVENT); @@ -80,6 +80,51 @@ TEST(SyscallExit, getrlimitX_failure) /* Parameter 1: res (type: PT_ERRNO) */ evt_test->assert_numeric_param(1, (int64_t)errno_value); + // The syscall fails so we expect `-1` + + /* Parameter 2: cur (type: PT_INT64) */ + evt_test->assert_numeric_param(2, (int64_t)-1); + + /* Parameter 3: max (type: PT_INT64) */ + evt_test->assert_numeric_param(3, (int64_t)-1); + + /*=============================== ASSERT PARAMETERS ===========================*/ + + evt_test->assert_num_params_pushed(3); +} + +TEST(SyscallExit, getrlimitX_null_rlimit_pointer) +{ + auto evt_test = get_syscall_event_test(__NR_getrlimit, EXIT_EVENT); + + evt_test->enable_capture(); + + /*=============================== TRIGGER SYSCALL ===========================*/ + + int resource = RLIMIT_NOFILE; + assert_syscall_state(SYSCALL_FAILURE, "getrlimit", syscall(__NR_getrlimit, resource, NULL)); + int64_t errno_value = -errno; + + /*=============================== TRIGGER SYSCALL ===========================*/ + + evt_test->disable_capture(); + + evt_test->assert_event_presence(); + + if(HasFatalFailure()) + { + return; + } + + evt_test->parse_event(); + + evt_test->assert_header(); + + /*=============================== ASSERT PARAMETERS ===========================*/ + + /* Parameter 1: res (type: PT_ERRNO) */ + evt_test->assert_numeric_param(1, (int64_t)errno_value); + /* Parameter 2: cur (type: PT_INT64) */ evt_test->assert_numeric_param(2, (int64_t)-1); diff --git a/test/drivers/test_suites/syscall_exit_suite/prlimit64_x.cpp b/test/drivers/test_suites/syscall_exit_suite/prlimit64_x.cpp index d0b75d2953..45e11a1d7c 100644 --- a/test/drivers/test_suites/syscall_exit_suite/prlimit64_x.cpp +++ b/test/drivers/test_suites/syscall_exit_suite/prlimit64_x.cpp @@ -4,7 +4,7 @@ #include -TEST(SyscallExit, prlimit64X) +TEST(SyscallExit, prlimit64X_success) { auto evt_test = get_syscall_event_test(__NR_prlimit64, EXIT_EVENT); @@ -68,4 +68,63 @@ TEST(SyscallExit, prlimit64X) evt_test->assert_num_params_pushed(7); } + +TEST(SyscallExit, prlimit64X_failure) +{ + auto evt_test = get_syscall_event_test(__NR_prlimit64, EXIT_EVENT); + + evt_test->enable_capture(); + + /*=============================== TRIGGER SYSCALL ===========================*/ + + pid_t pid = -1; + assert_syscall_state(SYSCALL_FAILURE, "prlimit64", syscall(__NR_prlimit64, pid, RLIMIT_RSS, NULL, NULL)); + int64_t errno_value = -errno; + + /*=============================== TRIGGER SYSCALL ===========================*/ + + evt_test->disable_capture(); + + evt_test->assert_event_presence(); + + if(HasFatalFailure()) + { + return; + } + + evt_test->parse_event(); + + evt_test->assert_header(); + + /*=============================== ASSERT PARAMETERS ===========================*/ + + /* Parameter 1: res (type: PT_ERRNO) */ + evt_test->assert_numeric_param(1, errno_value); + + // The new limits are set by the user so we always read what the user sets + + /* Parameter 2: newcur (type: PT_INT64) */ + evt_test->assert_numeric_param(2, (int64_t)0); + + /* Parameter 3: newmax (type: PT_INT64) */ + evt_test->assert_numeric_param(3, (int64_t)0); + + // The old limits are read by the kernel so when the syscall fails we return `-1` + + /* Parameter 4: oldcur (type: PT_INT64) */ + evt_test->assert_numeric_param(4, (int64_t)-1); + + /* Parameter 5: oldmax (type: PT_INT64) */ + evt_test->assert_numeric_param(5, (int64_t)-1); + + /* Parameter 6: pid (type: PT_INT64) */ + evt_test->assert_numeric_param(6, (int64_t)pid); + + /* Parameter 7: resource (type: PT_ENUMFLAGS8) */ + evt_test->assert_numeric_param(7, (uint8_t)PPM_RLIMIT_RSS); + + /*=============================== ASSERT PARAMETERS ===========================*/ + + evt_test->assert_num_params_pushed(7); +} #endif diff --git a/test/drivers/test_suites/syscall_exit_suite/setrlimit_x.cpp b/test/drivers/test_suites/syscall_exit_suite/setrlimit_x.cpp index 7339e31b65..6ae90107b1 100644 --- a/test/drivers/test_suites/syscall_exit_suite/setrlimit_x.cpp +++ b/test/drivers/test_suites/syscall_exit_suite/setrlimit_x.cpp @@ -4,7 +4,7 @@ #include -TEST(SyscallExit, setrlimitX_failure) +TEST(SyscallExit, setrlimitX_null_rlimit_pointer) { auto evt_test = get_syscall_event_test(__NR_setrlimit, EXIT_EVENT); @@ -12,8 +12,60 @@ TEST(SyscallExit, setrlimitX_failure) /*=============================== TRIGGER SYSCALL ===========================*/ + // In case of `NULL` rlimit pointer we expect `cur` and `max` equal to `0` + // The syscall will fail and a NULL pointer is equivalent to all `0`. + int resource = RLIMIT_NOFILE; + assert_syscall_state(SYSCALL_FAILURE, "setrlimit", syscall(__NR_setrlimit, resource, NULL)); + int64_t errno_value = -errno; + + /*=============================== TRIGGER SYSCALL ===========================*/ + + evt_test->disable_capture(); + + evt_test->assert_event_presence(); + + if(HasFatalFailure()) + { + return; + } + + evt_test->parse_event(); + + evt_test->assert_header(); + + /*=============================== ASSERT PARAMETERS ===========================*/ + + /* Parameter 1: res (type: PT_ERRNO) */ + evt_test->assert_numeric_param(1, (int64_t)errno_value); + + /* Parameter 2: cur (type: PT_INT64) */ + evt_test->assert_numeric_param(2, (int64_t)0); + + /* Parameter 3: max (type: PT_INT64) */ + evt_test->assert_numeric_param(3, (int64_t)0); + + /* Parameter 4: resource (type: PT_ENUMFLAGS8) */ + evt_test->assert_numeric_param(4, (uint8_t)resource); + + /*=============================== ASSERT PARAMETERS ===========================*/ + + evt_test->assert_num_params_pushed(4); +} + +TEST(SyscallExit, setrlimitX_wrong_resource) +{ + auto evt_test = get_syscall_event_test(__NR_setrlimit, EXIT_EVENT); + + evt_test->enable_capture(); + + /*=============================== TRIGGER SYSCALL ===========================*/ + + // In case of a wrong resource we expect that `cur` and `max` are populated. + // The syscall will fail but we will catch what the user passes in any case. int resource = -1; - struct rlimit rlim = {0}; + struct rlimit rlim; + rlim.rlim_cur = 50; + rlim.rlim_max = 10020; assert_syscall_state(SYSCALL_FAILURE, "setrlimit", syscall(__NR_setrlimit, resource, &rlim)); int64_t errno_value = -errno;