Trying to build SysinternalsEBPF I get the following errors:
[ 21%] Building C object CMakeFiles/sysinternalsEBPF.dir/discoverOffsets.c.o
/path/to/SysinternalsEBPF/discoverOffsets.c: In function ‘memDumpEventCb’:
/path/to/SysinternalsEBPF/discoverOffsets.c:141:29: error: cast from pointer to integer of different size [-Werror=pointer-to-int-cast]
memAddrs[d->type] = (uint64_t)d->addr;
^
/path/to/SysinternalsEBPF/discoverOffsets.c: In function ‘isPointer’:
/path/to/SysinternalsEBPF/discoverOffsets.c:77:30: error: left shift count >= width of type [-Werror=shift-count-overflow]
#define MAX_POINTER_DIFF (1L << 36)
^~
/path/to/SysinternalsEBPF/discoverOffsets.c:175:38: note: in expansion of macro ‘MAX_POINTER_DIFF’
if (labs(ptr - memAddrs[task]) < MAX_POINTER_DIFF) {
^~~~~~~~~~~~~~~~
/path/to/SysinternalsEBPF/discoverOffsets.c: In function ‘searchPtr’:
/path/to/SysinternalsEBPF/discoverOffsets.c:77:30: error: left shift count >= width of type [-Werror=shift-count-overflow]
#define MAX_POINTER_DIFF (1L << 36)
^~
/path/to/SysinternalsEBPF/discoverOffsets.c:432:79: note: in expansion of macro ‘MAX_POINTER_DIFF’
return searchUint64(out, dir, type, startOffset, numElem, memAddrs[task], MAX_POINTER_DIFF);
^~~~~~~~~~~~~~~~
/path/to/SysinternalsEBPF/discoverOffsets.c: In function ‘searchDerefUint32’:
/path/to/SysinternalsEBPF/discoverOffsets.c:619:29: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
if (!dumpStruct(to, (void *)get64(from, off[0]), DUMP_SIZE, pb)) {
^
/path/to/SysinternalsEBPF/discoverOffsets.c: In function ‘getCredsOffsets’:
/path/to/SysinternalsEBPF/discoverOffsets.c:848:36: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
if (!setConfigPid(child, cred, (void *)get64(task, offsets->cred[0]), DUMP_SIZE)) {
^
/path/to/SysinternalsEBPF/discoverOffsets.c: In function ‘getPwdPathOffset’:
/path/to/SysinternalsEBPF/discoverOffsets.c:927:25: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
if (!dumpStruct(fs, (void *)get64(task, startOffset), DUMP_SIZE, pb)) {
^
/path/to/SysinternalsEBPF/discoverOffsets.c:945:41: error: format ‘%lx’ expects argument of type ‘long unsigned int’, but argument 3 has type ‘uint64_t’ {aka ‘long long unsigned int’} [-Werror=format=]
fprintf(stderr, "0 = 0x%016lx\n", get64(fs, offsets->pwd_path[1]));
~~~~~^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
%016llx
/path/to/SysinternalsEBPF/discoverOffsets.c:946:41: error: format ‘%lx’ expects argument of type ‘long unsigned int’, but argument 3 has type ‘uint64_t’ {aka ‘long long unsigned int’} [-Werror=format=]
fprintf(stderr, "1 = 0x%016lx\n", get64(fs, offsets->pwd_path[1] + sizeof(uint64_t)));
~~~~~^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
%016llx
/path/to/SysinternalsEBPF/discoverOffsets.c:947:41: error: format ‘%lx’ expects argument of type ‘long unsigned int’, but argument 3 has type ‘uint64_t’ {aka ‘long long unsigned int’} [-Werror=format=]
fprintf(stderr, "2 = 0x%016lx\n", get64(fs, offsets->pwd_path[1] + (2 * sizeof(uint64_t))));
~~~~~^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
%016llx
/path/to/SysinternalsEBPF/discoverOffsets.c:948:41: error: format ‘%lx’ expects argument of type ‘long unsigned int’, but argument 3 has type ‘uint64_t’ {aka ‘long long unsigned int’} [-Werror=format=]
fprintf(stderr, "3 = 0x%016lx\n", get64(fs, offsets->pwd_path[1] + (3 * sizeof(uint64_t))));
~~~~~^ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
%016llx
/path/to/SysinternalsEBPF/discoverOffsets.c: In function ‘getDentryNameOffset’:
/path/to/SysinternalsEBPF/discoverOffsets.c:981:29: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
if (!dumpStruct(dentry, (void *)get64(fs, offsets->pwd_path[1] + offsets->path_dentry[0]), DUMP_SIZE, pb)) {
^
/path/to/SysinternalsEBPF/discoverOffsets.c:1000:34: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
if (!dumpStruct(pwd, (void *)get64(dentry, offsets->dentry_name[0]), DUMP_SIZE, pb)) {
^
/path/to/SysinternalsEBPF/discoverOffsets.c: In function ‘getDentryInodeOffsets’:
/path/to/SysinternalsEBPF/discoverOffsets.c:1078:28: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
if (!dumpStruct(inode, (void *)get64(dentry, offsets->dentry_inode[0]), DUMP_SIZE, pb)) {
^
/path/to/SysinternalsEBPF/discoverOffsets.c: In function ‘getMountOffsets’:
/path/to/SysinternalsEBPF/discoverOffsets.c:1162:28: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
if (!dumpStruct(mount, (void *)get64(fs, offsets->pwd_path[1] + offsets->path_vfsmount[0]) - 512,
^
/path/to/SysinternalsEBPF/discoverOffsets.c:1176:39: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
if (!dumpStruct(dentryMountpoint, (void *)get64(mount, offsets->mount_mountpoint[0]), DUMP_SIZE, pb)) {
^
/path/to/SysinternalsEBPF/discoverOffsets.c: In function ‘getFdOffsets’:
/path/to/SysinternalsEBPF/discoverOffsets.c:1239:28: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
if (!dumpStruct(files, (void *)get64(task, offsets->max_fds[0]), DUMP_SIZE, pb)) {
^
/path/to/SysinternalsEBPF/discoverOffsets.c: In function ‘getTtyOffset’:
/path/to/SysinternalsEBPF/discoverOffsets.c:1321:30: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
if (!dumpStruct(signals, (void *)get64(task, offsets->tty[0]), DUMP_SIZE, pb)) {
^
/path/to/SysinternalsEBPF/discoverOffsets.c: In function ‘getMmOffsets’:
/path/to/SysinternalsEBPF/discoverOffsets.c:1477:25: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
if (!dumpStruct(mm, (void *)get64(task, offsets->mm_arg_start[0]), DUMP_SIZE, pb)) {
^
/path/to/SysinternalsEBPF/discoverOffsets.c:1483:71: error: cast from pointer to integer of different size [-Werror=pointer-to-int-cast]
if (searchUint64(&offsets->mm_arg_start[1], forwards, mm, 0, 128, (uint64_t)argv[0], 0)) {
^
/path/to/SysinternalsEBPF/discoverOffsets.c: In function ‘getExePathOffset’:
/path/to/SysinternalsEBPF/discoverOffsets.c:1573:42: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
if (!dumpStruct(exeFile, (void *)get64(mm, startOffset), DUMP_SIZE, pb)) {
^
/path/to/SysinternalsEBPF/discoverOffsets.c:1579:48: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
if (!dumpStruct(exeDentry, (void *)dentry, DUMP_SIZE, pb)) {
^
/path/to/SysinternalsEBPF/discoverOffsets.c:1584:46: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
if (!dumpStruct(exeName, (void *)exe_dname, DUMP_SIZE, pb)) {
^
/path/to/SysinternalsEBPF/discoverOffsets.c: In function ‘getSkbOffsets’:
/path/to/SysinternalsEBPF/discoverOffsets.c:77:30: error: left shift count >= width of type [-Werror=shift-count-overflow]
#define MAX_POINTER_DIFF (1L << 36)
^~
/path/to/SysinternalsEBPF/discoverOffsets.c:1663:39: note: in expansion of macro ‘MAX_POINTER_DIFF’
if (near(addr, memAddrs[skb], MAX_POINTER_DIFF)) {
^~~~~~~~~~~~~~~~
/path/to/SysinternalsEBPF/discoverOffsets.c:1664:31: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
setConfig(skdata, (const void *)(uint64_t)startOffset, 36);
^
cc1: all warnings being treated as errors
make[2]: *** [CMakeFiles/sysinternalsEBPF.dir/build.make:91: CMakeFiles/sysinternalsEBPF.dir/discoverOffsets.c.o] error 1
make[1]: *** [CMakeFiles/Makefile2:73: CMakeFiles/sysinternalsEBPF.dir/all] error 2
make: *** [Makefile:130: all] error 2
Guessing it has to do with autodiscovery of offsets (https://github.com/Sysinternals/SysinternalsEBPF#autodiscovery-of-offsets). I already built the sysinternalsEBPF_offsets.conf file, as described in the README of getOffsets, via make conf to /path/to/sysinternalsEBPF/sysinternalsEBPF_offsets.conf. It seems to me that the file is ignored in subsequent builds though?
OS
Debian 10 Buster
Kernel
5.10.60 on armhf
Hi - thanks for reporting this. We haven't yet tested Sysmon for Linux on ARM and I suspect the issues you are running into are a result of that. I'm tagging this as an enhancement.
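The three error classes in the build log above (pointer/integer casts of different size, 1L << 36, and %lx given a uint64_t) all arise because long and pointers are 32 bits wide on armhf while uint64_t is unsigned long long. As an added example, not code from SysinternalsEBPF, here are width-independent C forms of each; every function and macro name below is hypothetical.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical replacement for (1L << 36): UINT64_C gives a 64-bit
 * constant even where long is 32 bits, so the shift cannot overflow. */
#define MAX_POINTER_DIFF_PORTABLE (UINT64_C(1) << 36)

/* Pointer -> uint64_t: cast to the same-size uintptr_t, then widen. */
static uint64_t ptr_to_u64(const void *p)
{
    return (uint64_t)(uintptr_t)p;
}

/* uint64_t -> pointer: narrow through uintptr_t and reject any value
 * that does not survive the round trip instead of truncating it. */
static bool u64_to_ptr(uint64_t v, const void **out)
{
    uintptr_t narrow = (uintptr_t)v;
    if ((uint64_t)narrow != v)
        return false;
    *out = (const void *)narrow;
    return true;
}

/* Distance test in uint64_t, avoiding labs() on a possibly 32-bit long. */
static bool near_u64(uint64_t a, uint64_t b, uint64_t limit)
{
    uint64_t diff = (a > b) ? (a - b) : (b - a);
    return diff < limit;
}

/* PRIx64 picks the right length modifier ("lx" or "llx") per target. */
static int format_u64(char *buf, size_t len, uint64_t v)
{
    return snprintf(buf, len, "0x%016" PRIx64, v);
}

int main(void)
{
    int sample = 0;          /* constructed object to take an address of */
    const void *back = NULL;
    char buf[32];
    bool ok = u64_to_ptr(ptr_to_u64(&sample), &back) && back == &sample;
    format_u64(buf, sizeof buf, ptr_to_u64(&sample));
    printf("round trip %s, address %s\n", ok ? "ok" : "failed", buf);
    return ok ? 0 : 1;
}
```

On a 32-bit target u64_to_ptr returns false for any value above 32 bits, which makes a truncated address visible as an error instead of a silently wrong pointer.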