Invalid filename/mode in openat tracepoint data
alessandro.gario@...
Hello everyone,
I'll start with some backstory first: I wrote my own BPF library to trace functions/syscalls and yesterday I noticed that I am sometimes receiving broken openat() tracepoint data. This happens randomly, often when processes are created in a short burst (like opening a new terminal instance with zsh + oh-my-zsh installed).

I initially thought it was my fault, and proceeded to debug the generated IR code and double check my tracepoint data definition (which, for reference, can be found here: https://github.com/trailofbits/ebpfpub/blob/master/ebpfpub/src/tracepointserializers.cpp#L425). I ended up giving up, not finding the reason this was failing.

Today, I have tried to replicate the same functionality using BCC so I could compare the output with my library and I ended up inside the same weird behavior:

Full script here: https://gist.github.com/alessandrogario/968b9c3ea78559f470bc650c8496449e#file-bcc_openat_tracepoint-py

    bpf_trace_printk("sys_enter_openat mode:%ld "
                     "filename:%s (%ld)\\n",
                     args->mode, args->filename, args->filename);

    2608.223222000 b'git' 8998 b'sys_enter_openat mode:0 filename: (93849603522670)

I was able to replicate this problem on Ubuntu 20.20 (5.4.0), Arch Linux (5.7.9) and Ubuntu 19.10 (5.3.0).

Has anyone ever encountered this problem, or has a few pointers as to why it is happening?

Thanks!
Alessandro
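A check worth running against the symptom above, added here as an editor's example and not part of the post, the gist, or ebpfpub: BPF helpers read user memory with page faults disabled, so a string read at sys_enter_openat returns -EFAULT (and leaves the buffer empty) whenever the page holding the filename is not resident yet, which is plausible for a freshly exec'd process whose pages have not been touched. Whether that is the cause in this case is an assumption to verify, not something the post establishes. The script below (my own probe names, map layout and output format) records the return code of the read at enter, then re-reads the same user pointer at sys_exit_openat, by which point the kernel has copied the string in itself. A persistent -EFAULT at both points would instead indicate a bad pointer. Caveat: the process can rewrite its own buffer between enter and exit, so the exit-time string is not authoritative for security decisions; the kernel's own copy is what was actually opened.

```python
#!/usr/bin/env python3
"""Added example (not the post's script): read the openat() filename at
sys_enter_openat and again at sys_exit_openat, keeping both return codes so
an enter-time failure can be distinguished from a bad pointer."""
import re

# BPF C program handed to BCC. bpf_probe_read_user_str() exists on 5.5+;
# BCC falls back to bpf_probe_read_str() on older kernels.
BPF_TEXT = r"""
#include <uapi/linux/ptrace.h>

struct pending_t {
    const char *filename;   /* user pointer captured at syscall entry */
    long enter_rc;          /* return value of the string read at entry */
};

BPF_HASH(pending, u64, struct pending_t);

TRACEPOINT_PROBE(syscalls, sys_enter_openat) {
    struct pending_t p = {};
    char buf[64] = {};
    p.filename = args->filename;
    /* Page faults are disabled here: a not-yet-resident user page makes
       this return -EFAULT and leaves buf empty. Keep the rc for later. */
    p.enter_rc = bpf_probe_read_user_str(buf, sizeof(buf), args->filename);
    u64 id = bpf_get_current_pid_tgid();
    pending.update(&id, &p);
    return 0;
}

TRACEPOINT_PROBE(syscalls, sys_exit_openat) {
    u64 id = bpf_get_current_pid_tgid();
    struct pending_t *p = pending.lookup(&id);
    if (!p)
        return 0;
    char buf[64] = {};
    /* By now the kernel has read the string itself, so the page is resident. */
    long exit_rc = bpf_probe_read_user_str(buf, sizeof(buf), p->filename);
    bpf_trace_printk("openat ptr:%lx enter_rc:%ld exit_rc:%ld\n",
                     (u64)p->filename, p->enter_rc, exit_rc);
    bpf_trace_printk("openat filename:%s ret:%ld\n", buf, args->ret);
    pending.delete(&id);
    return 0;
}
"""

# Matches the first trace_printk line emitted by the exit probe above.
TRACE_RE = re.compile(r"openat ptr:([0-9a-f]+) enter_rc:(-?\d+) exit_rc:(-?\d+)")


def classify(msg):
    """Parse one 'openat ptr:... enter_rc:... exit_rc:...' line and label it.
    Returns None for lines in any other format (e.g. the filename line)."""
    m = TRACE_RE.search(msg)
    if not m:
        return None
    ptr = int(m.group(1), 16)
    enter_rc, exit_rc = int(m.group(2)), int(m.group(3))
    if enter_rc < 0 and exit_rc > 0:
        # Unreadable at entry, readable after the kernel touched it: the
        # page-not-resident hypothesis (assumption, see lead-in).
        verdict = "unreadable-at-enter-only"
    elif enter_rc < 0 and exit_rc < 0:
        verdict = "unreadable-at-both"   # likely a bad pointer
    else:
        verdict = "ok"
    return {"ptr": ptr, "enter_rc": enter_rc, "exit_rc": exit_rc,
            "verdict": verdict}


def main():
    # Needs root and a BPF-capable kernel; imported here so the pure helpers
    # above stay importable without bcc installed.
    from bcc import BPF
    b = BPF(text=BPF_TEXT)
    while True:
        try:
            task, pid, cpu, flags, ts, msg = b.trace_fields()
        except ValueError:
            continue
        text = msg.decode(errors="replace")
        info = classify(text)
        print(ts, task, pid, text, info["verdict"] if info else "")


if __name__ == "__main__":
    main()
```

Run it as root while opening a new terminal, as in the post; lines labelled unreadable-at-enter-only are the ones where an enter-only tracer would print an empty filename next to a valid-looking pointer.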