Access to struct with kprobe

Bilal
 

Dear all

I'm a student at Paris-VI University and currently I'm working on a project involving eBPF with the Linux network stack, and I need some guidance.

If we attach the eBPF program to a kprobe, and try to access a structure that does not exist in the declaration of the function in the Linux kernel, how will the eBPF instance behave in this case?

(exp: kprobe__inet_sendmsg(struct pt_regs *ctx, struct sock *sk)
//
int inet_sendmsg(struct socket *sock, struct msghdr *msg, size_t size)
// I know that we can access the "struct sock" through the "struct socket")

Thanks in advance for your help,

Best regards

Bilal


Yonghong Song
 

On Wed, Apr 18, 2018 at 9:17 AM, Aharram Bilal via iovisor-dev
<iovisor-dev@...> wrote:
Dear all

I'm a student at Paris-VI University and currently I'm working on a project
involving eBPF with the Linux network stack, and I need some guidance.

If we attach the eBPF program to a kprobe, and try to access a structure
that does not exist in the declaration of the function in the Linux kernel, how
will the eBPF instance behave in this case?
You can access it through arguments or through the "current" task pointer.
What exactly do you want to access, on which kprobe? More information will help
people understand your problem.



Teng Qin
 

BPF does not understand function signatures. The BPF program has access to
the register context (struct pt_regs *ctx).

If you use BCC, when you initiate (compile) your BPF program, the
compiler rewrites the function argument accesses into the corresponding
register accesses according to the calling convention (see
https://github.com/iovisor/bcc/blob/master/src/cc/export/helpers.h#L639
for the different archs). For example, on x64 and your inet_sendmsg
function, your access to sock->some_field will be translated to
*(ctx->di + offsetof(struct socket, some_field)).

To answer your question in short: if you are accessing the third
argument and it doesn't exist, you will effectively be accessing the
register, like ctx->dx on x64, and get whatever value it contains.


Paul Chaignon
 


On Wed, Apr 18, 2018 at 6:17 PM, Aharram Bilal via iovisor-dev <iovisor-dev@...> wrote:
Dear all

I'm a student at Paris-VI University and currently I'm working on a project involving eBPF with the Linux network stack, and I need some guidance.

If we attach the eBPF program to a kprobe, and try to access a structure that does not exist in the declaration of the function in the Linux kernel, how will the eBPF instance behave in this case?

From the "kprobe__" syntax, I'm guessing that you're using bcc. The bcc rewriter will replace the second argument of your function with a dereference on ctx (ctx->di on x86) [1]. It won't check that the type is coherent.
Then, when reading from sk, you will retrieve incorrect values, and the verifier may even reject your program because you're trying to do with struct sock something that is invalid with struct socket.
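A user-space model of the mechanism Teng Qin and Paul Chaignon describe, added here as an example rather than code from the thread or from bcc: it reproduces the x86-64 argument-to-register mapping (di, si, dx for the first three arguments) and shows what a probe declared with the wrong first-argument type actually reads. The pt_regs, socket, sock and msghdr layouts and all values are constructed stand-ins, not the kernel's.

```c
/* Added example (not from the thread or from bcc): a user-space model of
 * how BCC rewrites kprobe argument accesses into x86-64 register reads
 * (SysV order di, si, dx, cx, r8, r9) without checking argument types.
 * The macros mirror bcc's helpers.h; the struct layouts and sample
 * values are constructed stand-ins, not the kernel's definitions. */
#include <stddef.h>
#include <string.h>

struct pt_regs { unsigned long di, si, dx, cx, r8, r9; };
#define PT_REGS_PARM1(x) ((x)->di)
#define PT_REGS_PARM3(x) ((x)->dx)

struct sock   { unsigned int sk_family; unsigned short sk_num; };
struct socket { unsigned int state; short type; struct sock *sk; };
struct msghdr { void *msg_name; };

/* Constructed sample: a stream socket (type 1) whose sock has local port 443. */
static struct sock   g_sk   = { .sk_family = 2, .sk_num = 443 };
static struct socket g_sock = { .state = 3, .type = 1, .sk = &g_sk };
static struct msghdr g_msg  = { .msg_name = NULL };

/* Register state the kernel presents on entry to
 * inet_sendmsg(&g_sock, &g_msg, 1500): arg1 in di, arg2 in si, arg3 in dx. */
static struct pt_regs entry_regs(void) {
    struct pt_regs r;
    memset(&r, 0, sizeof r);
    r.di = (unsigned long)&g_sock;
    r.si = (unsigned long)&g_msg;
    r.dx = 1500;
    return r;
}

/* Correct probe shape: arg1 really is struct socket *, so walk sock->sk.
 * (In a real BPF program each dereference goes through bpf_probe_read_kernel().) */
static unsigned short probe_ok(struct pt_regs *ctx) {
    struct socket *sock = (struct socket *)PT_REGS_PARM1(ctx);
    return sock->sk->sk_num;
}

/* The shape from the question: arg1 declared as struct sock *. The rewriter
 * still emits a read of di; the bytes of struct socket are reinterpreted. */
static unsigned short probe_wrong_type(struct pt_regs *ctx) {
    struct sock *sk = (struct sock *)PT_REGS_PARM1(ctx);
    return sk->sk_num;   /* offset 4 lands on socket.type (1), not a port */
}

unsigned short port_correct(void)    { struct pt_regs r = entry_regs(); return probe_ok(&r); }
unsigned short port_wrong_type(void) { struct pt_regs r = entry_regs(); return probe_wrong_type(&r); }
/* A "third argument" is whatever dx holds: here the size, not a pointer. */
unsigned long third_arg_raw(void)    { struct pt_regs r = entry_regs(); return PT_REGS_PARM3(&r); }
```

The mis-declared probe returns a field of struct socket silently reinterpreted as struct sock, which is the "incorrect values" case; a real kernel struct sock has a different layout, so the garbage would differ but the mechanism is the same.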

Bilal
 

Thank you very much for your reply. It is clearer now.

Best regards
