fix listen syscall backlog field size

Reported by: github issue #515 Signed-off-by: Ofer Heifetz <oheifetz@gmail.com>
falcosecurity · Jul 20, 2023 · 9925b64 · 9925b64
1 parent dca4292
commit 9925b64
Show file tree

Hide file tree

Showing 14 changed files with 30 additions and 25 deletions.
diff --git a/driver/event_stats.h b/driver/event_stats.h
@@ -1,7 +1,7 @@
 #pragma once
 
 /* These numbers must be updated when we add new events in the event table */
-#define SYSCALL_EVENTS_NUM 362
+#define SYSCALL_EVENTS_NUM 364
 #define TRACEPOINT_EVENTS_NUM 6
 #define METAEVENTS_NUM 20
 #define PLUGIN_EVENTS_NUM 1

diff --git a/driver/event_table.c b/driver/event_table.c
@@ -71,8 +71,10 @@ const struct ppm_event_info g_event_info[] = {
 	[PPME_SOCKET_BIND_X] = {"bind", EC_NET | EC_SYSCALL, EF_USES_FD | EF_MODIFIES_STATE, 2, {{"res", PT_ERRNO, PF_DEC}, {"addr", PT_SOCKADDR, PF_NA} } },
 	[PPME_SOCKET_CONNECT_E] = {"connect", EC_NET | EC_SYSCALL, EF_USES_FD | EF_MODIFIES_STATE, 2, {{"fd", PT_FD, PF_DEC}, {"addr", PT_SOCKADDR, PF_NA} } },
 	[PPME_SOCKET_CONNECT_X] = {"connect", EC_NET | EC_SYSCALL, EF_USES_FD | EF_MODIFIES_STATE, 3, {{"res", PT_ERRNO, PF_DEC}, {"tuple", PT_SOCKTUPLE, PF_NA}, {"fd", PT_FD, PF_DEC } } },
-	[PPME_SOCKET_LISTEN_E] = {"listen", EC_NET | EC_SYSCALL, EF_USES_FD, 2, {{"fd", PT_FD, PF_DEC}, {"backlog", PT_UINT32, PF_DEC} } },
-	[PPME_SOCKET_LISTEN_X] = {"listen", EC_NET | EC_SYSCALL, EF_USES_FD, 1, {{"res", PT_ERRNO, PF_DEC} } },
+	[PPME_SOCKET_LISTEN_E] = {"listen", EC_NET | EC_SYSCALL, EF_USES_FD | EF_OLD_VERSION, 2, {{"fd", PT_FD, PF_DEC}, {"backlog", PT_UINT32, PF_DEC} } },
+	[PPME_SOCKET_LISTEN_X] = {"listen", EC_NET | EC_SYSCALL, EF_USES_FD | EF_OLD_VERSION, 1, {{"res", PT_ERRNO, PF_DEC} } },
+	[PPME_SOCKET_LISTEN_1_E] = {"listen", EC_NET | EC_SYSCALL, EF_USES_FD, 2, {{"fd", PT_FD, PF_DEC}, {"backlog", PT_INT32, PF_DEC} } },
+	[PPME_SOCKET_LISTEN_1_X] = {"listen", EC_NET | EC_SYSCALL, EF_USES_FD, 1, {{"res", PT_ERRNO, PF_DEC} } },
 	[PPME_SOCKET_ACCEPT_E] = {"accept", EC_NET | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE | EF_OLD_VERSION, 0},
 	[PPME_SOCKET_ACCEPT_X] = {"accept", EC_NET | EC_SYSCALL, EF_CREATES_FD | EF_MODIFIES_STATE | EF_OLD_VERSION, 3, {{"fd", PT_FD, PF_DEC}, {"tuple", PT_SOCKTUPLE, PF_NA}, {"queuepct", PT_UINT8, PF_DEC} } },
 	[PPME_SOCKET_SEND_E] = {"send", EC_IO_WRITE | EC_SYSCALL, EF_USES_FD | EF_WRITES_TO_FD, 2, {{"fd", PT_FD, PF_DEC}, {"size", PT_UINT32, PF_DEC} } },

diff --git a/driver/fillers_table.c b/driver/fillers_table.c
@@ -39,8 +39,8 @@ const struct ppm_event_entry g_ppm_events[PPM_EVENT_MAX] = {
 	[PPME_SOCKET_BIND_X] = {FILLER_REF(sys_socket_bind_x)},
 	[PPME_SOCKET_CONNECT_E] = {FILLER_REF(sys_connect_e)},
 	[PPME_SOCKET_CONNECT_X] = {FILLER_REF(sys_connect_x)},
-	[PPME_SOCKET_LISTEN_E] = {FILLER_REF(sys_autofill), 2, APT_SOCK, {{0}, {1} } },
-	[PPME_SOCKET_LISTEN_X] = {FILLER_REF(sys_single_x)},
+	[PPME_SOCKET_LISTEN_1_E] = {FILLER_REF(sys_autofill), 2, APT_SOCK, {{0}, {1} } },
+	[PPME_SOCKET_LISTEN_1_X] = {FILLER_REF(sys_single_x)},
 	[PPME_SOCKET_SEND_E] = {FILLER_REF(sys_send_e)},
 	[PPME_SOCKET_SEND_X] = {FILLER_REF(sys_send_x)},
 	[PPME_SOCKET_SENDTO_E] = {FILLER_REF(sys_sendto_e)},

diff --git a/driver/modern_bpf/definitions/events_dimensions.h b/driver/modern_bpf/definitions/events_dimensions.h
@@ -92,7 +92,7 @@
 #define ACCEPT_E_SIZE HEADER_LEN
 #define ACCEPT4_E_SIZE HEADER_LEN + sizeof(uint32_t) + PARAM_LEN
 #define BIND_E_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
-#define LISTEN_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(uint32_t) + PARAM_LEN * 2
+#define LISTEN_E_SIZE HEADER_LEN + sizeof(int64_t) + sizeof(int32_t) + PARAM_LEN * 2
 #define LISTEN_X_SIZE HEADER_LEN + sizeof(int64_t) + PARAM_LEN
 #define CLONE_E_SIZE HEADER_LEN
 #define CLONE3_E_SIZE HEADER_LEN

diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/listen.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/listen.bpf.c
@@ -15,7 +15,7 @@ int BPF_PROG(listen_e,
 	     long id)
 {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, LISTEN_E_SIZE, PPME_SOCKET_LISTEN_E))
+	if(!ringbuf__reserve_space(&ringbuf, ctx, LISTEN_E_SIZE, PPME_SOCKET_LISTEN_1_E))
 	{
 		return 0;
 	}
@@ -32,10 +32,9 @@ int BPF_PROG(listen_e,
 	s32 fd = (s32)args[0];
 	ringbuf__store_s64(&ringbuf, (s64)fd);
 
-	/* Parameter 2: backlog (type: PT_UINT32) */
-	/// TODO: This should be an `int` not a `uint32_t`
-	u32 backlog = (u32)args[1];
-	ringbuf__store_u32(&ringbuf, backlog);
+	/* Parameter 2: backlog (type: PT_INT32) */
+	s32 backlog = (s32)args[1];
+	ringbuf__store_s32(&ringbuf, backlog);
 
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
@@ -54,7 +53,7 @@ int BPF_PROG(listen_x,
 	     long ret)
 {
 	struct ringbuf_struct ringbuf;
-	if(!ringbuf__reserve_space(&ringbuf, ctx, LISTEN_X_SIZE, PPME_SOCKET_LISTEN_X))
+	if(!ringbuf__reserve_space(&ringbuf, ctx, LISTEN_X_SIZE, PPME_SOCKET_LISTEN_1_X))
 	{
 		return 0;
 	}

diff --git a/driver/ppm_events_public.h b/driver/ppm_events_public.h
@@ -1383,7 +1383,9 @@ typedef enum {
 	PPME_SYSCALL_PIDFD_GETFD_X = 407,
 	PPME_SYSCALL_PIDFD_OPEN_E = 408,
 	PPME_SYSCALL_PIDFD_OPEN_X = 409,
-	PPM_EVENT_MAX = 410
+	PPME_SOCKET_LISTEN_1_E = 410,
+	PPME_SOCKET_LISTEN_1_X = 411,
+	PPM_EVENT_MAX = 412
 } ppm_event_code;
 /*@}*/
 

diff --git a/driver/socketcall_to_syscall.c b/driver/socketcall_to_syscall.c
@@ -191,7 +191,7 @@ int socketcall_code_to_syscall_code(int socketcall_code, bool* is_syscall_return
 		return PPME_SOCKET_BIND_E;
 
 	case SYS_LISTEN:
-		return PPME_SOCKET_LISTEN_E;
+		return PPME_SOCKET_LISTEN_1_E;
 
 	case SYS_CONNECT:
 		return PPME_SOCKET_CONNECT_E;

diff --git a/driver/syscall_table.c b/driver/syscall_table.c
@@ -154,7 +154,7 @@ const struct syscall_evt_pair g_syscall_table[SYSCALL_TABLE_SIZE] = {
 	[__NR_connect - SYSCALL_TABLE_ID0] =                    {UF_USED, PPME_SOCKET_CONNECT_E, PPME_SOCKET_CONNECT_X, PPM_SC_CONNECT},
 #endif
 #ifdef __NR_listen
-	[__NR_listen - SYSCALL_TABLE_ID0] =                     {UF_USED, PPME_SOCKET_LISTEN_E, PPME_SOCKET_LISTEN_X, PPM_SC_LISTEN},
+	[__NR_listen - SYSCALL_TABLE_ID0] =                     {UF_USED, PPME_SOCKET_LISTEN_1_E, PPME_SOCKET_LISTEN_1_X, PPM_SC_LISTEN},
 #endif
 #ifdef __NR_accept
 	[__NR_accept - SYSCALL_TABLE_ID0] =                     {UF_USED, PPME_SOCKET_ACCEPT_5_E, PPME_SOCKET_ACCEPT_5_X, PPM_SC_ACCEPT},

diff --git a/test/drivers/test_suites/syscall_enter_suite/socketcall_e.cpp b/test/drivers/test_suites/syscall_enter_suite/socketcall_e.cpp
@@ -484,8 +484,8 @@ TEST(SyscallEnter, socketcall_listenE)
 	/* Parameter 1: fd (type: PT_FD) */
 	evt_test->assert_numeric_param(1, (int64_t)socket_fd);
 
-	/* Parameter 2: backlog (type: PT_UINT32) */
-	evt_test->assert_numeric_param(2, (uint32_t)backlog);
+	/* Parameter 2: backlog (type: PT_INT32) */
+	evt_test->assert_numeric_param(2, (int32_t)backlog);
 
 	/*=============================== ASSERT PARAMETERS  ===========================*/
 

diff --git a/test/libscap/helpers/engines.cpp b/test/libscap/helpers/engines.cpp
@@ -96,7 +96,7 @@ void check_event_is_not_overwritten(scap_t *h)
 
 void check_event_order(scap_t *h)
 {
-	uint32_t events_to_assert[EVENTS_TO_ASSERT] = {PPME_SYSCALL_CLOSE_E, PPME_SYSCALL_CLOSE_X, PPME_SYSCALL_OPENAT_2_E, PPME_SYSCALL_OPENAT_2_X, PPME_SOCKET_LISTEN_E, PPME_SOCKET_LISTEN_X, PPME_SOCKET_ACCEPT4_6_E, PPME_SOCKET_ACCEPT4_6_X, PPME_SYSCALL_GETEGID_E, PPME_SYSCALL_GETEGID_X, PPME_SYSCALL_GETGID_E, PPME_SYSCALL_GETGID_X, PPME_SYSCALL_GETEUID_E, PPME_SYSCALL_GETEUID_X, PPME_SYSCALL_GETUID_E, PPME_SYSCALL_GETUID_X, PPME_SOCKET_BIND_E, PPME_SOCKET_BIND_X, PPME_SOCKET_CONNECT_E, PPME_SOCKET_CONNECT_X, PPME_SOCKET_SENDTO_E, PPME_SOCKET_SENDTO_X, PPME_SOCKET_GETSOCKOPT_E, PPME_SOCKET_GETSOCKOPT_X, PPME_SOCKET_RECVMSG_E, PPME_SOCKET_RECVMSG_X, PPME_SOCKET_RECVFROM_E, PPME_SOCKET_RECVFROM_X, PPME_SOCKET_SOCKET_E, PPME_SOCKET_SOCKET_X, PPME_SOCKET_SOCKETPAIR_E, PPME_SOCKET_SOCKETPAIR_X};
+	uint32_t events_to_assert[EVENTS_TO_ASSERT] = {PPME_SYSCALL_CLOSE_E, PPME_SYSCALL_CLOSE_X, PPME_SYSCALL_OPENAT_2_E, PPME_SYSCALL_OPENAT_2_X, PPME_SOCKET_LISTEN_1_E, PPME_SOCKET_LISTEN_1_X, PPME_SOCKET_ACCEPT4_6_E, PPME_SOCKET_ACCEPT4_6_X, PPME_SYSCALL_GETEGID_E, PPME_SYSCALL_GETEGID_X, PPME_SYSCALL_GETGID_E, PPME_SYSCALL_GETGID_X, PPME_SYSCALL_GETEUID_E, PPME_SYSCALL_GETEUID_X, PPME_SYSCALL_GETUID_E, PPME_SYSCALL_GETUID_X, PPME_SOCKET_BIND_E, PPME_SOCKET_BIND_X, PPME_SOCKET_CONNECT_E, PPME_SOCKET_CONNECT_X, PPME_SOCKET_SENDTO_E, PPME_SOCKET_SENDTO_X, PPME_SOCKET_GETSOCKOPT_E, PPME_SOCKET_GETSOCKOPT_X, PPME_SOCKET_RECVMSG_E, PPME_SOCKET_RECVMSG_X, PPME_SOCKET_RECVFROM_E, PPME_SOCKET_RECVFROM_X, PPME_SOCKET_SOCKET_E, PPME_SOCKET_SOCKET_X, PPME_SOCKET_SOCKETPAIR_E, PPME_SOCKET_SOCKETPAIR_X};
 
 	/* Start the capture */
 	ASSERT_EQ(scap_start_capture(h), SCAP_SUCCESS) << "unable to start the capture: " << scap_getlasterr(h) << std::endl;

diff --git a/userspace/libpman/src/events_prog_names.h b/userspace/libpman/src/events_prog_names.h
@@ -110,8 +110,8 @@ static const char* event_prog_names[PPM_EVENT_MAX] = {
 	[PPME_SOCKET_ACCEPT_5_X] = "accept_x",
 	[PPME_SOCKET_BIND_E] = "bind_e",
 	[PPME_SOCKET_BIND_X] = "bind_x",
-	[PPME_SOCKET_LISTEN_E] = "listen_e",
-	[PPME_SOCKET_LISTEN_X] = "listen_x",
+	[PPME_SOCKET_LISTEN_1_E] = "listen_e",
+	[PPME_SOCKET_LISTEN_1_X] = "listen_x",
 	[PPME_SYSCALL_EXECVE_19_E] = "execve_e",
 	[PPME_SYSCALL_EXECVE_19_X] = "execve_x",
 	[PPME_SYSCALL_EXECVEAT_E] = "execveat_e",

diff --git a/userspace/libscap/linux/scap_ppm_sc.c b/userspace/libscap/linux/scap_ppm_sc.c
@@ -57,6 +57,8 @@ static const ppm_sc_code *g_events_to_sc_map[] = {
 	[PPME_SOCKET_CONNECT_X] = (ppm_sc_code[]){PPM_SC_CONNECT, -1},
 	[PPME_SOCKET_LISTEN_E] = (ppm_sc_code[]){PPM_SC_LISTEN, -1},
 	[PPME_SOCKET_LISTEN_X] = (ppm_sc_code[]){PPM_SC_LISTEN, -1},
+	[PPME_SOCKET_LISTEN_1_E] = (ppm_sc_code[]){PPM_SC_LISTEN, -1},
+	[PPME_SOCKET_LISTEN_1_X] = (ppm_sc_code[]){PPM_SC_LISTEN, -1},
 	[PPME_SOCKET_ACCEPT_E] = (ppm_sc_code[]){PPM_SC_ACCEPT, -1},
 	[PPME_SOCKET_ACCEPT_X] = (ppm_sc_code[]){PPM_SC_ACCEPT, -1},
 	[PPME_SOCKET_SEND_E] = (ppm_sc_code[]){PPM_SC_SEND, -1},

diff --git a/userspace/libscap/test/test_suites/engines/modern_bpf/modern_bpf.cpp b/userspace/libscap/test/test_suites/engines/modern_bpf/modern_bpf.cpp
@@ -244,7 +244,7 @@ TEST(modern_bpf, one_buffer_shared_between_all_online_CPUs_with_explicit_CPUs_nu
 
 void check_event_order(scap_t* h)
 {
-	uint32_t events_to_assert[EVENTS_TO_ASSERT] = {PPME_SYSCALL_CLOSE_E, PPME_SYSCALL_CLOSE_X, PPME_SYSCALL_OPENAT_2_E, PPME_SYSCALL_OPENAT_2_X, PPME_SOCKET_LISTEN_E, PPME_SOCKET_LISTEN_X, PPME_SOCKET_ACCEPT4_6_E, PPME_SOCKET_ACCEPT4_6_X, PPME_SYSCALL_GETEGID_E, PPME_SYSCALL_GETEGID_X, PPME_SYSCALL_GETGID_E, PPME_SYSCALL_GETGID_X, PPME_SYSCALL_GETEUID_E, PPME_SYSCALL_GETEUID_X, PPME_SYSCALL_GETUID_E, PPME_SYSCALL_GETUID_X, PPME_SOCKET_BIND_E, PPME_SOCKET_BIND_X, PPME_SOCKET_CONNECT_E, PPME_SOCKET_CONNECT_X, PPME_SOCKET_SENDTO_E, PPME_SOCKET_SENDTO_X, PPME_SOCKET_SENDMSG_E, PPME_SOCKET_SENDMSG_X, PPME_SOCKET_RECVMSG_E, PPME_SOCKET_RECVMSG_X, PPME_SOCKET_RECVFROM_E, PPME_SOCKET_RECVFROM_X, PPME_SOCKET_SOCKET_E, PPME_SOCKET_SOCKET_X, PPME_SOCKET_SOCKETPAIR_E, PPME_SOCKET_SOCKETPAIR_X};
+	uint32_t events_to_assert[EVENTS_TO_ASSERT] = {PPME_SYSCALL_CLOSE_E, PPME_SYSCALL_CLOSE_X, PPME_SYSCALL_OPENAT_2_E, PPME_SYSCALL_OPENAT_2_X, PPME_SOCKET_LISTEN_1_E, PPME_SOCKET_LISTEN_1_X, PPME_SOCKET_ACCEPT4_6_E, PPME_SOCKET_ACCEPT4_6_X, PPME_SYSCALL_GETEGID_E, PPME_SYSCALL_GETEGID_X, PPME_SYSCALL_GETGID_E, PPME_SYSCALL_GETGID_X, PPME_SYSCALL_GETEUID_E, PPME_SYSCALL_GETEUID_X, PPME_SYSCALL_GETUID_E, PPME_SYSCALL_GETUID_X, PPME_SOCKET_BIND_E, PPME_SOCKET_BIND_X, PPME_SOCKET_CONNECT_E, PPME_SOCKET_CONNECT_X, PPME_SOCKET_SENDTO_E, PPME_SOCKET_SENDTO_X, PPME_SOCKET_SENDMSG_E, PPME_SOCKET_SENDMSG_X, PPME_SOCKET_RECVMSG_E, PPME_SOCKET_RECVMSG_X, PPME_SOCKET_RECVFROM_E, PPME_SOCKET_RECVFROM_X, PPME_SOCKET_SOCKET_E, PPME_SOCKET_SOCKET_X, PPME_SOCKET_SOCKETPAIR_E, PPME_SOCKET_SOCKETPAIR_X};
 
 	/* Start the capture */
 	ASSERT_EQ(scap_start_capture(h), SCAP_SUCCESS) << "unable to start the capture: " << scap_getlasterr(h) << std::endl;

diff --git a/userspace/libsinsp/test/events_net.ut.cpp b/userspace/libsinsp/test/events_net.ut.cpp
@@ -305,8 +305,8 @@ TEST_F(sinsp_with_test_input, net_bind_listen_accept_ipv4)
 	ASSERT_FALSE(field_exists(evt, "fd.rport"));
 	ASSERT_FALSE(field_exists(evt, "fd.lport"));
 
-	add_event_advance_ts(increasing_ts(), 1, PPME_SOCKET_LISTEN_E, 2, server_fd, 5);
-	add_event_advance_ts(increasing_ts(), 1, PPME_SOCKET_LISTEN_X, 1, return_value);
+	add_event_advance_ts(increasing_ts(), 1, PPME_SOCKET_LISTEN_1_E, 2, server_fd, 5);
+	add_event_advance_ts(increasing_ts(), 1, PPME_SOCKET_LISTEN_1_X, 1, return_value);
 
 	sockaddr_in client = test_utils::fill_sockaddr_in(DEFAULT_CLIENT_PORT, DEFAULT_IPV4_CLIENT_STRING);
 
@@ -348,8 +348,8 @@ TEST_F(sinsp_with_test_input, net_bind_listen_accept_ipv6)
 	ASSERT_EQ(get_field_as_string(evt, "fd.name"), fdname);
 	ASSERT_EQ(get_field_as_string(evt, "fd.is_server"), "true");
 
-	add_event_advance_ts(increasing_ts(), 1, PPME_SOCKET_LISTEN_E, 2, server_fd, 5);
-	add_event_advance_ts(increasing_ts(), 1, PPME_SOCKET_LISTEN_X, 1, return_value);
+	add_event_advance_ts(increasing_ts(), 1, PPME_SOCKET_LISTEN_1_E, 2, server_fd, 5);
+	add_event_advance_ts(increasing_ts(), 1, PPME_SOCKET_LISTEN_1_X, 1, return_value);
 
 	sockaddr_in6 client = test_utils::fill_sockaddr_in6(DEFAULT_CLIENT_PORT, DEFAULT_IPV6_CLIENT_STRING);