1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
|
/*
Copyright (C) 2021 The Falco Authors.
This file is dual licensed under either the MIT or GPL 2. See MIT.txt
or GPL2.txt for full copies of the license.
*/
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#ifndef UDIG
#include <linux/compat.h>
#include <linux/kobject.h>
#include <linux/cdev.h>
#include <net/sock.h>
#include <net/af_unix.h>
#include <net/compat.h>
#include <linux/ip.h>
#include <linux/tcp.h>
#include <linux/udp.h>
#include <linux/file.h>
#include <linux/fs_struct.h>
#include <linux/uaccess.h>
#include <linux/version.h>
#include <linux/module.h>
#include <linux/kernel.h>
#include <asm/mman.h>
#include <linux/in.h>
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 20)
#include <linux/mount.h>
#include "ppm_syscall.h"
#else
#include <asm/syscall.h>
#endif
#else // UDIG
#define _GNU_SOURCE
#ifndef WDIG
#include <inttypes.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdbool.h>
#include <stdarg.h>
#include <limits.h>
#include <unistd.h>
#include <sys/mman.h>
#include <signal.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/syscall.h>
#include <time.h>
#include <netinet/in.h>
#include <sys/param.h>
#include <sched.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <poll.h>
#include <sys/sem.h>
#include <sys/file.h>
#include <sys/quota.h>
#include <sys/ptrace.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <errno.h>
#else /* WDIG */
#include "stdint.h"
#include <winsock2.h>
#include <ws2tcpip.h>
#include <afunix.h>
#include "portal.h"
#pragma warning(disable : 4996)
#endif /* WDIG */
#include "udig_capture.h"
#include "ppm_ringbuffer.h"
#include "ppm_events_public.h"
#include "ppm_events.h"
#include "ppm.h"
#include "udig_inf.h"
#endif /* UDIG */
#include "ppm_ringbuffer.h"
#include "ppm_events_public.h"
#include "ppm_events.h"
#include "ppm.h"
#include "ppm_flag_helpers.h"
#include "ppm_version.h"
/*
* The kernel patched with grsecurity makes the default access_ok trigger a
* might_sleep(), so if present we use the one defined by them
*/
#ifndef UDIG
#ifdef access_ok_noprefault
#define ppm_access_ok access_ok_noprefault
#else
#if (LINUX_VERSION_CODE >= KERNEL_VERSION(5, 0, 0)) || (PPM_RHEL_RELEASE_CODE > 0 && PPM_RHEL_RELEASE_CODE >= PPM_RHEL_RELEASE_VERSION(8, 1))
#define ppm_access_ok(type, addr, size) access_ok(addr, size)
#else
#define ppm_access_ok(type, addr, size) access_ok(type, addr, size)
#endif
#endif
extern bool g_tracers_enabled;
static void memory_dump(char *p, size_t size)
{
unsigned int j;
for (j = 0; j < size; j += 8)
pr_info("%*ph\n", 8, &p[j]);
}
#endif // UDIG
static inline bool in_port_range(uint16_t port, uint16_t min, uint16_t max)
{
return port >= min && port <= max;
}
/*
* Globals
*/
u32 g_http_options_intval;
u32 g_http_get_intval;
u32 g_http_head_intval;
u32 g_http_post_intval;
u32 g_http_put_intval;
u32 g_http_delete_intval;
u32 g_http_trace_intval;
u32 g_http_connect_intval;
u32 g_http_resp_intval;
#ifndef UDIG
/*
* What this function does is basically a special memcpy
* so that, if the page fault handler detects the address is invalid,
* won't kill the process but will return a positive number
* Plus, this doesn't sleep.
* The risk is that if the buffer is partially paged out, we get an error.
* Returns the number of bytes NOT read.
*/
unsigned long ppm_copy_from_user(void *to, const void __user *from, unsigned long n)
{
unsigned long res = n;
pagefault_disable();
if (likely(ppm_access_ok(VERIFY_READ, from, n)))
res = __copy_from_user_inatomic(to, from, n);
pagefault_enable();
return res;
}
/*
* On some kernels (e.g. 2.6.39), even with preemption disabled, the strncpy_from_user,
* instead of returning -1 after a page fault, schedules the process, so we drop events
* because of the preemption. This function reads the user buffer in atomic chunks, and
* returns when there's an error or the terminator is found
*/
long ppm_strncpy_from_user(char *to, const char __user *from, unsigned long n)
{
long string_length = 0;
long res = -1;
unsigned long bytes_to_read = 4;
int j;
pagefault_disable();
while (n) {
/*
* Read bytes_to_read bytes at a time, and look for the terminator. Should be fast
* since the copy_from_user is optimized for the processor
*/
if (n < bytes_to_read)
bytes_to_read = n;
if (!ppm_access_ok(VERIFY_READ, from, bytes_to_read)) {
res = -1;
goto strncpy_end;
}
if (__copy_from_user_inatomic(to, from, bytes_to_read)) {
/*
* Page fault
*/
res = -1;
goto strncpy_end;
}
n -= bytes_to_read;
from += bytes_to_read;
for (j = 0; j < bytes_to_read; ++j) {
++string_length;
if (!*to) {
res = string_length;
goto strncpy_end;
}
++to;
}
}
strncpy_end:
pagefault_enable();
return res;
}
#endif
int32_t dpi_lookahead_init(void)
{
g_http_options_intval = (*(u32 *)HTTP_OPTIONS_STR);
g_http_get_intval = (*(u32 *)HTTP_GET_STR);
g_http_head_intval = (*(u32 *)HTTP_HEAD_STR);
g_http_post_intval = (*(u32 *)HTTP_POST_STR);
g_http_put_intval = (*(u32 *)HTTP_PUT_STR);
g_http_delete_intval = (*(u32 *)HTTP_DELETE_STR);
g_http_trace_intval = (*(u32 *)HTTP_TRACE_STR);
g_http_connect_intval = (*(u32 *)HTTP_CONNECT_STR);
g_http_resp_intval = (*(u32 *)HTTP_RESP_STR);
return PPM_SUCCESS;
}
#ifndef UDIG
inline int sock_getname(struct socket* sock, struct sockaddr* sock_address, int peer)
{
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 17, 0)
int ret = sock->ops->getname(sock, sock_address, peer);
if (ret >= 0)
ret = 0;
return ret;
#else
int sockaddr_len;
return sock->ops->getname(sock, sock_address, &sockaddr_len, peer);
#endif
}
/**
* Compute the snaplen for the arguments.
*
* The snaplen is the amount of argument data returned along with the event.
* Normally, the driver performs a dynamic calculation to figure out snaplen
* per-event. However, if this calculation is disabled
* (i.e. args->consumer->do_dynamic_snaplen == false), the snaplen will always
* be args->consumer->snaplen.
*
* If dynamic snaplen is enabled, here's how the calculation works:
*
* 1. If the event is a write to /dev/null, it gets a special snaplen because
* writes to /dev/null is a backdoor method for inserting special events
* into the event stream.
* 2. If the event is NOT a socket operation, return args->consumer->snaplen.
* 3. If the sending port OR destination port falls within the fullcapture port
* range specified by the user, return 16000.
* 4. Protocol detection. A number of applications are detected heuristically
* and given a longer snaplen (2000). These applications are MYSQL, Postgres,
* HTTP, mongodb, and statsd.
* 5. If none of the above apply, return args->consumer->snaplen.
*/
inline u32 compute_snaplen(struct event_filler_arguments *args, char *buf, u32 lookahead_size)
{
u32 res = args->consumer->snaplen;
int err;
struct socket *sock;
sa_family_t family;
struct sockaddr_storage sock_address;
struct sockaddr_storage peer_address;
u16 sport, dport;
u16 min_port = 0, max_port = 0;
u32 dynamic_snaplen = 2000;
if (args->consumer->snaplen > dynamic_snaplen) {
/*
* If the user requested a default snaplen greater than the custom
* snaplen given to certain applications, just use the greater value.
*/
dynamic_snaplen = args->consumer->snaplen;
}
/* Increase snaplen on writes to /dev/null */
if (g_tracers_enabled && args->event_type == PPME_SYSCALL_WRITE_X) {
#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 14, 0)
struct fd f = fdget(args->fd);
if (f.file && f.file->f_inode) {
if (f.file->f_inode->i_rdev == PPM_NULL_RDEV) {
res = RW_SNAPLEN_EVENT;
fdput(f);
return res;
}
fdput(f);
}
#else
struct file* file = fget(args->fd);
/* Use cached f_inode only on kernel versions that have it
* https://github.com/torvalds/linux/commit/dd37978c50bc8b354e5c4633f69387f16572fdac
*/
#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 9, 0)
if (file && file->f_inode) {
if (file->f_inode->i_rdev == PPM_NULL_RDEV) {
// Use f_dentry for older kernel versions
#elif LINUX_VERSION_CODE <= KERNEL_VERSION(2,6,20)
if (file && file->f_dentry && file->f_dentry->d_inode) {
if (file->f_dentry->d_inode->i_rdev == PPM_NULL_RDEV) {
#else
if (file && file->f_path.dentry && file->f_path.dentry->d_inode) {
if (file->f_path.dentry->d_inode->i_rdev == PPM_NULL_RDEV) {
#endif
res = RW_SNAPLEN_EVENT;
fput(file);
return res;
}
fput(file);
}
#endif
}
if (!args->consumer->do_dynamic_snaplen)
return res;
sock = sockfd_lookup(args->fd, &err);
if (!sock) {
return res;
}
if (!sock->sk) {
goto done;
}
err = sock_getname(sock, (struct sockaddr *)&sock_address, 0);
if (err != 0) {
goto done;
}
/* Try to get the source and destination port */
if (args->event_type == PPME_SOCKET_SENDTO_X) {
unsigned long syscall_args[6] = {};
unsigned long val;
struct sockaddr __user * usrsockaddr;
/*
* Get the address
*/
if (!args->is_socketcall) {
ppm_syscall_get_arguments(current, args->regs, syscall_args);
val = syscall_args[4];
} else {
val = args->socketcall_args[4];
}
usrsockaddr = (struct sockaddr __user *)val;
if(usrsockaddr == NULL) {
/*
* Suppose is a connected socket, fall back to fd
*/
err = sock_getname(sock, (struct sockaddr *)&peer_address, 1);
} else {
/*
* Get the address len
*/
if (!args->is_socketcall) {
ppm_syscall_get_arguments(current, args->regs, syscall_args);
val = syscall_args[5];
} else {
val = args->socketcall_args[5];
}
if (val != 0) {
/*
* Copy the address
*/
err = addr_to_kernel(usrsockaddr, val, (struct sockaddr *)&peer_address);
} else {
/*
* This case should be very rare, fallback again to sock
*/
err = sock_getname(sock, (struct sockaddr *)&peer_address, 1);
}
}
} else if (args->event_type == PPME_SOCKET_SENDMSG_X) {
unsigned long syscall_args[6] = {};
unsigned long val;
struct sockaddr __user * usrsockaddr;
int addrlen;
#ifdef CONFIG_COMPAT
struct compat_msghdr compat_mh;
#endif
#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 19, 0)
struct user_msghdr mh;
#else
struct msghdr mh;
#endif
if (!args->is_socketcall) {
ppm_syscall_get_arguments(current, args->regs, syscall_args);
val = syscall_args[1];
} else {
val = args->socketcall_args[1];
}
#ifdef CONFIG_COMPAT
if (!args->compat) {
#endif
if (unlikely(ppm_copy_from_user(&mh, (const void __user *)val, sizeof(mh)))) {
usrsockaddr = NULL;
addrlen = 0;
} else {
usrsockaddr = (struct sockaddr __user *)mh.msg_name;
addrlen = mh.msg_namelen;
}
#ifdef CONFIG_COMPAT
} else {
if (unlikely(ppm_copy_from_user(&compat_mh, (const void __user *)compat_ptr(val), sizeof(compat_mh)))) {
usrsockaddr = NULL;
addrlen = 0;
} else {
usrsockaddr = (struct sockaddr __user *)compat_ptr(compat_mh.msg_name);
addrlen = compat_mh.msg_namelen;
}
}
#endif
if (usrsockaddr != NULL && addrlen != 0) {
/*
* Copy the address
*/
err = addr_to_kernel(usrsockaddr, addrlen, (struct sockaddr *)&peer_address);
} else {
/*
* Suppose it is a connected socket, fall back to fd
*/
err = sock_getname(sock, (struct sockaddr *)&peer_address, 1);
}
} else {
err = sock_getname(sock, (struct sockaddr *)&peer_address, 1);
}
if (err != 0) {
goto done;
}
/*
* If there's a valid source / dest port, use it to run heuristics
* for determining snaplen.
*/
min_port = args->consumer->fullcapture_port_range_start;
max_port = args->consumer->fullcapture_port_range_end;
family = sock->sk->sk_family;
if (family == AF_INET) {
sport = ntohs(((struct sockaddr_in *) &sock_address)->sin_port);
dport = ntohs(((struct sockaddr_in *) &peer_address)->sin_port);
} else if (family == AF_INET6) {
sport = ntohs(((struct sockaddr_in6 *) &sock_address)->sin6_port);
dport = ntohs(((struct sockaddr_in6 *) &peer_address)->sin6_port);
} else {
sport = 0;
dport = 0;
}
if (max_port > 0 &&
(in_port_range(sport, min_port, max_port) ||
in_port_range(dport, min_port, max_port))) {
/*
* Before checking the well-known ports, see if the user has requested
* an increased snaplen for the port in question.
*/
sockfd_put(sock);
return RW_MAX_FULLCAPTURE_PORT_SNAPLEN;
} else if (sport == PPM_PORT_MYSQL || dport == PPM_PORT_MYSQL) {
if (lookahead_size >= 5) {
if (buf[0] == 3 || buf[1] == 3 || buf[2] == 3 || buf[3] == 3 || buf[4] == 3) {
res = dynamic_snaplen;
goto done;
} else if (buf[2] == 0 && buf[3] == 0) {
res = dynamic_snaplen;
goto done;
}
}
} else if (sport == PPM_PORT_POSTGRES || dport == PPM_PORT_POSTGRES) {
if (lookahead_size >= 2) {
if ((buf[0] == 'Q' && buf[1] == 0) || /* SimpleQuery command */
(buf[0] == 'P' && buf[1] == 0) || /* Prepare statement command */
(buf[0] == 'E' && buf[1] == 0) /* error or execute command */
) {
res = dynamic_snaplen;
goto done;
}
}
if (lookahead_size >= 7 &&
(buf[4] == 0 && buf[5] == 3 && buf[6] == 0)) { /* startup command */
res = dynamic_snaplen;
goto done;
}
} else if ((sport == PPM_PORT_MONGODB || dport == PPM_PORT_MONGODB) ||
(lookahead_size >= 16 &&
(*(int32_t *)(buf+12) == 1 || /* matches header */
*(int32_t *)(buf+12) == 2001 ||
*(int32_t *)(buf+12) == 2002 ||
*(int32_t *)(buf+12) == 2003 ||
*(int32_t *)(buf+12) == 2004 ||
*(int32_t *)(buf+12) == 2005 ||
*(int32_t *)(buf+12) == 2006 ||
*(int32_t *)(buf+12) == 2007)
)
) {
res = dynamic_snaplen;
goto done;
} else if (dport == args->consumer->statsd_port) {
res = dynamic_snaplen;
goto done;
} else {
if (lookahead_size >= 5) {
if (*(u32 *)buf == g_http_get_intval ||
*(u32 *)buf == g_http_post_intval ||
*(u32 *)buf == g_http_put_intval ||
*(u32 *)buf == g_http_delete_intval ||
*(u32 *)buf == g_http_trace_intval ||
*(u32 *)buf == g_http_connect_intval ||
*(u32 *)buf == g_http_options_intval ||
((*(u32 *)buf == g_http_resp_intval) && (buf[4] == '/'))
) {
res = dynamic_snaplen;
goto done;
}
}
}
done:
sockfd_put(sock);
return res;
}
#endif // UDIG
/*
* NOTES:
* - val_len is ignored for everything other than PT_BYTEBUF.
* - fromuser is ignored for numeric types
* - dyn_idx is ignored for everything other than PT_DYN
*/
int val_to_ring(struct event_filler_arguments *args, uint64_t val, u32 val_len, bool fromuser, u8 dyn_idx)
{
const struct ppm_param_info *param_info;
int len = -1;
u16 *psize = (u16 *)(args->buffer + args->curarg * sizeof(u16));
u32 max_arg_size = args->arg_data_size;
if (unlikely(args->curarg >= args->nargs)) {
#ifndef UDIG
pr_err("(%u)val_to_ring: too many arguments for event #%u, type=%u, curarg=%u, nargs=%u tid:%u\n",
smp_processor_id(),
args->nevents,
(u32)args->event_type,
args->curarg,
args->nargs,
current->pid);
memory_dump(args->buffer - sizeof(struct ppm_evt_hdr), 32);
#endif
ASSERT(0);
return PPM_FAILURE_BUG;
}
if (unlikely(args->arg_data_size == 0))
return PPM_FAILURE_BUFFER_FULL;
if (max_arg_size > PPM_MAX_ARG_SIZE)
max_arg_size = PPM_MAX_ARG_SIZE;
param_info = &(g_event_info[args->event_type].params[args->curarg]);
if (param_info->type == PT_DYN && param_info->info != NULL) {
const struct ppm_param_info *dyn_params;
if (unlikely(dyn_idx >= param_info->ninfo)) {
ASSERT(0);
return PPM_FAILURE_BUG;
}
#if defined(UDIG) && !defined(WDIG)
dyn_params = (const struct ppm_param_info *)patch_pointer((uint8_t*)param_info->info);
#else
dyn_params = (const struct ppm_param_info *)param_info->info;
#endif
param_info = &dyn_params[dyn_idx];
if (likely(max_arg_size >= sizeof(u8))) {
*(u8 *)(args->buffer + args->arg_data_offset) = dyn_idx;
len = sizeof(u8);
} else {
return PPM_FAILURE_BUFFER_FULL;
}
args->arg_data_offset += len;
args->arg_data_size -= len;
max_arg_size -= len;
*psize = (u16)len;
} else {
*psize = 0;
}
switch (param_info->type) {
case PT_CHARBUF:
case PT_FSPATH:
case PT_FSRELPATH:
if (likely(val != 0)) {
#ifdef WDIG // strlcpy does not exist on Windows, where in any case we only have
// userlevel capture, so we default to ppm_strncpy_from_user
fromuser = true;
#endif
if (fromuser) {
len = ppm_strncpy_from_user(args->buffer + args->arg_data_offset,
(const char __user *)(syscall_arg_t)val, max_arg_size);
if (unlikely(len < 0))
return PPM_FAILURE_INVALID_USER_MEMORY;
} else {
len = (int)strlcpy(args->buffer + args->arg_data_offset,
(const char *)(syscall_arg_t)val,
max_arg_size);
if (++len > (int)max_arg_size)
len = max_arg_size;
}
/*
* Make sure the string is null-terminated
*/
*(char *)(args->buffer + args->arg_data_offset + len) = 0;
} else {
/*
* Handle NULL pointers
*/
len = (int)strlcpy(args->buffer + args->arg_data_offset,
"(NULL)",
max_arg_size);
if (++len > (int)max_arg_size)
len = max_arg_size;
}
break;
case PT_BYTEBUF:
if (likely(val != 0)) {
if (fromuser) {
/*
* Copy the lookahead portion of the buffer that we will use DPI-based
* snaplen calculation
*/
u32 dpi_lookahead_size = DPI_LOOKAHEAD_SIZE;
if (dpi_lookahead_size > val_len)
dpi_lookahead_size = val_len;
if (unlikely(dpi_lookahead_size >= max_arg_size))
return PPM_FAILURE_BUFFER_FULL;
len = (int)ppm_copy_from_user(args->buffer + args->arg_data_offset,
(const void __user *)(syscall_arg_t)val,
dpi_lookahead_size);
if (unlikely(len != 0))
return PPM_FAILURE_INVALID_USER_MEMORY;
/*
* Check if there's more to copy
*/
if (likely((dpi_lookahead_size != val_len))) {
/*
* Calculate the snaplen
*/
if (likely(args->enforce_snaplen)) {
u32 sl = args->consumer->snaplen;
#ifndef UDIG
sl = compute_snaplen(args, args->buffer + args->arg_data_offset, dpi_lookahead_size);
#endif
if (val_len > sl)
val_len = sl;
}
if (unlikely((val_len) >= max_arg_size))
val_len = max_arg_size;
if (val_len > dpi_lookahead_size) {
len = (int)ppm_copy_from_user(args->buffer + args->arg_data_offset + dpi_lookahead_size,
(const uint8_t __user *)(syscall_arg_t)val + dpi_lookahead_size,
val_len - dpi_lookahead_size);
if (unlikely(len != 0))
return PPM_FAILURE_INVALID_USER_MEMORY;
}
}
len = val_len;
} else {
if (likely(args->enforce_snaplen)) {
#ifdef UDIG
u32 sl = args->consumer->snaplen;
#else
u32 sl = compute_snaplen(args, (char *)(syscall_arg_t)val, val_len);
#endif
if (val_len > sl)
val_len = sl;
}
if (unlikely(val_len >= max_arg_size))
return PPM_FAILURE_BUFFER_FULL;
memcpy(args->buffer + args->arg_data_offset,
(void *)(syscall_arg_t)val, val_len);
len = val_len;
}
} else {
/*
* Handle NULL pointers
*/
len = 0;
}
break;
case PT_SOCKADDR:
case PT_SOCKTUPLE:
case PT_FDLIST:
if (likely(val != 0)) {
if (unlikely(val_len >= max_arg_size))
return PPM_FAILURE_BUFFER_FULL;
if (fromuser) {
len = (int)ppm_copy_from_user(args->buffer + args->arg_data_offset,
(const void __user *)(syscall_arg_t)val,
val_len);
if (unlikely(len != 0))
return PPM_FAILURE_INVALID_USER_MEMORY;
len = val_len;
} else {
memcpy(args->buffer + args->arg_data_offset,
(void *)(syscall_arg_t)val, val_len);
len = val_len;
}
} else {
/*
* Handle NULL pointers
*/
len = 0;
}
break;
case PT_FLAGS8:
case PT_UINT8:
case PT_SIGTYPE:
if (likely(max_arg_size >= sizeof(u8))) {
*(u8 *)(args->buffer + args->arg_data_offset) = (u8)val;
len = sizeof(u8);
} else {
return PPM_FAILURE_BUFFER_FULL;
}
break;
case PT_FLAGS16:
case PT_UINT16:
case PT_SYSCALLID:
if (likely(max_arg_size >= sizeof(u16))) {
*(u16 *)(args->buffer + args->arg_data_offset) = (u16)val;
len = sizeof(u16);
} else {
return PPM_FAILURE_BUFFER_FULL;
}
break;
case PT_FLAGS32:
case PT_UINT32:
case PT_MODE:
case PT_UID:
case PT_GID:
case PT_SIGSET:
if (likely(max_arg_size >= sizeof(u32))) {
*(u32 *)(args->buffer + args->arg_data_offset) = (u32)val;
len = sizeof(u32);
} else {
return PPM_FAILURE_BUFFER_FULL;
}
break;
case PT_RELTIME:
case PT_ABSTIME:
case PT_UINT64:
if (likely(max_arg_size >= sizeof(u64))) {
*(u64 *)(args->buffer + args->arg_data_offset) = (u64)val;
len = sizeof(u64);
} else {
return PPM_FAILURE_BUFFER_FULL;
}
break;
case PT_INT8:
if (likely(max_arg_size >= sizeof(s8))) {
*(s8 *)(args->buffer + args->arg_data_offset) = (s8)(long)val;
len = sizeof(s8);
} else {
return PPM_FAILURE_BUFFER_FULL;
}
break;
case PT_INT16:
if (likely(max_arg_size >= sizeof(s16))) {
*(s16 *)(args->buffer + args->arg_data_offset) = (s16)(long)val;
len = sizeof(s16);
} else {
return PPM_FAILURE_BUFFER_FULL;
}
break;
case PT_INT32:
if (likely(max_arg_size >= sizeof(s32))) {
*(s32 *)(args->buffer + args->arg_data_offset) = (s32)(long)val;
len = sizeof(s32);
} else {
return PPM_FAILURE_BUFFER_FULL;
}
break;
case PT_INT64:
case PT_ERRNO:
case PT_FD:
case PT_PID:
if (likely(max_arg_size >= sizeof(s64))) {
*(s64 *)(args->buffer + args->arg_data_offset) = (s64)(long)val;
len = sizeof(s64);
} else {
return PPM_FAILURE_BUFFER_FULL;
}
break;
default:
ASSERT(0);
#ifndef UDIG
pr_err("val_to_ring: invalid argument type %d. Event %u (%s) might have less parameters than what has been declared in nparams\n",
(int)g_event_info[args->event_type].params[args->curarg].type,
(u32)args->event_type,
g_event_info[args->event_type].name);
#endif
return PPM_FAILURE_BUG;
}
ASSERT(len <= PPM_MAX_ARG_SIZE);
ASSERT(len <= (int)max_arg_size);
*psize += (u16)len;
args->curarg++;
args->arg_data_offset += len;
args->arg_data_size -= len;
return PPM_SUCCESS;
}
/*
static struct socket *ppm_sockfd_lookup_light(int fd, int *err, int *fput_needed)
{
struct file *file;
struct socket *sock;
*err = -EBADF;
file = fget_light(fd, fput_needed);
if (file) {
sock = sock_from_file(file, err);
if (sock)
return sock;
fput_light(file, *fput_needed);
}
return NULL;
}
*/
static void unix_socket_path(char *dest, const char *path, size_t size)
{
if (path[0] == '\0') {
/*
* Extract from: https://man7.org/linux/man-pages/man7/unix.7.html
* an abstract socket address is distinguished (from a
* pathname socket) by the fact that sun_path[0] is a null byte
* ('\0'). The socket's address in this namespace is given by
* the additional bytes in sun_path that are covered by the
* specified length of the address structure.
*/
snprintf(dest,
size,
"@%s",
path + 1);
} else {
snprintf(dest,
size,
"%s",
path); /* we assume this will be smaller than (targetbufsize - (1 + 8 + 8)) */
}
}
/*
* Convert a sockaddr into our address representation and copy it to
* targetbuf
*/
u16 pack_addr(struct sockaddr *usrsockaddr,
int ulen,
char *targetbuf,
u16 targetbufsize)
{
u32 ip;
u16 port;
#ifdef WDIG
ADDRESS_FAMILY family = usrsockaddr->sa_family;
#else
sa_family_t family = usrsockaddr->sa_family;
#endif
struct sockaddr_in *usrsockaddr_in;
struct sockaddr_in6 *usrsockaddr_in6;
struct sockaddr_un *usrsockaddr_un;
u16 size;
char *dest;
switch (family) {
case AF_INET:
/*
* Map the user-provided address to a sockaddr_in
*/
usrsockaddr_in = (struct sockaddr_in *)usrsockaddr;
/*
* Retrieve the src address
*/
ip = usrsockaddr_in->sin_addr.s_addr;
port = ntohs(usrsockaddr_in->sin_port);
/*
* Pack the tuple info in the temporary buffer
*/
size = 1 + 4 + 2; /* family + ip + port */
*targetbuf = socket_family_to_scap((u8)family);
*(u32 *)(targetbuf + 1) = ip;
*(u16 *)(targetbuf + 5) = port;
break;
case AF_INET6:
/*
* Map the user-provided address to a sockaddr_in
*/
usrsockaddr_in6 = (struct sockaddr_in6 *)usrsockaddr;
/*
* Retrieve the src address
*/
port = ntohs(usrsockaddr_in6->sin6_port);
/*
* Pack the tuple info in the temporary buffer
*/
size = 1 + 16 + 2; /* family + ip + port */
*targetbuf = socket_family_to_scap((u8)family);
memcpy(targetbuf + 1,
usrsockaddr_in6->sin6_addr.s6_addr,
16);
*(u16 *)(targetbuf + 17) = port;
break;
case AF_UNIX:
/*
* Map the user-provided address to a sockaddr_in
*/
usrsockaddr_un = (struct sockaddr_un *)usrsockaddr;
/*
* Put a 0 at the end of struct sockaddr_un because
* the user might not have considered it in the length
*/
if (ulen == sizeof(struct sockaddr_storage))
*(((char *)usrsockaddr_un) + ulen - 1) = 0;
else
*(((char *)usrsockaddr_un) + ulen) = 0;
/*
* Pack the data into the target buffer
*/
size = 1;
*targetbuf = socket_family_to_scap((u8)family);
dest = targetbuf + 1;
unix_socket_path(dest, usrsockaddr_un->sun_path, UNIX_PATH_MAX);
size += (u16)strlen(dest) + 1;
break;
default:
size = 0;
break;
}
return size;
}
/*
* Convert a connection tuple into our tuple representation and copy it to
* targetbuf
*/
u16 fd_to_socktuple(int fd,
struct sockaddr *usrsockaddr,
int ulen,
bool use_userdata,
bool is_inbound,
char *targetbuf,
u16 targetbufsize)
{
int err = 0;
#ifdef WDIG
ADDRESS_FAMILY family;
#else
sa_family_t family;
#endif
u32 sip;
u32 dip;
u8 *sip6;
u8 *dip6;
u16 sport;
u16 dport;
struct sockaddr_in *usrsockaddr_in;
struct sockaddr_in6 *usrsockaddr_in6;
u16 size;
struct sockaddr_storage sock_address;
struct sockaddr_storage peer_address;
#ifndef UDIG
struct socket *sock;
char *dest;
struct unix_sock *us;
char *us_name;
struct sock *speer;
struct sockaddr_un *usrsockaddr_un;
/*
* Get the socket from the fd
* NOTE: sockfd_lookup() locks the socket, so we don't need to worry when we dig in it
*/
sock = sockfd_lookup(fd, &err);
if (unlikely(!sock || !(sock->sk))) {
/*
* This usually happens if the call failed without being able to establish a connection,
* i.e. if it didn't return something like SE_EINPROGRESS.
*/
if (sock)
sockfd_put(sock);
return 0;
}
#endif
#ifdef UDIG
socklen_t alen = sizeof(struct sockaddr_storage);
err = udig_getsockname(fd, (struct sockaddr *)&sock_address, &alen);
if(err < 0)
{
return 0;
}
family = sock_address.ss_family;
#else
err = sock_getname(sock, (struct sockaddr *)&sock_address, 0);
ASSERT(err == 0);
family = sock->sk->sk_family;
#endif
/*
* Extract and pack the info, based on the family
*/
switch (family) {
case AF_INET:
if (!use_userdata) {
#ifdef UDIG
socklen_t palen = sizeof(struct sockaddr_storage);
err = udig_getpeername(fd, (struct sockaddr *)&peer_address, &palen);
#else
err = sock_getname(sock, (struct sockaddr *)&peer_address, 1);
#endif
if (err == 0) {
if (is_inbound) {
sip = ((struct sockaddr_in *) &peer_address)->sin_addr.s_addr;
sport = ntohs(((struct sockaddr_in *) &peer_address)->sin_port);
dip = ((struct sockaddr_in *) &sock_address)->sin_addr.s_addr;
dport = ntohs(((struct sockaddr_in *) &sock_address)->sin_port);
} else {
sip = ((struct sockaddr_in *) &sock_address)->sin_addr.s_addr;
sport = ntohs(((struct sockaddr_in *) &sock_address)->sin_port);
dip = ((struct sockaddr_in *) &peer_address)->sin_addr.s_addr;
dport = ntohs(((struct sockaddr_in *) &peer_address)->sin_port);
}
} else {
sip = 0;
sport = 0;
dip = 0;
dport = 0;
}
} else {
/*
* Map the user-provided address to a sockaddr_in
*/
usrsockaddr_in = (struct sockaddr_in *)usrsockaddr;
if (is_inbound) {
sip = usrsockaddr_in->sin_addr.s_addr;
sport = ntohs(usrsockaddr_in->sin_port);
dip = ((struct sockaddr_in *) &sock_address)->sin_addr.s_addr;
dport = ntohs(((struct sockaddr_in *) &sock_address)->sin_port);
} else {
sip = ((struct sockaddr_in *) &sock_address)->sin_addr.s_addr;
sport = ntohs(((struct sockaddr_in *) &sock_address)->sin_port);
dip = usrsockaddr_in->sin_addr.s_addr;
dport = ntohs(usrsockaddr_in->sin_port);
}
}
/*
* Pack the tuple info in the temporary buffer
*/
size = 1 + 4 + 4 + 2 + 2; /* family + sip + dip + sport + dport */
*targetbuf = socket_family_to_scap((u8)family);
*(u32 *)(targetbuf + 1) = sip;
*(u16 *)(targetbuf + 5) = sport;
*(u32 *)(targetbuf + 7) = dip;
*(u16 *)(targetbuf + 11) = dport;
break;
case AF_INET6:
if (!use_userdata) {
#ifdef UDIG
socklen_t palen = sizeof(struct sockaddr_storage);
err = udig_getpeername(fd, (struct sockaddr *)&peer_address, &palen);
#else
err = sock_getname(sock, (struct sockaddr *)&peer_address, 1);
#endif
ASSERT(err == 0);
if (is_inbound) {
sip6 = ((struct sockaddr_in6 *) &peer_address)->sin6_addr.s6_addr;
sport = ntohs(((struct sockaddr_in6 *) &peer_address)->sin6_port);
dip6 = ((struct sockaddr_in6 *) &sock_address)->sin6_addr.s6_addr;
dport = ntohs(((struct sockaddr_in6 *) &sock_address)->sin6_port);
} else {
sip6 = ((struct sockaddr_in6 *) &sock_address)->sin6_addr.s6_addr;
sport = ntohs(((struct sockaddr_in6 *) &sock_address)->sin6_port);
dip6 = ((struct sockaddr_in6 *) &peer_address)->sin6_addr.s6_addr;
dport = ntohs(((struct sockaddr_in6 *) &peer_address)->sin6_port);
}
} else {
/*
* Map the user-provided address to a sockaddr_in6
*/
usrsockaddr_in6 = (struct sockaddr_in6 *)usrsockaddr;
if (is_inbound) {
sip6 = usrsockaddr_in6->sin6_addr.s6_addr;
sport = ntohs(usrsockaddr_in6->sin6_port);
dip6 = ((struct sockaddr_in6 *) &sock_address)->sin6_addr.s6_addr;
dport = ntohs(((struct sockaddr_in6 *) &sock_address)->sin6_port);
} else {
sip6 = ((struct sockaddr_in6 *) &sock_address)->sin6_addr.s6_addr;
sport = ntohs(((struct sockaddr_in6 *) &sock_address)->sin6_port);
dip6 = usrsockaddr_in6->sin6_addr.s6_addr;
dport = ntohs(usrsockaddr_in6->sin6_port);
}
}
/*
* Pack the tuple info in the temporary buffer
*/
size = 1 + 16 + 16 + 2 + 2; /* family + sip + dip + sport + dport */
*targetbuf = socket_family_to_scap((u8)family);
memcpy(targetbuf + 1,
sip6,
16);
*(u16 *)(targetbuf + 17) = sport;
memcpy(targetbuf + 19,
dip6,
16);
*(u16 *)(targetbuf + 35) = dport;
break;
case AF_UNIX:
#ifdef UDIG
size = 0;
#else
/*
* Retrieve the addresses
*/
us = unix_sk(sock->sk);
speer = us->peer;
*targetbuf = socket_family_to_scap(family);
if (is_inbound) {
*(uint64_t *)(targetbuf + 1) = (uint64_t)(unsigned long)us;
*(uint64_t *)(targetbuf + 1 + 8) = (uint64_t)(unsigned long)speer;
} else {
*(uint64_t *)(targetbuf + 1) = (uint64_t)(unsigned long)speer;
*(uint64_t *)(targetbuf + 1 + 8) = (uint64_t)(unsigned long)us;
}
/*
* Pack the data into the target buffer
*/
size = 1 + 8 + 8;
if (!use_userdata) {
if (is_inbound) {
us_name = ((struct sockaddr_un *) &sock_address)->sun_path;
} else {
err = sock_getname(sock, (struct sockaddr *)&peer_address, 1);
ASSERT(err == 0);
us_name = ((struct sockaddr_un *) &peer_address)->sun_path;
}
} else {
/*
* Map the user-provided address to a sockaddr_in
*/
usrsockaddr_un = (struct sockaddr_un *)usrsockaddr;
/*
* Put a 0 at the end of struct sockaddr_un because
* the user might not have considered it in the length
*/
if (ulen == sizeof(struct sockaddr_storage))
*(((char *)usrsockaddr_un) + ulen - 1) = 0;
else
*(((char *)usrsockaddr_un) + ulen) = 0;
if (is_inbound)
us_name = ((struct sockaddr_un *) &sock_address)->sun_path;
else
us_name = usrsockaddr_un->sun_path;
}
ASSERT(us_name);
dest = targetbuf + 1 + 8 + 8;
unix_socket_path(dest, us_name, UNIX_PATH_MAX);
size += strlen(dest) + 1;
#endif /* UDIG */
break;
default:
size = 0;
break;
}
#ifndef UDIG
/*
* Digging finished. We can release the fd.
*/
sockfd_put(sock);
#endif
return size;
}
int addr_to_kernel(void __user *uaddr, int ulen, struct sockaddr *kaddr)
{
if (unlikely(ulen < 0 || ulen > sizeof(struct sockaddr_storage)))
return -EINVAL;
if (unlikely(ulen == 0))
return 0;
if (unlikely(ppm_copy_from_user(kaddr, uaddr, ulen)))
return -EFAULT;
return 0;
}
/*
* Parses the list of buffers of a xreadv or xwritev call, and pushes the size
* (and optionally the data) to the ring.
*/
#ifndef WDIG
int32_t parse_readv_writev_bufs(struct event_filler_arguments *args, const struct iovec __user *iovsrc, unsigned long iovcnt, int64_t retval, int flags)
{
int32_t res;
const struct iovec *iov;
u64 copylen;
u32 j;
u64 size = 0;
unsigned long bufsize;
char *targetbuf = args->str_storage;
u32 targetbuflen = STR_STORAGE_SIZE;
unsigned long syscall_args[6] = {};
unsigned long val;
u32 notcopied_len;
size_t tocopy_len;
copylen = iovcnt * sizeof(struct iovec);
if (unlikely(iovcnt >= 0xffffffff))
return PPM_FAILURE_BUFFER_FULL;
if (unlikely(copylen >= STR_STORAGE_SIZE))
return PPM_FAILURE_BUFFER_FULL;
if (unlikely(ppm_copy_from_user(args->str_storage, iovsrc, copylen)))
return PPM_FAILURE_INVALID_USER_MEMORY;
iov = (const struct iovec *)(args->str_storage);
targetbuf += copylen;
targetbuflen -= copylen;
/*
* Size
*/
if (flags & PRB_FLAG_PUSH_SIZE) {
for (j = 0; j < iovcnt; j++)
size += iov[j].iov_len;
/*
* Size is the total size of the buffers provided by the user. The number of
* received bytes can be smaller
*/
if ((flags & PRB_FLAG_IS_WRITE) == 0)
if (size > retval)
size = retval;
res = val_to_ring(args, size, 0, false, 0);
if (unlikely(res != PPM_SUCCESS))
return res;
}
/*
* data
*/
if (flags & PRB_FLAG_PUSH_DATA) {
if (retval > 0 && iovcnt > 0) {
/*
* Retrieve the FD. It will be used for dynamic snaplen calculation.
*/
if (!args->is_socketcall) {
ppm_syscall_get_arguments(current, args->regs, syscall_args);
val = syscall_args[0];
}
#ifndef UDIG
else
val = args->socketcall_args[0];
#endif
args->fd = (int)val;
/*
* Merge the buffers
*/
bufsize = 0;
for (j = 0; j < iovcnt; j++) {
if ((flags & PRB_FLAG_IS_WRITE) == 0) {
if (bufsize >= retval) {
ASSERT(bufsize >= retval);
/*
* Copied all the data even if we haven't reached the
* end of the buffer.
* Copy must stop here.
*/
break;
}
tocopy_len = min(iov[j].iov_len, (size_t)retval - bufsize);
tocopy_len = min(tocopy_len, (size_t)targetbuflen - bufsize - 1);
} else {
tocopy_len = min(iov[j].iov_len, targetbuflen - bufsize - 1);
}
notcopied_len = (int)ppm_copy_from_user(targetbuf + bufsize,
iov[j].iov_base,
tocopy_len);
if (unlikely(notcopied_len != 0)) {
/*
* This means we had a page fault. Skip this event.
*/
return PPM_FAILURE_INVALID_USER_MEMORY;
}
bufsize += tocopy_len;
if (tocopy_len != iov[j].iov_len) {
/*
* No space left in the args->str_storage buffer.
* Copy must stop here.
*/
break;
}
}
args->enforce_snaplen = true;
res = val_to_ring(args,
(unsigned long)targetbuf,
bufsize,
false,
0);
if (unlikely(res != PPM_SUCCESS))
return res;
} else {
res = val_to_ring(args, 0, 0, false, 0);
if (unlikely(res != PPM_SUCCESS))
return res;
}
}
return PPM_SUCCESS;
}
#ifndef UDIG
#ifdef CONFIG_COMPAT
/*
* Parses the list of buffers of a xreadv or xwritev call, and pushes the size
* (and optionally the data) to the ring.
*/
int32_t compat_parse_readv_writev_bufs(struct event_filler_arguments *args, const struct compat_iovec __user *iovsrc, unsigned long iovcnt, int64_t retval, int flags)
{
int32_t res;
const struct compat_iovec *iov;
u64 copylen;
u32 j;
u64 size = 0;
unsigned long bufsize;
char *targetbuf = args->str_storage;
u32 targetbuflen = STR_STORAGE_SIZE;
unsigned long syscall_args[6] = {};
unsigned long val;
u32 notcopied_len;
compat_size_t tocopy_len;
copylen = iovcnt * sizeof(struct compat_iovec);
if (unlikely(iovcnt >= 0xffffffff))
return PPM_FAILURE_BUFFER_FULL;
if (unlikely(copylen >= STR_STORAGE_SIZE))
return PPM_FAILURE_BUFFER_FULL;
if (unlikely(ppm_copy_from_user(args->str_storage, iovsrc, copylen)))
return PPM_FAILURE_INVALID_USER_MEMORY;
iov = (const struct compat_iovec *)(args->str_storage);
targetbuf += copylen;
targetbuflen -= copylen;
/*
* Size
*/
if (flags & PRB_FLAG_PUSH_SIZE) {
for (j = 0; j < iovcnt; j++)
size += iov[j].iov_len;
/*
* Size is the total size of the buffers provided by the user. The number of
* received bytes can be smaller
*/
if ((flags & PRB_FLAG_IS_WRITE) == 0)
if (size > retval)
size = retval;
res = val_to_ring(args, size, 0, false, 0);
if (unlikely(res != PPM_SUCCESS))
return res;
}
/*
* data
*/
if (flags & PRB_FLAG_PUSH_DATA) {
if (retval > 0 && iovcnt > 0) {
/*
* Retrieve the FD. It will be used for dynamic snaplen calculation.
*/
if (!args->is_socketcall) {
ppm_syscall_get_arguments(current, args->regs, syscall_args);
val = syscall_args[0];
} else
val = args->socketcall_args[0];
args->fd = (int)val;
/*
* Merge the buffers
*/
bufsize = 0;
for (j = 0; j < iovcnt; j++) {
if ((flags & PRB_FLAG_IS_WRITE) == 0) {
if (bufsize >= retval) {
ASSERT(bufsize >= retval);
/*
* Copied all the data even if we haven't reached the
* end of the buffer.
* Copy must stop here.
*/
break;
}
tocopy_len = min(iov[j].iov_len, (compat_size_t)((size_t)retval - bufsize));
tocopy_len = min(tocopy_len, (compat_size_t)(targetbuflen - bufsize - 1));
} else {
tocopy_len = min(iov[j].iov_len, (compat_size_t)(targetbuflen - bufsize - 1));
}
notcopied_len = (int)ppm_copy_from_user(targetbuf + bufsize,
compat_ptr(iov[j].iov_base),
tocopy_len);
if (unlikely(notcopied_len != 0)) {
/*
* This means we had a page fault. Skip this event.
*/
return PPM_FAILURE_INVALID_USER_MEMORY;
}
bufsize += tocopy_len;
if (tocopy_len != iov[j].iov_len) {
/*
* No space left in the args->str_storage buffer.
* Copy must stop here.
*/
break;
}
}
args->enforce_snaplen = true;
res = val_to_ring(args,
(unsigned long)targetbuf,
bufsize,
false,
0);
if (unlikely(res != PPM_SUCCESS))
return res;
} else {
res = val_to_ring(args, 0, 0, false, 0);
if (unlikely(res != PPM_SUCCESS))
return res;
}
}
return PPM_SUCCESS;
}
#endif /* CONFIG_COMPAT */
#endif /* UDIG */
#endif /* WDIG */
/*
* STANDARD FILLERS
*/
/*
* AUTOFILLER
* In simple cases in which extracting an event is just a matter of moving the
* arguments to the buffer, this filler can be used instead of writing a
* filler function.
* The arguments to extract are be specified in g_ppm_events.
*/
int f_sys_autofill(struct event_filler_arguments *args)
{
int res;
syscall_arg_t syscall_args[6] = {0};
syscall_arg_t val;
u32 j;
int64_t retval;
const struct ppm_event_entry *evinfo = &g_ppm_events[args->event_type];
ASSERT(evinfo->n_autofill_args <= PPM_MAX_AUTOFILL_ARGS);
for (j = 0; j < evinfo->n_autofill_args; j++) {
if (evinfo->autofill_args[j].id >= 0) {
#ifdef _HAS_SOCKETCALL
if (args->is_socketcall && evinfo->paramtype == APT_SOCK) {
val = args->socketcall_args[evinfo->autofill_args[j].id];
} else
#endif
{
/*
* Regular argument
*/
ppm_syscall_get_arguments(current, args->regs, syscall_args);
val = syscall_args[evinfo->autofill_args[j].id];
}
res = val_to_ring(args, val, 0, true, 0);
if (unlikely(res != PPM_SUCCESS))
return res;
} else if (evinfo->autofill_args[j].id == AF_ID_RETVAL) {
/*
* Return value
*/
retval = (int64_t)(long)syscall_get_return_value(current, args->regs);
res = val_to_ring(args, retval, 0, false, 0);
if (unlikely(res != PPM_SUCCESS))
return res;
} else if (evinfo->autofill_args[j].id == AF_ID_USEDEFAULT) {
/*
* Default Value
*/
res = val_to_ring(args, evinfo->autofill_args[j].default_val, 0, false, 0);
if (unlikely(res != PPM_SUCCESS))
return res;
} else {
ASSERT(false);
}
}
return add_sentinel(args);
}
|
