From 0e5571e156196f4ab0cb65014fa81e5905758d2f Mon Sep 17 00:00:00 2001 From: "M. Mert Yildiran" Date: Tue, 31 May 2022 15:12:37 +0300 Subject: [PATCH] Fix the read data address --- tap/tlstapper/bpf/golang_uprobes.c | 4 ++-- tap/tlstapper/tlstapper_bpfeb.o | Bin 124960 -> 124984 bytes tap/tlstapper/tlstapper_bpfel.o | Bin 124960 -> 124984 bytes 3 files changed, 2 insertions(+), 2 deletions(-) diff --git a/tap/tlstapper/bpf/golang_uprobes.c b/tap/tlstapper/bpf/golang_uprobes.c index 12bfd6eb7..d95040e55 100644 --- a/tap/tlstapper/bpf/golang_uprobes.c +++ b/tap/tlstapper/bpf/golang_uprobes.c @@ -79,8 +79,8 @@ static __always_inline int golang_crypto_tls_read_uprobe(struct pt_regs *ctx) { b->conn_addr = ctx->rsi; // go.itab.*net.TCPConn,net.Conn address b->is_request = false; - // Address at ctx->rbx - 0x2bf holds the data - __u32 status = bpf_probe_read_str(&b->data, sizeof(b->data), (void*)(ctx->rbx - 0x2bf)); + // Address at ctx->rbx & 0xfffffff000 holds the data + __u32 status = bpf_probe_read_str(&b->data, sizeof(b->data), (void*)(ctx->rbx & 0xfffffff000)); if (status < 0) { bpf_printk("[golang_crypto_tls_read_uprobe] error reading data: %d", status); bpf_ringbuf_discard(b, BPF_RB_FORCE_WAKEUP); diff --git a/tap/tlstapper/tlstapper_bpfeb.o b/tap/tlstapper/tlstapper_bpfeb.o index 89aeec42e57179b26acf043a4dcbe43e14efd076..05526beae6ebb70ede85b072ffeb4f7ef1083fb5 100644 GIT binary patch delta 4008 zcmb7GeQaFC5ubVQf2R7|PLr>IfrjLff>IVymGIQc)eL zQT<1Xk0wG^i@?!?+aMvusT9YSQk2MsxKbhxHB}v{RZT@DSB=0f6f7j#sGzD*jnd!j z?z7&V8q}`z-t2E@c4p`IX7+Auu3~1cVziBi&S&b6a+Tk6^sZQ}lIX^bYh=fb$J@

63{L@MQGoI zgq9(qzgdkpMi%qm`Ik<&@%#SA@HYK<-qw|P^Y0x`@T@;D9*rNq>8|7B(RDvV9D9cP z7yZ}9x8dZA0zxzxy{^b7=5gH~4Q(HpiPbnEWNmw{<8YP}8z?>a)p@YS!QGWrn_MMkbS)`rD=FtA}5LnK+g4 z1)_}?Ap_ijPyI;o53d_Qo12#en4TyveAN@39ExU%2osP)3A%~4}vbjsIc15<7z7=8YGW2hHK&x^F{N#+PkZ+GwDXBc)Vw1iBEF zy!O9R$!kA{%DN8XhEggyRZ1miOR3~sh|0RB)%k5ENldG@uTaU4lv2r$lv1hn0hM)s zB>q+@m3$yXWqqAGwcSL)l<&AHl{^S4^_7=2MAyF!{7;mJKtvEMRXJj*T)~z~!BUl@ zmdg6K)ulE*IUFntm9xf818!q|zo1HGo5q#Uqkc4gnCPs0@r4lH0F0_#u}AMR_Gmna z`V*=%21`9%6sogCw`hYm)Ri6lz$%ILhKjfG1K+?@3P|o3eX;L>dknE|#AS|1C0T!3 zmi4D)SudAneLvg?8OxIOoN+52^{`nsK1=L*SV1fa>mEUyiT%IqG3M2&40p+)8|T#` zrgvhxc_VR7aX@Et=Pvmo!EkdXmRz+(P~mnP zy!rR|`9V*){UMAf?x4Ym3gSUTafizAh{b8*V<=;H%;G)7FMb*L9MP~On+ObMLIx6G z!QvN)U%@r%E*ZS$d&CoUz&6dqIPsWZn``QfrmXe@Cp6AcfOlZ8FLrVgVqnn!+R zB`hvu=PtQnuxAC!4dW4gQRiU;O7{p(){t|bRGei3%s4$bAop8+zuJ4Jsjy_fdKpvO zT+V)+LH{edm-NuyJ|ZVCD8$mSGM0{&vGiOiOSZY3=Rz!L|MHqQhiXcZGm`|iETOra zqS#xOnhvXEr)e%s2QZc9YMLTvKGa-I%j7JeDnrfXEJ^CtOY;u(R;NiF(`5Fh&E@uh zilDigpCV`ZHsD@!R*m7+?Kc>`;Z{oX%v!vMTu++E=C-0=2p?smbR!DL4yV=$V>?SL+l4PiKsbQ>HTAn29EWpcBkAHqK_`N${{SAOdv zd9$JUoI142G!Le4?czR_+|6I(xeG(P`3G@cxUjU3AO9&YsP1>Tlb2Nf9sZK@EUBW% z5h}dP_wb0yiKtY05hqkpi^2jxx5|kaRCy6uRTSYB7V+*?IS~UY53%M6(xdI`q^|v$ zH>r0Q+2f0azlgcYiI`P+5lgBlqPy@O4)Ew|m3t59pvsF#tD=aJ!uw*Oav~;FUc^CF z6fsixE8ZtmPQ;ALi4_Lj*g3U>{;}Ugbp$siKJ23rp<% E2O7?mjQ{`u delta 4042 zcmb7GeP|rV6@PE{9NV#E$(EH{efd_FWSwFwI@wAkStgO&n5bALGPc9H4fQ!q69~kiaTAj2jfTWe!^EOF@zqoS-5n5s4Dc`9jdToc<^rCAHwDnrFU#RT=i^-XcZAfiNdELJMmzIf9t(C9&UOa({4N&th@;cEklGe zYw(NFh53ixrSUfYi+2m&Uil_(r3K!+0}~Ox=>2#iTy^5MyIz_ImyRNi$)V=w-Uk!g zkohMQ;ik{A%ZAQD4h5NGZ3CWOqPlfn>tqB}?4Jx*J^Ft{c?r9Qyo;0Jrqurw<h_? z09)Zr#tx#&*C6w_1Lu7`fP09l76SNwqMFG7egOBt4d6Z^SME#RUq4a(I{`dEG_!Hx zxr4_>h{|x76%KL#K^P^CL(`r!G9y%3nz{;Y}{ zD%y-ZeoxjWT<}0mmJ_HcTt`-|;AOoJ=V)z*v48p6;19zo!?V>-l?Yr2wmu?ytQ5-f z0ESLpRHC;-L{H%!+#x6Il&L>7^VuKe*YAK`R@-5wM^0ns5u%e)H}diQoFp2Bz2q-= zHLgJlaoN>)6*x$XK5F)lt8A3NzY3<#xQexK&taMVhv)(tnDbEt-wC{Ab{V~8s;k1D zIm|8NRieC)D3)IgTJfODwCE_9x_5KWlh~0T_K5ZhE-8z|{l;z6TB)JxGt-tP8o1<8 zA(tG2F2E(1NKbu@N-p^ZDyv(GYYVC5#zHE&tB^|W4NzJAteW4Zi^Md#eT7OsR7fQs zDx}ia=c%mzBk?1JRPtj1Dr+j#>~XQ|RPrFG^xt{)n#!6>!2ibe5QqqZkfksl|EwFBsfX+2-SN=y891ypQPoUBHV0EH_{| zV2^HQ?D6fN#C=0r9Mf3t)0|MpHwR5UHT*PvKsgQS`#Xr$trYEUbDj%!G`aQgv2u6OaBdRn`p?yDnA`OWfKg(Pm=* zg-K&U&BnM#lCE1&UtoGKrkmFj_m(1g<7M;1#C;a9@q*fUKx#K$HlJ3<+jZ%f&bD)p zoJfAyy*ieBUoxP=?$dblJib5ZDLWCsh++?F96^9VM6rj8aMIv<;!#{wU;!$^9kZ})xf6A$XVjFU{fZUA&o8meR~&w6v_h_ zx{!^7vbJ{18^)yNV|l~4MBno3Faf1|1lO04^#JN%!vvVI`jH?f zjQ)s9+^cU`{Sh^dsc9}NjvV~IMSI8}zPD>+jR*>`Gz#xQmPU(MI#bBfcafBkcP7A+ zc=Sh3C$$A1-r0Jr7?#jnRz~a%OIuEm_5Kbu7vs*gaA)96z;1!($;u(Ae3NbYjI2f6 z&Onn{OG1J1*3eAW^&RS|c79O2893L@owsQ=yC2l#o2}t-vTm*e9?-e_7~buK#^@Eh zT$*X#;N4`q(oCk-75!pBk8GtEbh9PNj-r_Y&0u$+c|wi}c!uolf?bWtj8IHtG?U!{ zU8pO7;XKr*aXx{3??m1vyG!&#_)jK>jw@sLqN31<-q0|mlHIzQFkR~A18UbUKFpan z#&+@3Rh)hO5Fb6wS(UiVot#st%Y2{pvt_mCDp#t1UFH_+`DNu?;rn?=#UT*OAC@|L zg=^JY_~E3=i9u31ix6EZE+U~)BBClMqFgywA$nC@!~vCpSbJEzY8z0CR}p+%Ie&$6 zjf#tyRw)r#l@k$D&NU?Vy=4`@1~{NnBFa@x#GrEi=G(+YjH#4}0hJR0-QOWbR9r+_ zr9@1toCqZK4~Rh(7lD8xVk)N>osSXlhY0vFRx>IkBB62+Yk#8?FS)1^SK0Y5xp1MN diff --git a/tap/tlstapper/tlstapper_bpfel.o b/tap/tlstapper/tlstapper_bpfel.o index fcfd17fde65d7768af24e56715e2f63f71deb256..0db64f972817c8e3230f7c840da52b1f0de0f55b 100644 GIT binary patch delta 4142 zcma);e{57$7RS$hQ>G)@G8C9;Yhk9grGsVrLvTASs}vFJE={fCMuLhZiz~ZPwkDG8 zWZAY^h+$WwZJx{F55qP_N}CXZwn}SIF}hk4e>6rmvx(`J)s@D?AJNUmG3>hEbKkw4 zHp=*#cE!;|E3?=l$? zjSn9DdxdHk|Ml=|1?qrXe>|q1ayySl%le{3i--ymFdD+RS(_7$xqZi@H7{YN1vBT+ zU$t5s@g~M-p(GyfxGx@WX!;m4P+Zlj75d@a05MT^nf;4$_IGa_iK%IK*GRN%|J9dU z^(eIVR!_Rmjnu)H*^y|?e=CRr@TC;z=JD~4g%$Vl<41-_A zfB3nNpNOe`_tc4K&0i{i$hn`Mi1kmvQlfM#&MK_-&RUK!=BNZ++A_?`IF4Rn#%&k} z(Ph3Hz1GYRVBCZ;TJddo$Ud!k+>zyeZE#O^Li7GSKA6Xk=ke2d{Cpn2oyQkER*Kxh zu~q65clB7U`oirTt1418*Lw{I+}BJL4rE8LgIs>-f`79K4T_jbtxtpNSn@o&dI zTUNX}-q`y~uQfI{j(`5rqb2=+M!riBq+N%8c14!ggTMCDRMfNqJ&p9V_8Y;ckXn{+ z2G@Ftf)P;$5N=j$ARJ zC}cP(JPCF@z4m!p=^qYDb(70~$n~pn`Fig3#6F1rKSYSukV9SOOyMYahmW^_yL~Kr z>$8qv*jez=uD3qwh(d3D6s`sjd;2+*;o@2qt9&2l7B7bfekV(v1t+VyvsOhrCHWe# zR9d8z=tt;sw~*lvu|v@wqOgxcU@;T>0=(Q-JV5#fj+DB;JAbU-P6shPW6U6QOXDf} zU!bo%fX{;A1K1{b2!Pv)zN!$%9wmw!uEX~rI82lypu=PsJrwj zJ2`l*+MvD0{dF6FH?oUP9E3nB+8^XgU~x4k$OS4l$Y5-t_t8PV%Bv#T*R~`EFQb1! zbm-===Coo$o1_xJBr0?COv29(ZWDoR6(FrB1=Z@;w-!gkuMy$&Dv=%|(?)+gIC7F`&c{o@ zU*@e3Bfhe}2lhqC#74t9^Umr_4{C!~_>FqCZIRf%!jT5GZKn*qca-;W*o>{E$$SSs z7IId|unxt)^Fjg63B@HF3aRHUvW?CvOwX8YAat`{K7wQ7NEz#uu4kmoH?WfRX+GAd zHt0*Ic^1R#Wp>3X_=?<;suaEl?6hMSzwcex#qbb!HW}B4_*fINLRQ(aw(R7?-PI(dB9a02?JhZGGP-VDC!Nkyjv)UOY;29rJm2L^M7 zpTL6Rr%()r?_W$*J_<> zqAtTahb9#5FkHgL>rh>?cM0!XrkA$02aLVS52vE4p@)0qQNlKO^~(b&9kFXuvEu&HGwR@to#&Th#3wYgMX=6KVrYF6`{npGPedW2t`RX5^q9e)d{4s**t)J7HNl!&7|<%x`l zc5a!2=;4%zBu|Nmb4ElLw_JeO%_)d0?i=>Jy^~+PfV0kWMwD@G`6t9Qr$o&2l!$iD zKscehxb-8Pzn4=VVK%{2A`Wv#1P=ZfVw6)N_VSbn=tLalmVZG^a!SNBPl-ryMg*Ms kL{FwfwDXh*tb=eud${!?4oq|EB4&GeO2iACxu|OY57p12@c;k- delta 4118 zcma);e{57$7RS$hGYk((+ZhT>TU$G0TiVigI|Eb-6T~xAhL~1I(eE)vKyJ0w50|%HHEeD2dS>RA-mCZHd#~6^223W`UkEJk&Qp2-*ex+ zoi~$}c#}KleeOB$+Q8?0YiG+yg?Q1~GZHS@A0}Ev7AzW{Ol6|+_?5;!5np6GO zd1tg9vHW*5T>ZZ?BE;)2#=cpx;A|nRwPWTvYsM<#h2`#P@5YKA){k-VP~?a2`_fp2 z=y%SJg{zN6f5^UHj#Uhtf+c6^Uf#6I-D?Fdu|~^z4PzPB`8tBRQeU^@I)KURy_gZb zK8WizxW*_*;D`OJ%i)d;4=98CGYg9M8NYLMJdCm(g?6R${&;1{E!8TbLJn^a|6uqrD<_w}@<~x%VRQQp@_4b+IbAfl{_O7M14oP8OtAf0%rh%9ydHebtyNZ2D`pxs%9-QQhB=1% zGQ15OajS*Z)QLG1$>_I(&qg!cO*C1UezxbqK`8FU(Tj1Ip6!B;c(@*X%)=|dCp7oq z883QNsFvgVuj3@*DM1_*;!uOv$K)qfq9T4B%jLs@xPO&7xE>tya21$4Rq5sCYEdDg z@&Skk`%rw9Cj|9tEpr$==;3u>b9kd4_UP}1-UMUxDWjL?u}$r5b$Jf5?v2IBSjE>x#n=1JA4?sw0b#XcZ817`)TN9pGLMv)+WL z5*D-;LNfQ8kXT<2y$OlA3Y>ENS#(`i*Wes~!@dP8tn8SIt%aD%QDjTXESlFbs^{2X zsp4ybFCK-(M5{6Ru(sxZ!e#!$L_rVRU^ZiWzYlfr1l|TQUXX9E5y$tM^}rKEGujS9 zjamG%em7?M0it=$2jC}g2!QjkzH%}4J%(b}T#v6pAVpNGc|^WfD}KI+O-E#7ooKy} zFTcVJohF*qR?JJma~@{Bji}hZ5Upmv39p*fF7Fb>H2282>hvx>vV4tbeT?riV-RO% zR=Gr=+_>Ic-T-qzS-JF!>|BD`CHqmiT;?{5o5}&R9KiDTrLwUUsVo!OsjNc8I%t*3 z7LlFGcJ!#$@5lY|ZRkmGn;)+S%mO@`PC@cwz1XUfykAx~c$557k)334R+7Oc$?wCz zy&L;^ll(Bk)LbObH0UH3$(4;aOLCu3Z^Nj50`K9?_$el#a5%}#s$lVg2zuBCbCOxF zl01w@%q-JQ;`o4B4q*A5Hmk?SJAA^eU)D1R!LwT51zvTM=#qyE!Sgxy2a#01|1sF- zqw->!Ri(X2ob-S)n3CszB)S%{?UZb65?#CaQk53Y#P9sO;F<@ocYt{>TeFJ#vz(~G zSy6xOjk=57a54f|p3!a~)G$#FV4Fz9EiJZJU5dK-99GO}=;IB-dFF#=b@H^l5fiP= ztSYz_0i(*e6`Ah`TPP`h0WqrtbiuTuS4)XXPasUq$DuDxAxzCCARA4_0kM4q_CXKZ;D~>NYhVsgs}0_QL;IwlZp|u> zrv>fQoF}W-p_|xuo;Vky>+!|$a1d;2M|DsO_R0r#`19DXw84iSaUYe* zX-u=~DcHAo*amlMHU}^*q*|)QNBw^MNm|HRyN?F-4de3gM%`26^2$cBL$+)Z-D3K+ z-)s_3mWY|xzUUFZ7!osb*9Eab%*x~i(PqsbmVdt>wpjDe$>kTt7SS&g7eyPssYw<` zWZD&>OQ05+V9_g+ENW$%MNo!5hG>@w773YzSaM&=jka5U_%Zexk)eM