Callback not receiving valid pointer for filepath when sent from 32bit user process


I'm trying to get the filepath for the opened file for the sys_openat syscall for both 32bit and 64 bit processes. 64 bit processes work fine. For 32 bit processes I had to register for __ia32_compat_sys_openat (instead of __ia32_sys_openat) to get the callback to get called at all. However the pointer for pathname appears to always get the same address pointing to invalid memory 00000000e662cc4c, the ctx->si points to the same address. The flags come through fine so it seems like I'm missing something in the documentation I need to do to convert the 32bit pathname address?

int syscall__openat(struct pt_regs *ctx, int dirfd, const char __user *pathname, int flags) {
    u32 pid = bpf_get_current_pid_tgid() & 0xFFFFFFFF;    

    char buf[64];
    int len = bpf_probe_read_str(buf, sizeof(buf), pathname);
    bpf_trace_printk("**OPENAT len %d\n", len);
    bpf_trace_printk("**OPENAT %p Pid %d pathname: %s\n", pathname, pid, buf);
    bpf_trace_printk("**OPENAT flags %d\n", flags);
    return 0;


asked on Stack Overflow Jan 25, 2021 by Steven Wootton • edited Jan 25, 2021 by thoni56

0 Answers

Nobody has answered this question yet.

User contributions licensed under CC BY-SA 3.0