Kernel bug in Rocky 9.3 for sys_enter_exec hook (for exec syscalls)

In Rocky Linux 9.3 running kernel version 5.14.0-362.8.1.el9_3.x86_64, the tracepoint at sys_enter_execve has incorrectly aligned arguments for the exec system call. When attempting to access the filename and argv fields, the argv field incorrectly returns envp values instead.

Environment

  • Operating System: Rocky Linux 9.3
  • Kernel Version: 5.14.0-362.8.1.el9_3.x86_64

Steps to Reproduce

  1. Examine the tracepoint structure:
$ sudo cat /sys/kernel/debug/tracing/events/syscalls/sys_enter_execve/format
  2. Verify the issue using bpftrace:
$ sudo bpftrace -e 'tracepoint:syscalls:sys_enter_execve {
    printf("exec: %s\n", str(args->filename));
    printf("argv[0]: %s\n", str(args->argv[0]));
    printf("\n");
}'

Expected Behavior

The filename and argv fields should contain the filename and command line arguments as defined in the tracepoint format.

Actual Behavior

The argv field returns environment variables (envp values) instead of command line arguments, and nothing comes up in filename.

Technical Details

The tracepoint format shows the following field arrangement:

[adminuser@rock93 ~]$ sudo cat /sys/kernel/debug/tracing/events/syscalls/sys_enter_execve/format
name: sys_enter_execve
ID: 745
format:
field:unsigned short common_type; offset:0; size:2; signed:0;
field:unsigned char common_flags; offset:2; size:1; signed:0;
field:unsigned char common_preempt_count; offset:3; size:1; signed:0;
field:int common_pid; offset:4; size:4; signed:1;
field:unsigned char common_preempt_lazy_count; offset:8; size:1; signed:0;

    field:int __syscall_nr; offset:12;      size:4; signed:1;
    field:const char * filename;    offset:16;      size:8; signed:0;
    field:const char *const * argv; offset:24;      size:8; signed:0;
    field:const char *const * envp; offset:32;      size:8; signed:0;

print fmt: "filename: 0x%08lx, argv: 0x%08lx, envp: 0x%08lx", ((unsigned long)(REC->filename)), ((unsigned long)(REC->argv)), ((unsigned long)(REC->envp))

However, when accessed via eBPF through bpftrace, the values from envp are being returned when querying argv.

Impact

This misalignment affects any tracing tools or software that rely on the correct argument arrangement in this tracepoint, potentially causing incorrect data collection or analysis.
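The following is an added example, not code from the original post, from bpftrace or from the Rocky kernel. It parses the tracefs format dump reproduced above (copied verbatim from the post) into the kernel's declared field layout, reports where a read at a given offset lands, and compares the declared offsets against what a reader would compute if it ignored them and packed the event-specific fields after an assumed fixed-size header. It also encodes and decodes a constructed raw record (the pointer values 0x1000/0x2000/0x3000 and the pid are made up) so that a field shift is visible as a wrong pointer value. Note that in this dump the common header is 9 bytes because of common_preempt_lazy_count, which pushes __syscall_nr to offset 12; the three pointer fields keep their usual offsets 16/24/32.

```python
"""Parse a tracefs event 'format' file and check how its fields are laid out.

Added example (not from the original post or from bpftrace). FORMAT_TEXT is
copied from the dump in the post; the raw record bytes below are constructed.
"""
import re
import struct
from dataclasses import dataclass

FORMAT_TEXT = """\
name: sys_enter_execve
ID: 745
format:
field:unsigned short common_type; offset:0; size:2; signed:0;
field:unsigned char common_flags; offset:2; size:1; signed:0;
field:unsigned char common_preempt_count; offset:3; size:1; signed:0;
field:int common_pid; offset:4; size:4; signed:1;
field:unsigned char common_preempt_lazy_count; offset:8; size:1; signed:0;

    field:int __syscall_nr; offset:12;      size:4; signed:1;
    field:const char * filename;    offset:16;      size:8; signed:0;
    field:const char *const * argv; offset:24;      size:8; signed:0;
    field:const char *const * envp; offset:32;      size:8; signed:0;

print fmt: "filename: 0x%08lx, argv: 0x%08lx, envp: 0x%08lx", ((unsigned long)(REC->filename)), ((unsigned long)(REC->argv)), ((unsigned long)(REC->envp))
"""

FIELD_RE = re.compile(
    r"field:(?P<type>.+?)\s*(?P<name>\w+);\s*offset:(?P<off>\d+);"
    r"\s*size:(?P<size>\d+);\s*signed:(?P<signed>[01]);"
)


@dataclass(frozen=True)
class Field:
    ctype: str
    name: str
    offset: int
    size: int
    signed: bool

    def struct_code(self) -> str:
        # x86_64 is little-endian; tracepoint scalars are 1/2/4/8 bytes.
        code = {1: "b", 2: "h", 4: "i", 8: "q"}[self.size]
        return "<" + (code if self.signed else code.upper())


def parse_format(text: str) -> list:
    """Fields in file order, with the offsets the kernel declares."""
    return [
        Field(m["type"].strip(), m["name"], int(m["off"]), int(m["size"]), m["signed"] == "1")
        for m in FIELD_RE.finditer(text)
    ]


def common_header_size(fields) -> int:
    """End offset of the last common_* field (9 in this dump)."""
    return max(f.offset + f.size for f in fields if f.name.startswith("common_"))


def field_at(fields, offset: int):
    """Name of the declared field a read at `offset` lands on (None = padding)."""
    for f in fields:
        if f.offset <= offset < f.offset + f.size:
            return f.name
    return None


def naive_layout(fields, header_bytes: int) -> dict:
    """Offsets a reader gets if it ignores the declared offsets and packs the
    event-specific fields with natural alignment after an assumed header."""
    off, out = header_bytes, {}
    for f in fields:
        if f.name.startswith("common_"):
            continue
        off = (off + f.size - 1) // f.size * f.size  # align to the field's size
        out[f.name] = off
        off += f.size
    return out


def layout_mismatches(fields, header_bytes: int) -> dict:
    """{name: (declared, assumed)} for every field on which the two layouts differ."""
    naive = naive_layout(fields, header_bytes)
    return {f.name: (f.offset, naive[f.name])
            for f in fields if f.name in naive and naive[f.name] != f.offset}


def encode_record(fields, values: dict) -> bytes:
    """Build a raw record at the declared offsets (used for the constructed sample)."""
    buf = bytearray(max(f.offset + f.size for f in fields))
    for f in fields:
        struct.pack_into(f.struct_code(), buf, f.offset, values.get(f.name, 0))
    return bytes(buf)


def decode_record(fields, raw: bytes) -> dict:
    """Decode a raw record exactly as the kernel's format file describes it."""
    return {f.name: struct.unpack_from(f.struct_code(), raw, f.offset)[0] for f in fields}


FIELDS = parse_format(FORMAT_TEXT)

# Constructed sample: distinct fake pointer values make any field shift obvious.
SAMPLE_VALUES = {"common_type": 745, "common_pid": 4242, "__syscall_nr": 59,
                 "filename": 0x1000, "argv": 0x2000, "envp": 0x3000}
SAMPLE_RECORD = encode_record(FIELDS, SAMPLE_VALUES)

if __name__ == "__main__":
    for f in FIELDS:
        print(f"{f.name:<28} offset={f.offset:<3} size={f.size}")
    print("common header bytes:", common_header_size(FIELDS))
    print("declared vs 8-byte-header layout:", layout_mismatches(FIELDS, 8))
    print("a read at offset 32 lands on:", field_at(FIELDS, 32))
    print("decoded:", {k: hex(v) for k, v in decode_record(FIELDS, SAMPLE_RECORD).items()})
```

To check a live system independently of bpftrace, enable the event in tracefs (`echo 1 | sudo tee /sys/kernel/debug/tracing/events/syscalls/sys_enter_execve/enable`) and read `trace_pipe`: the kernel formats those lines with its own print fmt and declared offsets, so if the three pointers look sane there while the bpftrace output is shifted, the problem is in how the tool consumes the format file rather than in the tracepoint itself.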


Rocky 9.3 is no longer supported. Current Rocky 9 version is 9.5.

Echoing @iwalker, Rocky Linux 9.3 is not supported. See the current supported releases section of our wiki.

The forums are also not a place to report bugs. If this is a bug in Rocky Linux 9.5, the current supported release as of this writing, please open a bug report.
