In Rocky Linux 9.3 running kernel version 5.14.0-362.8.1.el9_3.x86_64, the tracepoint at sys_enter_execve
has incorrectly aligned arguments for the exec system call. When attempting to access the filename and argv fields, the argv field incorrectly returns envp values instead.
Environment
- Operating System: Rocky Linux 9.3
- Kernel Version: 5.14.0-362.8.1.el9_3.x86_64
Steps to Reproduce
- Examine the tracepoint structure:
$ sudo cat /sys/kernel/debug/tracing/events/syscalls/sys_enter_execve/format
- Verify the issue using bpftrace:
$ sudo bpftrace -e 'tracepoint:syscalls:sys_enter_execve {
printf("exec: %s\n", str(args->filename));
printf("argv[0]: %s\n", str(args->argv[0]));
printf("\n");
}'
Expected Behavior
The filename and argv fields should contain the filename and the command line arguments, as defined in the tracepoint format.
Actual Behavior
The argv field returns environment variables (envp values) instead of command line arguments, and filename is empty.
Technical Details
The tracepoint format shows the following field arrangement:
[adminuser@rock93 ~]$ sudo cat /sys/kernel/debug/tracing/events/syscalls/sys_enter_execve/format
name: sys_enter_execve
ID: 745
format:
field:unsigned short common_type; offset:0; size:2; signed:0;
field:unsigned char common_flags; offset:2; size:1; signed:0;
field:unsigned char common_preempt_count; offset:3; size:1; signed:0;
field:int common_pid; offset:4; size:4; signed:1;
field:unsigned char common_preempt_lazy_count; offset:8; size:1; signed:0;
field:int __syscall_nr; offset:12; size:4; signed:1;
field:const char * filename; offset:16; size:8; signed:0;
field:const char *const * argv; offset:24; size:8; signed:0;
field:const char *const * envp; offset:32; size:8; signed:0;
print fmt: "filename: 0x%08lx, argv: 0x%08lx, envp: 0x%08lx", ((unsigned long)(REC->filename)), ((unsigned long)(REC->argv)), ((unsigned long)(REC->envp))
However, when accessed via eBPF through bpftrace, the values from envp are being returned when querying argv.
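Execve monitoring (EDR-style process auditing, bpftrace one-liners) depends on this tracepoint's declared layout, so a quick way to triage a report like this is to parse the format file and compare it against the layout consumers expect. The following script is an added example, not part of this report: it embeds the format output quoted above as a constructed sample, parses every field:offset:size line, checks that filename/argv/envp sit at the offsets the report's own format declares (16/24/32, 8 bytes each), and flags common_ header fields that are not among the four standard ones, such as common_preempt_lazy_count here. The live tracefs path and the expected offsets are assumptions of the example.

```python
import re

# Constructed sample: the format file quoted in this report, embedded so the check
# runs offline. The real file uses tabs; the regex below accepts any whitespace.
SAMPLE_FORMAT = """\
name: sys_enter_execve
ID: 745
format:
    field:unsigned short common_type; offset:0; size:2; signed:0;
    field:unsigned char common_flags; offset:2; size:1; signed:0;
    field:unsigned char common_preempt_count; offset:3; size:1; signed:0;
    field:int common_pid; offset:4; size:4; signed:1;
    field:unsigned char common_preempt_lazy_count; offset:8; size:1; signed:0;
    field:int __syscall_nr; offset:12; size:4; signed:1;
    field:const char * filename; offset:16; size:8; signed:0;
    field:const char *const * argv; offset:24; size:8; signed:0;
    field:const char *const * envp; offset:32; size:8; signed:0;
"""

FIELD_RE = re.compile(
    r"field:(?P<type>[^;]+?)\s+(?P<name>\w+);\s*offset:(?P<offset>\d+);\s*size:(?P<size>\d+);")

# Common header fields every tracepoint carries on an unpatched upstream kernel.
STANDARD_COMMON = {"common_type", "common_flags", "common_preempt_count", "common_pid"}

# Offsets/sizes that execve consumers assume for the syscall arguments (assumption:
# taken from the upstream layout, which this report's format output also declares).
EXPECTED_ARGS = {"filename": (16, 8), "argv": (24, 8), "envp": (32, 8)}


def parse_tracepoint_format(text):
    """Return {field_name: (c_type, offset, size)} from a tracefs 'format' file."""
    fields = {}
    for m in FIELD_RE.finditer(text):
        fields[m.group("name")] = (m.group("type").strip(),
                                   int(m.group("offset")), int(m.group("size")))
    return fields


def check_execve_layout(fields):
    """Return a list of findings; an empty list means the layout is the expected one."""
    problems = []
    for name, (off, size) in EXPECTED_ARGS.items():
        if name not in fields:
            problems.append(f"missing field {name}")
        elif (fields[name][1], fields[name][2]) != (off, size):
            problems.append(f"{name} at offset {fields[name][1]} size {fields[name][2]}, "
                            f"expected {off}/{size}")
    # Extra header fields (here common_preempt_lazy_count) are exactly what a tool that
    # hardcodes the standard header would not know about, so surface them explicitly.
    for n in fields:
        if n.startswith("common_") and n not in STANDARD_COMMON:
            problems.append(f"unexpected common field {n} at offset {fields[n][1]}")
    return problems
```

Point parse_tracepoint_format at the text of /sys/kernel/debug/tracing/events/syscalls/sys_enter_execve/format on the affected host; a non-empty result from check_execve_layout tells you whether the declared offsets moved or only an extra header field appeared, which narrows the fault to the kernel layout or to the consumer's parsing of it.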
Impact
This misalignment affects any tracing tool or software that relies on the correct argument arrangement in this tracepoint, potentially causing incorrect data collection or analysis.