fix(ebpf): adjust hidden kernel module event to v6.4 (#3360)

The struct that kept the address of which the module resides has changed: use the correct field based on the existence of the needed type (or not, in previous versions).
aquasecurity · Aug 3, 2023 · 12101ff · 12101ff
1 parent ba91923
commit 12101ff
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 4 deletions.
diff --git a/pkg/ebpf/c/tracee.bpf.c b/pkg/ebpf/c/tracee.bpf.c
@@ -857,8 +857,14 @@ statfunc int check_is_proc_modules_hooked(program_data_t *p)
         }
 
         // Check with the address being the start of the memory area, since
-        // the address from /proc/modules is the base core layout.
-        mod_base_addr = (u64) BPF_CORE_READ(pos, core_layout.base);
+        // this is what is given from /proc/modules.
+        if (bpf_core_field_exists(pos->mem)) { // Version >= v6.4
+            mod_base_addr = (u64) BPF_CORE_READ(pos, mem[MOD_TEXT].base);
+        } else {
+            struct module___older_v64 *old_mod = (void *) pos;
+            mod_base_addr = (u64) BPF_CORE_READ(old_mod, core_layout.base);
+        }
+
         if (unlikely(mod_base_addr == 0)) { // Module memory was possibly tampered.. submit an error
             ret = 7;
             break;

diff --git a/pkg/ebpf/c/vmlinux.h b/pkg/ebpf/c/vmlinux.h
@@ -688,7 +688,21 @@ struct kset {
     struct list_head list;
 };
 
-struct module_layout {
+enum mod_mem_type
+{
+    MOD_TEXT = 0,
+    MOD_DATA,
+    MOD_RODATA,
+    MOD_RO_AFTER_INIT,
+    MOD_INIT_TEXT,
+    MOD_INIT_DATA,
+    MOD_INIT_RODATA,
+
+    MOD_MEM_NUM_TYPES,
+    MOD_INVALID = -1,
+};
+
+struct module_memory {
     void *base;
 };
 
@@ -698,7 +712,7 @@ struct module {
     const char *version;
     const char *srcversion;
     struct module_kobject mkobj;
-    struct module_layout core_layout;
+    struct module_memory mem[MOD_MEM_NUM_TYPES]; // kernel versions >= 6.4
 };
 
 struct rb_node {

diff --git a/pkg/ebpf/c/vmlinux_flavors.h b/pkg/ebpf/c/vmlinux_flavors.h
@@ -85,6 +85,18 @@ struct kernel_cap_struct___older {
 
 typedef struct kernel_cap_struct___older kernel_cap_t___older;
 
+// struct module //
+
+struct module_layout {
+    void *base;
+};
+
+struct module___older_v64 {
+    struct module_layout core_layout;
+};
+
+///////////////////
+
 #pragma clang attribute pop
 
 #endif