fix(driver-modern-bpf): fix USER vs MEMORY attribution in execve filler

Collectively verified that this fixes issues in execve params 2, 3 and 16. Co-authored-by: Andrea Terzolo <andrea.terzolo@polito.it> Co-authored-by: Hendrik Brueckner <brueckner@de.ibm.com> Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
falcosecurity · Oct 13, 2022 · 6efefb9 · 6efefb9
1 parent 509b66a
commit 6efefb9
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/execve.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/execve.bpf.c
@@ -79,15 +79,15 @@ int BPF_PROG(execve_x,
 		/* We need to extract the len of `exe` arg so we can undestand
 		 * the overall length of the remaining args.
 		 */
-		u16 exe_arg_len = auxmap__store_charbuf_param(auxmap, arg_start_pointer, KERNEL);
+		u16 exe_arg_len = auxmap__store_charbuf_param(auxmap, arg_start_pointer, USER);
 
 		/* Parameter 3: args (type: PT_CHARBUFARRAY) */
 		/* Here we read the whole array starting from the pointer to the first
 		 * element. We could also read the array element per element but
 		 * since we know the total len we read it as a `bytebuf`.
 		 * The `\0` after every argument are preserved.
 		 */
-		auxmap__store_bytebuf_param(auxmap, arg_start_pointer + exe_arg_len, total_args_len - exe_arg_len, KERNEL);
+		auxmap__store_bytebuf_param(auxmap, arg_start_pointer + exe_arg_len, total_args_len - exe_arg_len, USER);
 	}
 	else
 	{
@@ -203,7 +203,7 @@ int BPF_PROG(t1_execve_x,
 		 * since we know the total len we read it as a `bytebuf`.
 		 * The `\0` after every argument are preserved.
 		 */
-		auxmap__store_bytebuf_param(auxmap, env_start_pointer, total_env_len, KERNEL);
+		auxmap__store_bytebuf_param(auxmap, env_start_pointer, total_env_len, USER);
 	}
 	else
 	{