UProbes not Working with Non-Zero Function Offsets

eunomia-bpf / bpftime

Userspace eBPF runtime for Observability, Network & General Extensions Framework

https://eunomia.dev/bpftime/

MIT License

834 stars 78 forks source link

UProbes not Working with Non-Zero Function Offsets #362

Closed TheAhmad closed 2 days ago

TheAhmad commented 5 days ago

Hi,

I am experimenting with the malloc example. It works successfully with victim. I changed the UProbe offset from 0 to 135 (here). 135 is a valid offset in the system glibc: 0x00000000000970a4 <+132>: mov %rbx,%rsi 0x00000000000970a7 <+135>: callq 0x94330 <_int_malloc> 0x00000000000970ac <+140>: test %rax,%rax The kernel eBPF (i.e., running without bpftime) shows probe hits, while running victim with bpftime causes no hit. Any hint is appreciated!

Regards.

TheAhmad commented 2 days ago

The offset was not touched by victim. The kernel eBPF traces all running processes. Some non-victim running processes were touching the offset, causing probe hits for the kernel eBPF.