
returnCopy does not update the appropriate arg value within the event

Open andrewstrohman opened this issue 1 month ago • 1 comments

What happened? How can we reproduce this?

With the following policy:

apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
  name: ret-test
spec:
  kprobes:
    - call: "sys_read"
      syscall: true
      args:
#      - index: 0
#        type: "int"
      - index: 1
        type: "char_buf"
        returnCopy: true
        sizeArgIndex: 3
      - index: 2
        type: "size_t"

The args in the events look like:

"args":[{"bytes_arg":""},{"bytes_arg":"read string"}]

This is happening here. enterArgs is ordered based on the ordering of the spec file -- it's not indexed based on the arg's position within the function signature.

So this issue happens when a returnCopy arg specifies an index that is not the same as that arg's offset within the policy.

retArg.GetIndex() has different semantics depending on what type of hookpoint is used. For uprobe and lsm, GetIndex() returns the position within the spec. For kprobe and usdt, GetIndex() returns the index value specified for the arg in the spec. Put another way, it's the arg position within the function signature.

Perhaps we should consider changing the semantics of GetIndex() for kprobe and usdt to be the same as uprobe and lsm, for consistency.

Tetragon Version

v1.7.0-pre.0-133-gb82408601

Kernel Version

6.8.0-87-generic, but the issue is not specific to kernel version.

Kubernetes Version

N/A


andrewstrohman, Nov 19 '25 00:11
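A simplified Go model of the mismatch described in this issue, added here as an illustration and not Tetragon's code: the `Arg` type, both merge functions and the sample values are hypothetical. It shows how writing the return-copied value at the signature index into a slice ordered by spec position reproduces the reported event, and how matching on the `index:` value avoids it.

```go
package main

import "fmt"

// Arg is a hypothetical stand-in for one decoded event argument.
type Arg struct {
	SigIndex int    // "index:" from the policy, i.e. position in the function signature
	Value    string // rendered argument value
}

// sampleEnterArgs is constructed sample data for the ret-test policy: two
// args, stored in spec order (position 0 = index 1, position 1 = index 2).
func sampleEnterArgs() []Arg {
	return []Arg{{SigIndex: 1, Value: ""}, {SigIndex: 2, Value: "11"}}
}

// mergeBySigIndex models the reported behaviour: the signature index of the
// returnCopy arg is used directly as an offset into the spec-ordered slice.
func mergeBySigIndex(enterArgs []Arg, ret Arg) []Arg {
	out := append([]Arg(nil), enterArgs...)
	if ret.SigIndex >= 0 && ret.SigIndex < len(out) {
		out[ret.SigIndex] = ret // lands on whatever arg sits at that spec position
	}
	return out
}

// mergeBySpecPosition resolves the signature index to the spec position first.
// It returns false when no entry arg carries that index.
func mergeBySpecPosition(enterArgs []Arg, ret Arg) ([]Arg, bool) {
	out := append([]Arg(nil), enterArgs...)
	for pos := range out {
		if out[pos].SigIndex == ret.SigIndex {
			out[pos] = ret
			return out, true
		}
	}
	return out, false
}

func main() {
	ret := Arg{SigIndex: 1, Value: "read string"} // buffer copied at return
	fmt.Printf("by signature index: %q\n", mergeBySigIndex(sampleEnterArgs(), ret))
	fixed, ok := mergeBySpecPosition(sampleEnterArgs(), ret)
	fmt.Printf("by spec position:   %q (matched=%v)\n", fixed, ok)
}
```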

I'm trying to address this as a part of https://github.com/cilium/tetragon/pull/4327

andrewstrohman, Nov 19 '25 03:11