If you are familiar with BPF, you likely know about the existing helper function bpf_probe_write_user, which can overwrite user space data. This function takes a pointer to the data to be overwritten, a pointer to the data from user space, and the size of the data to be overwritten.

But… there is no BPF helper function that can override parameters of a system call that are passed as direct values into registers.

Essentially, I propose a new BPF helper function, similar to bpf_probe_write_user, but designed to override the direct values of system call parameters.

For example, let’s take the system call open:

int open(const char *pathname, int flags);

Using bpf_probe_write_user we could modify the pathname parameter to a file of our choice. However, if we wish to preserve the flags parameter (or not), while also adding O_APPEND in case of a write, with the current BPF API, we cannot. We cannot modify the value of the register that holds the flags parameter using bpf_probe_write_user.

In order to override register values we have to add a new BPF helper function into the kernel, preferably implement it for every architecture the kernel supports 😭, and also add the new function reference in the BPF compiler BCC.

Someday, I may make the effort of writing an implementation that would work for all architectures, but for now I am going to describe a patch to make it work for the x86_64 architecture.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52

/arch/x86/include/asm/ptrace.h
273,292d272
< static inline void regs_set_register(struct pt_regs *regs,
< 					      unsigned int offset,
< 					      unsigned long value)
< {
< 	*(unsigned long *)((unsigned long)regs + offset) = value;
< }
< 
391,414d370
< }
< 
< static inline void regs_set_call_argument(struct pt_regs *regs,
< 					  unsigned int n,
< 					  unsigned long value)
< {
< 	static const unsigned int argument_offs[] = {
< 		offsetof(struct pt_regs, di),
< 		offsetof(struct pt_regs, si),
< 		offsetof(struct pt_regs, dx),
< 		offsetof(struct pt_regs, cx),
< 		offsetof(struct pt_regs, r8),
< 		offsetof(struct pt_regs, r9),
< 	};
< 
< 	regs_set_register(regs, argument_offs[n], value);

/include/uapi/linux/bpf.h
5719d5718
< 	FN(override_args, 212, ##ctx)			\

/kernel/trace/bpf_trace.c
163,178d162
< BPF_CALL_3(bpf_override_args, struct pt_regs *, regs, unsigned long, n, unsigned long, value)
< {
< 	if (unlikely(n > 6)) return -EACCES;
< 	regs_set_call_argument(regs, n, value);
< 	return 0;
< }
< 
< static const struct bpf_func_proto bpf_override_args_proto = {
< 	.func		= bpf_override_args,
< 	.gpl_only	= true,
< 	.ret_type	= RET_INTEGER,
< 	.arg1_type	= ARG_PTR_TO_CTX,
< 	.arg2_type	= ARG_ANYTHING,
< 	.arg3_type	= ARG_ANYTHING,
< };
< 
1552,1553d1535
< 	case BPF_FUNC_override_args:
< 		return &bpf_override_args_proto;
  • First, we have to add the functionality to change the pt_regs structure at an arbitrary offset; this is done between lines 1 and 27 in /arch/x86/include/asm/ptrace.h.
  • Secondly, we have to add the declaration of the eBPF helper function; this is done at line 30 in the /include/uapi/linux/bpf.h file.
  • Thirdly, we have to add the eBPF helper function definition; this is done between lines 32 and 49 in the /kernel/trace/bpf_trace.c file.
  • Lastly, the eBPF verifier must be made aware of the new eBPF helper function; this is done between lines 50 to 52, in the same file as the one in the previous step

I may not have followed the customary changes such a patch would entail, but this is a working patch that can be used to toy with.

As mentioned, besides the kernel, we have to patch the BCC compiler as well, in order to make it aware of the new eBPF helper function. The eBPF helper function must be simply declared in: src/cc/compat/linux/virtual_bpf.h, src/cc/export/helpers.h, src/cc/libbpf/src/include/uapi/linux/bpf.h, and src/cc/libbpf/src/bpf_helper_defs.h.

As a closing note: this new BPF helper function could open up new possibilities for dynamic system call manipulation, which in my opinion could be a very interesting feature to grow in BPF.