In v0.7.6, the gotls module works exceptionally in pie mode on x64 platform.
sancppp opened this issue
Describe the bug
In v0.7.6, the gotls module works exceptionally in pie mode on x64 platform.
In v0.7.5, gotls works fine with this example.
Linux Server/Android (please complete the following information):
- Env:
---------------------------------------
eCapture Makefile Environment:
---------------------------------------
PARALLEL 16
----------------[ from args ]---------------
CROSS_ARCH
ANDROID 0
DEBUG 0
---------------------------------------
UNAME_M x86_64
UNAME_R 6.5.0-26-generic
CLANG_VERSION 12
GO_VERSION 1.21
---------------------------------------
CMD_CLANG clang
CMD_GIT git
CMD_GO go
CMD_INSTALL install
CMD_LLC llc
CMD_MD5 md5sum
CMD_PKGCONFIG pkg-config
CMD_STRIP llvm-strip
---------------------------------------
VERSION 0.7.6-20240330-3486f5b
LAST_GIT_TAG 0.7.6-20240330-3486f5b
BPF_NOCORE_TAG 6_5_0-26-generic.0_7_6-20240330-3486f5b
CROSS_COMPILE
KERN_RELEASE 6.5.0-26-generic
KERN_BUILD_PATH /lib/modules/6.5.0-26-generic/build
KERN_SRC_PATH /lib/modules/6.5.0-26-generic/build
TARGET_ARCH x86_64
GOARCH amd64
LINUX_ARCH x86
LIBPCAP_ARCH x86_64-unknown-linux-gnu
AUTOGENCMD test -f kern/bpf/x86/vmlinux.h || bpftool btf dump file /sys/kernel/btf/vmlinux format c > kern/bpf/x86/vmlinux.h
---------------------------------------
rpmdev-setuptree rpmdev-setuptree
tar tar
rpmbuild rpmbuild
---------------------------------------
- OS: Ubuntu 22.04
- Arch: x86_64
- Kernel Version: 6.5.0
- Version: 0.7.6
Additional context
Add any other context about the problem here.
I did a simple test of v0.7.6 and PR#516 in an x64 Ubuntu 22.04 environment.
The test was to execute the command sudo ./bin/ecapture gotls --elfpath=/usr/bin/dockerd --hex while executing docker login in another terminal.
The result shows that eCapture was able to correctly find the crypto/tls.(*Conn).Read symbol entry, but was unable to locate the RET command:
At the same time, docker login returns a connect error:
I think the connect error issue probably has nothing to do with the hook position. The hook here is looking for the RET instruction to hook, so it shouldn't affect network communication. There must be another reason, maybe it's just a sporadic network failure.
It looks like eCapture is indeed affecting docker's network communication.
Normally docker login should return Error response from daemon: Get "https://registry-1.docker.io/v2/": unauthorized: incorrect username or password, however eCapture intervenes and returns an EOF error, while docker pull also returns an EOF error.
The test is relatively simple. I'm not sure if eCapture hooking other golang projects (buildmode=pie) would cause the same thing.