From 39bed6bd1b94f509590738d95b343f6994045cdf Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Mon, 2 Oct 2023 09:34:03 +0900
Subject: [PATCH] bpf: Do not attempt to read blob_data if the length is 0

Signed-off-by: Daiki Ueno <dueno@redhat.com>
---
 agent/src/bpf/audit.bpf.c | 38 ++++++++++++++++++++++++++++----------
 1 file changed, 28 insertions(+), 10 deletions(-)

diff --git a/agent/src/bpf/audit.bpf.c b/agent/src/bpf/audit.bpf.c
index 5790ed2..a0e568e 100644
--- a/agent/src/bpf/audit.bpf.c
+++ b/agent/src/bpf/audit.bpf.c
@@ -160,11 +160,18 @@ record_string_data (struct pt_regs *ctx, long context, const char *key_ptr,
 }
 
 static __always_inline int
-record_blob_data (struct pt_regs *ctx, long context, const char *key_ptr,
-		  void *value_ptr, size_t value_size)
+record_blob_data (struct pt_regs *ctx, long context, const char *key_ptr)
 {
   int err;
 
+  long value_size;
+  err = bpf_usdt_arg (ctx, 3, &value_size);
+  if (err < 0)
+    {
+      DEBUG ("unable to determine value size: %ld\n", err);
+      return err;
+    }
+
   struct audit_blob_data_event_st *event =
     bpf_ringbuf_reserve (&ringbuf,
 			 sizeof(struct audit_blob_data_event_st),
@@ -188,12 +195,24 @@ record_blob_data (struct pt_regs *ctx, long context, const char *key_ptr,
       goto error;
     }
 
-  value_size &= (VALUE_SIZE - 1);
-  err = bpf_probe_read_user (event->value, value_size, (void *)value_ptr);
-  if (err < 0)
+  if (value_size > 0)
     {
-      DEBUG ("unable to read event data: %ld\n", err);
-      goto error;
+      long value_ptr;
+
+      err = bpf_usdt_arg (ctx, 2, &value_ptr);
+      if (err < 0)
+	{
+	  DEBUG ("unable to read value: %ld\n", err);
+	  goto error;
+	}
+
+      value_size &= (VALUE_SIZE - 1);
+      err = bpf_probe_read_user (event->value, value_size, (void *)value_ptr);
+      if (err < 0)
+	{
+	  DEBUG ("unable to read event data: %ld\n", err);
+	  goto error;
+	}
     }
 
   event->size = value_size;
@@ -230,10 +249,9 @@ BPF_USDT(string_data, long context, const char *key_ptr,
 
 SEC("usdt")
 int
-BPF_USDT(blob_data, long context, const char *key_ptr,
-	 void *value_ptr, size_t value_size)
+BPF_USDT(blob_data, long context, const char *key_ptr)
 {
-  return record_blob_data(ctx, context, key_ptr, value_ptr, value_size);
+  return record_blob_data(ctx, context, key_ptr);
 }
 
 char LICENSE[] SEC("license") = "GPL";