gotls: hook dockerd fail

Question

gotls: hook dockerd fail

Closed this issue 3 months ago · 1 comments

Describe the bug
在arm64环境下，命令sudo ./bin/ecapture gotls --elfpath=/usr/bin/dockerd --hex失败

To Reproduce

ecapture git:(master) sudo ./bin/ecapture gotls --elfpath=/usr/bin/dockerd --hex
tls_2024/03/05 16:36:12 ECAPTURE :: ecapture Version : linux_aarch64:-20240303-bfb4a8c:[CORE]
tls_2024/03/05 16:36:12 ECAPTURE :: Pid Info : 365806
tls_2024/03/05 16:36:12 ECAPTURE :: Kernel Info : 5.15.136
tls_2024/03/05 16:36:12 EBPFProbeGoTLS  module initialization failed. [skip it]. error:no RET instructions found

Linux Server/Android (please complete the following information):

➜  ecapture git:(master) make env
---------------------------------------
eCapture Makefile Environment:
---------------------------------------
PARALLEL                 4
----------------[ from args ]---------------
CROSS_ARCH               
ANDROID                  0
DEBUG                    0
---------------------------------------
UNAME_M                  aarch64
UNAME_R                  5.15.0-97-generic
CLANG_VERSION            14
GO_VERSION               1.21
---------------------------------------
CMD_CLANG                clang
CMD_GIT                  git
CMD_GO                   go
CMD_INSTALL              install
CMD_LLC                  llc
CMD_MD5                  md5sum
CMD_PKGCONFIG            pkg-config
CMD_STRIP                llvm-strip
---------------------------------------
VERSION                  -20240303-bfb4a8c
LAST_GIT_TAG             -20240303-bfb4a8c
BPF_NOCORE_TAG           5_15_0-97-generic.-20240303-bfb4a8c
CROSS_COMPILE            
KERN_RELEASE             5.15.0-97-generic
KERN_BUILD_PATH          /lib/modules/5.15.0-97-generic/build
KERN_SRC_PATH            /lib/modules/5.15.0-97-generic/build
TARGET_ARCH              aarch64
GOARCH                   arm64
LINUX_ARCH               arm64
LIBPCAP_ARCH             aarch64-unknown-linux-gnu
AUTOGENCMD               ls -al kern/bpf/arm64/vmlinux.h
---------------------------------------
rpmdev-setuptree         rpmdev-setuptree
tar                      tar
rpmbuild                 rpmbuild
---------------------------------------

Analysis

原因是arm64asm.Decode()方法在遇到CASALAbout CASAL汇编指令时会返回error，导致无法获取到RET指令的offset。

tables.go - Go (opensource.google)中无CASAL，暂不知道是否属于x/arch - Go (opensource.google) 库的问题。

解决方法是忽略arm64asm.Decode()的错误返回值，但我无法确定这样是否会导致其他问题。

（ps. 原谅我英语实在不好，无法用英文描述想要表达的意思:( ）

Answer 1 · 2024-03-06T03:07:56.000Z

更一般的，当go代码中存在CAS时，都会复现上面的问题。
demo: