fix(ebpf): fix incorrect tracking of thread stacks

The thread stack area was extracted by finding the VMA containing the SP of the new thread, but because the SP might be just past the end of its allocated VMA (top of the stack), sometimes the correct VMA was not found.
aquasecurity · Jan 22, 2025 · e113f04 · e113f04
1 parent 882f143
commit e113f04
Showing 1 changed file with 5 additions and 2 deletions.
diff --git a/pkg/ebpf/c/tracee.bpf.c b/pkg/ebpf/c/tracee.bpf.c
@@ -586,8 +586,11 @@ statfunc void update_thread_stack(void *ctx, task_info_t *task_info, struct task
     #error Unsupported architecture
 #endif
 
-    // Find VMA which contains the SP
-    struct vm_area_struct *vma = find_vma(ctx, task, thread_sp);
+    // Find VMA which contains the SP.
+    // We subtract 1 fromt the SP because it may be just past the end of the VMA (top of the stack).
+    // For example: stack VMA mapped at 0x1000 with size 0x1000,
+    // SP is set to 0x2000 (which is not part of the VMA whose address range is 0x1000-0x1fff).
+    struct vm_area_struct *vma = find_vma(ctx, task, thread_sp - 1);
     if (unlikely(vma == NULL))
         return;