From ee68207b7555d85ccc826b0c27c9e517d234d161 Mon Sep 17 00:00:00 2001
From: Andrei Fedotov
Date: Tue, 23 Jul 2024 14:20:00 +0300
Subject: [PATCH] bpf: Fix Prefix operator for matchBinaries

If path larger than 256 bytes need to copy prefix from args.

Signed-off-by: Andrei Fedotov
---
 bpf/process/bpf_execve_event.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/bpf/process/bpf_execve_event.c b/bpf/process/bpf_execve_event.c
index a2484ff0221..b4f90cdc477 100644
--- a/bpf/process/bpf_execve_event.c
+++ b/bpf/process/bpf_execve_event.c
@@ -268,8 +268,12 @@ execve_rate(void *ctx)
 __attribute__((section("tracepoint/1"), used)) int
 execve_send(void *ctx)
 {
+ struct msg_execve_event *event;
 struct execve_map_value *curr;
+#ifdef __LARGE_BPF_PROG
+ struct execve_heap *heap;
+#endif
 struct msg_process *p;
 __u32 zero = 0;
 uint64_t size;
@@ -329,10 +333,19 @@ execve_send(void *ctx)
 memset(&curr->bin, 0, sizeof(curr->bin));
 #ifdef __LARGE_BPF_PROG
 // read from proc exe stored at execve time
- if (event->exe.len <= BINARY_PATH_MAX_LEN) {
+ if (event->exe.len <= BINARY_PATH_MAX_LEN && !event->exe.error) {
 curr->bin.path_length = probe_read(curr->bin.path, event->exe.len, event->exe.off);
 if (curr->bin.path_length == 0)
 curr->bin.path_length = event->exe.len;
+ } else {
+ heap = map_lookup_elem(&execve_heap, &zero);
+ if (heap) {
+ curr->bin.path_length = probe_read_str(curr->bin.path, BINARY_PATH_MAX_LEN, &heap->maxpath);
+ if (curr->bin.path_length > 1) {
+ // don't include the NULL byte in the length
+ curr->bin.path_length--;
+ }
+ }
 }
 #else
 // reuse p->args first string that contains the filename, this can't be
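Review bot: In the second hunk, the new `else` branch stores the return value of `probe_read_str()` straight into `curr->bin.path_length` and only adjusts it when it is `> 1`, so a failed read is not handled; if `probe_read_str` follows the `bpf_probe_read_str` contract and returns a negative value on error, that value becomes the path length used for matchBinaries, and a guard such as `if (curr->bin.path_length < 0) curr->bin.path_length = 0;` before the decrement would keep it well-defined. The branch is also taken when `event->exe.error` is set, not only for paths longer than `BINARY_PATH_MAX_LEN`, and it reads `heap->maxpath` although the commit message says the prefix is copied from args; a comment like `// exe path too long or unreadable: use the truncated path still held in execve_heap->maxpath` would record what that scratch buffer is expected to contain at this point. Nothing visible marks the stored path as truncated, so if operators other than Prefix compare against `curr->bin.path`, they would see only the first part of a long path, which is worth confirming because this field appears to feed policy matching. `execve_send` starts before and continues past this hunk.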