tetragon: Add additional returnCopy test

This test confirms that we don't confuse the meaning of index. Arguments
have a position (index) within the args section of a tracing policy
spec. The arg's position defined within the spec is not related to the
arg's position (index) within the function signature or tracepoint that
is being hooked.

We had a bug where we confused the meaning of index. Retprobes need to
overwrite a argument value that not available at function entry. We
locate the argument which needs to be overwritten by referencing its
position within the tracing policy spec. The bug happened because we
overwrote based on arg's position within the function signature.

As such, returnCopy only worked as expected when the user defined the
args in the tracing policy spec in the same order as they appear in the
function/tracepoint signature.

This returnCopy test is constructed such that the configured argument's
index within the spec does not correspond to the arguments position
within the function signature.

Signed-off-by: Andy Strohman <astrohma@isovalent.com>

Author: andrewstrohman

pkg/sensors/tracing/kprobe_test.go

@@ -555,6 +555,52 @@ spec:
 	runKprobeObjectRead(t, readHook, checker, fd, fd2)
 }
 
+func TestKprobeObjectReadIdxMismatch(t *testing.T) {
+	fd, fd2, fdString := createTestFile(t)
+	pidStr := strconv.Itoa(int(observertesthelper.GetMyPid()))
+	readHook := `
+apiVersion: cilium.io/v1alpha1
+kind: TracingPolicy
+metadata:
+  name: "sys-read"
+spec:
+  kprobes:
+  - call: "sys_read"
+    syscall: true
+    args:
+    - index: 1
+      type: "char_buf"
+      returnCopy: true
+    - index: 2
+      type: "size_t"
+    - index: 0
+      type: "int"
+    selectors:
+    - matchPIDs:
+      - operator: In
+        followForks: true
+        values:
+        - ` + pidStr + `
+      matchArgs:
+      - index: 0
+        operator: "Equal"
+        values:
+        - "` + fdString + `"`
+
+	kpChecker := ec.NewProcessKprobeChecker("").
+		WithFunctionName(sm.Full(arch.AddSyscallPrefixTestHelper(t, "sys_read"))).
+		WithArgs(ec.NewKprobeArgumentListMatcher().
+			WithOperator(lc.Ordered).
+			WithValues(
+				ec.NewKprobeArgumentChecker().WithBytesArg(bc.Full([]byte("hello world"))),
+				ec.NewKprobeArgumentChecker().WithSizeArg(100),
+				ec.NewKprobeArgumentChecker().WithIntArg(int32(fd2)),
+			))
+	checker := ec.NewUnorderedEventChecker(kpChecker)
+
+	runKprobeObjectRead(t, readHook, checker, fd, fd2)
+}
+
 func TestKprobeObjectReadReturn(t *testing.T) {
 	fd, fd2, fdString := createTestFile(t)
 	pidStr := strconv.Itoa(int(observertesthelper.GetMyPid()))