fix(bpf): fix a verifier issue on debian10(4.19.0-25-amd64)

The verifier issue is: 2446: (07) r3 += 16 2447: (bf) r1 = r10 2448: (07) r1 += -40 2449: (b7) r2 = 8 2450: (85) call bpf_probe_read#4 2451: (79) r3 = *(u64 *)(r10 -32) BPF program is too large. Processed 131073 insn -- END PROG LOAD LOG -- terminate called after throwing an instance of 'scap_open_exception' what(): libscap: bpf_load_program() event=raw_tracepoint/filler/open_by_handle_at_x_extra_tail_1: Operation not permitted Signed-off-by: Andrea Terzolo <[email protected]>
falcosecurity · Oct 24, 2023 · 7c107dc · 7c107dc
1 parent 5c9b3cd
commit 7c107dc
Showing 1 changed file with 23 additions and 13 deletions.
diff --git a/driver/bpf/fillers.h b/driver/bpf/fillers.h
@@ -3317,26 +3317,36 @@ FILLER(sys_open_by_handle_at_x, true)
 	res = bpf_val_to_ring(data, flags);
 	CHECK_RES(res);
 
-	bpf_tail_call(data->ctx, &tail_map, PPM_FILLER_open_by_handle_at_x_extra_tail_1);
-	bpf_printk("Can't tail call 'open_by_handle_at_x_extra_tail_1' filler\n");
-	return PPM_FAILURE_BUG;	
+	if(retval > 0)
+	{
+		bpf_tail_call(data->ctx, &tail_map, PPM_FILLER_open_by_handle_at_x_extra_tail_1);
+		bpf_printk("Can't tail call 'open_by_handle_at_x_extra_tail_1' filler\n");
+		return PPM_FAILURE_BUG;
+	}
+
+	/* Parameter 4: path (type: PT_FSPATH) */
+	return bpf_push_empty_param(data);
 }
 
 FILLER(open_by_handle_at_x_extra_tail_1, true)
 {
 	long retval = bpf_syscall_get_retval(data->ctx);
-
-	/* Parameter 4: path (type: PT_FSPATH) */
-	if(retval > 0)
+	struct file *f = bpf_fget(retval);
+	if(f == NULL)
 	{
-		struct file *f = bpf_fget(retval);
-		if(f != NULL)
-		{
-			char* filepath = bpf_d_path_approx(data, &(f->f_path));
-			return bpf_val_to_ring_mem(data,(unsigned long)filepath, KERNEL);
-		}
+		/* In theory here we should send an empty param but we are experimenting some issues
+		 * with the verifier on debian10 (4.19.0-25-amd64). Sending an empty param exceeds
+		 * the complexity limit of the verifier for this reason we simply return an error code.
+		 * Returning an error code means that we drop the entire event, but please note that this should
+		 * never happen since we previosuly check `retval > 0`. The kernel should always have an entry for
+		 * this fd in the fd table.
+		 */
+		return PPM_FAILURE_BUG;
 	}
-	return bpf_push_empty_param(data);
+
+	/* Parameter 4: path (type: PT_FSPATH) */
+	char* filepath = bpf_d_path_approx(data, &(f->f_path));
+	return bpf_val_to_ring_mem(data,(unsigned long)filepath, KERNEL);
 }
 
 FILLER(sys_io_uring_setup_x, true)