From 7c107dc6f6c09aae1eae209e291420a4ed10979e Mon Sep 17 00:00:00 2001
From: Andrea Terzolo
Date: Tue, 24 Oct 2023 12:58:00 +0200
Subject: [PATCH] fix(bpf): fix a verifier issue on debian10(4.19.0-25-amd64)

The verifier issue is:
2446: (07) r3 += 16
2447: (bf) r1 = r10
2448: (07) r1 += -40
2449: (b7) r2 = 8
2450: (85) call bpf_probe_read#4
2451: (79) r3 = *(u64 *)(r10 -32)
BPF program is too large. Processed 131073 insn
-- END PROG LOAD LOG --
terminate called after throwing an instance of 'scap_open_exception'
what(): libscap: bpf_load_program() event=raw_tracepoint/filler/open_by_handle_at_x_extra_tail_1: Operation not permitted

Signed-off-by: Andrea Terzolo
---
 driver/bpf/fillers.h | 36 +++++++++++++++++++++++-------------
 1 file changed, 23 insertions(+), 13 deletions(-)

diff --git a/driver/bpf/fillers.h b/driver/bpf/fillers.h
index 0e91be7e6b..2feae7a29b 100644
--- a/driver/bpf/fillers.h
+++ b/driver/bpf/fillers.h
@@ -3317,26 +3317,36 @@ FILLER(sys_open_by_handle_at_x, true)
 res = bpf_val_to_ring(data, flags);
 CHECK_RES(res);
 
- bpf_tail_call(data->ctx, &tail_map, PPM_FILLER_open_by_handle_at_x_extra_tail_1);
- bpf_printk("Can't tail call 'open_by_handle_at_x_extra_tail_1' filler\n");
- return PPM_FAILURE_BUG;
+ if(retval > 0)
+ {
+ bpf_tail_call(data->ctx, &tail_map, PPM_FILLER_open_by_handle_at_x_extra_tail_1);
+ bpf_printk("Can't tail call 'open_by_handle_at_x_extra_tail_1' filler\n");
+ return PPM_FAILURE_BUG;
+ }
+
+ /* Parameter 4: path (type: PT_FSPATH) */
+ return bpf_push_empty_param(data);
 }
 
 FILLER(open_by_handle_at_x_extra_tail_1, true)
 {
 long retval = bpf_syscall_get_retval(data->ctx);
-
- /* Parameter 4: path (type: PT_FSPATH) */
- if(retval > 0)
+ struct file *f = bpf_fget(retval);
+ if(f == NULL)
 {
- struct file *f = bpf_fget(retval);
- if(f != NULL)
- {
- char* filepath = bpf_d_path_approx(data, &(f->f_path));
- return bpf_val_to_ring_mem(data,(unsigned long)filepath, KERNEL);
- }
+ /* In theory here we should send an empty param but we are experimenting some issues
+ * with the verifier on debian10 (4.19.0-25-amd64). Sending an empty param exceeds
+ * the complexity limit of the verifier for this reason we simply return an error code.
+ * Returning an error code means that we drop the entire event, but please note that this should
+ * never happen since we previosuly check `retval > 0`. The kernel should always have an entry for
+ * this fd in the fd table.
+ */
+ return PPM_FAILURE_BUG;
 }
- return bpf_push_empty_param(data);
+
+ /* Parameter 4: path (type: PT_FSPATH) */
+ char* filepath = bpf_d_path_approx(data, &(f->f_path));
+ return bpf_val_to_ring_mem(data,(unsigned long)filepath, KERNEL);
 }
 
 FILLER(sys_io_uring_setup_x, true)
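Review bot: The new guard `if(retval > 0)` in sys_open_by_handle_at_x treats a return value of 0 like a failure, but 0 is a valid file descriptor, so a successful call that returns fd 0 is recorded with an empty path parameter; `if(retval >= 0)` would cover it, provided the changed comparison keeps the program under the verifier limit on 4.19. In open_by_handle_at_x_extra_tail_1 the `f == NULL` branch now returns `PPM_FAILURE_BUG` and drops the whole event instead of emitting an empty path, and the comment's claim that this should never happen depends on the descriptor still being present in the fd table when the tail filler runs. Because a dropped event is a visibility gap for consumers of this driver, the comment should state that assumption explicitly and the drop should be made observable, for example with a `bpf_printk` line as the tail-call failure path already does. The comment also contains the typo `previosuly`. The declaration of `retval` in sys_open_by_handle_at_x lies outside the hunk, so its type and origin there are assumed to match the tail filler's.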