[Bug]: process-monitor module fails with BPF_PROG_LOAD on WSL2/5.15.68.1 #84

Closed
JuxhinDB opened this issue Oct 18, 2022 · 2 comments
@JuxhinDB
Contributor

Contact Details

No response

What happened?

Starting up Pulsar immediately results in the process-monitor module failing due to a BPF verifier error.

$ RUST_BACKTRACE=full cargo xtask pulsard
[2022-10-18T09:18:11Z ERROR pulsar::pulsard::module_manager] Module error in process-monitor: 
failed program load raw_tracepoint sched_process_exec

    Caused by:
        0: the BPF_PROG_LOAD syscall failed. Verifier output: func#0 @0
        ... TRUNCATED ...
        ; LOG_ERROR("can't get event memory");
        ... TRUNCATED ...
        1: Permission denied (os error 13)

Running on Debian on WSL2/5.15.x.

$ uname -a
Linux LAPTOP-IM56UP68 5.15.68.1-microsoft-standard-WSL2 #1 SMP Mon Sep 19 19:14:52 UTC 2022 x86_64 GNU/Linux

Running the test suite on the module hits the same issue with the following log output.

Relevant log output

$ sudo -E ./target/debug/test-suite process-monitor

running 8 tests
test process-monitor::fork_event               ... FAILED
test process-monitor::exec_event               ... FAILED
test process-monitor::exit_event               ... FAILED
test process-monitor::exit_event_no_thread     ... FAILED
test process-monitor::inherit_policy           ... FAILED
test process-monitor::exec_updates_interest    ... FAILED
test process-monitor::threads_are_ignored      ... ok
test process-monitor::exit_cleans_up_resources ... FAILED

failures:

---- process-monitor::fork_event ----
INFO:bpf_common::trace_pipe -- Logging events from /sys/kernel/debug/tracing/trace_pipe
❌ Panic: called `Result::unwrap()` on an `Err` value: running eBPF

Caused by:
    0: failed program load raw_tracepoint sched_process_exec
    1: the BPF_PROG_LOAD syscall failed. Verifier output: func#0 @0
   ... TRUNCATED ...
       from 221 to 292: safe
       104: R0=inv(id=0) R1_w=inv(id=0,umax_value=255,var_off=(0x0; 0xff)) R2_w=inv256 R4_w=inv(id=8) R6=inv(id=0) R7_w=inv(id=8) R8=map_value(id=0,off=0,ks=4,vs=536,imm=0) R9=map_value(id=0,off=0,ks=4,vs=536,imm=0) R10=fp0 fp-112=mmmmmmmm fp-120=inv fp-128=ctx fp-136=mmmmmmmm
       ; event->exec.data_len = len;
       104: (63) *(u32 *)(r8 +276) = r7
        R0=inv(id=0) R1_w=inv(id=0,umax_value=255,var_off=(0x0; 0xff)) R2_w=inv256 R4_w=inv(id=8) R6=inv(id=0) R7_w=inv(id=8) R8=map_value(id=0,off=0,ks=4,vs=536,imm=0) R9=map_value(id=0,off=0,ks=4,vs=536,imm=0) R10=fp0 fp-112=mmmmmmmm fp-120=inv fp-128=ctx fp-136=mmmmmmmm
       105: R0=inv(id=0) R1_w=inv(id=0,umax_value=255,var_off=(0x0; 0xff)) R2_w=inv256 R4_w=inv(id=8) R6=inv(id=0) R7_w=inv(id=8) R8=map_value(id=0,off=0,ks=4,vs=536,imm=0) R9=map_value(id=0,off=0,ks=4,vs=536,imm=0) R10=fp0 fp-112=mmmmmmmm fp-120=inv fp-128=ctx fp-136=mmmmmmmm
       ; bpf_core_read_user(event->exec.argv, len & (NAME_MAX - 1), (void *)start);
       105: (07) r9 += 280
       106: R0=inv(id=0) R1_w=inv(id=0,umax_value=255,var_off=(0x0; 0xff)) R2_w=inv256 R4_w=inv(id=8) R6=inv(id=0) R7_w=inv(id=8) R8=map_value(id=0,off=0,ks=4,vs=536,imm=0) R9_w=map_value(id=0,off=280,ks=4,vs=536,imm=0) R10=fp0 fp-112=mmmmmmmm fp-120=inv fp-128=ctx fp-136=mmmmmmmm
       106: (bf) r1 = r9
       107: R0=inv(id=0) R1_w=map_value(id=0,off=280,ks=4,vs=536,imm=0) R2_w=inv256 R4_w=inv(id=8) R6=inv(id=0) R7_w=inv(id=8) R8=map_value(id=0,off=0,ks=4,vs=536,imm=0) R9_w=map_value(id=0,off=280,ks=4,vs=536,imm=0) R10=fp0 fp-112=mmmmmmmm fp-120=inv fp-128=ctx fp-136=mmmmmmmm
       107: (bf) r2 = r7
       108: R0=inv(id=0) R1_w=map_value(id=0,off=280,ks=4,vs=536,imm=0) R2_w=inv(id=8) R4_w=inv(id=8) R6=inv(id=0) R7_w=inv(id=8) R8=map_value(id=0,off=0,ks=4,vs=536,imm=0) R9_w=map_value(id=0,off=280,ks=4,vs=536,imm=0) R10=fp0 fp-112=mmmmmmmm fp-120=inv fp-128=ctx fp-136=mmmmmmmm
       108: (bf) r3 = r6
       109: R0=inv(id=0) R1_w=map_value(id=0,off=280,ks=4,vs=536,imm=0) R2_w=inv(id=8) R3_w=inv(id=19) R4_w=inv(id=8) R6=inv(id=19) R7_w=inv(id=8) R8=map_value(id=0,off=0,ks=4,vs=536,imm=0) R9_w=map_value(id=0,off=280,ks=4,vs=536,imm=0) R10=fp0 fp-112=mmmmmmmm fp-120=inv fp-128=ctx fp-136=mmmmmmmm
       109: (85) call bpf_probe_read_user#112
       R2 min value is negative, either use unsigned or 'var &= const'
       verification time 2186 usec
       stack depth 136
       processed 345 insns (limit 1000000) max_states_per_insn 1 total_states 25 peak_states 25 mark_read 9

    2: Permission denied (os error 13)
  | at /home/juxhin/projects/pulsar/bpf-common/src/test_runner.rs:116:64

@JuxhinDB JuxhinDB added the bug label Oct 18, 2022
@JuxhinDB JuxhinDB self-assigned this Oct 18, 2022
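
An added example, not part of the original issue or of Pulsar's code: a small Python triage helper for verifier output like the log above. It finds the rejected helper argument, follows register copies back to the register it came from, and reports the verifier's state for it; `SAMPLE_LOG` is abridged from the log in this issue, and `triage` and the result keys are hypothetical names.

```python
import re

# Abridged from the issue's verifier output; state lines keep only relevant registers.
SAMPLE_LOG = """\
104: R1_w=inv(id=0,umax_value=255,var_off=(0x0; 0xff)) R2_w=inv256 R7_w=inv(id=8) R10=fp0 fp-112=mmmmmmmm
104: (63) *(u32 *)(r8 +276) = r7
105: (07) r9 += 280
106: (bf) r1 = r9
107: (bf) r2 = r7
108: R1_w=map_value(id=0,off=280,ks=4,vs=536,imm=0) R2_w=inv(id=8) R7_w=inv(id=8) R10=fp0
108: (bf) r3 = r6
109: (85) call bpf_probe_read_user#112
R2 min value is negative, either use unsigned or 'var &= const'
"""

STATE_RE = re.compile(r"\bR(\d+)(?:_w)?=(.*?)(?= R\d+(?:_w)?=| fp-|$)")
INSN_RE = re.compile(r"^\s*(\d+): \((\w\w)\) (.*)$")
MOV_RE = re.compile(r"r(\d+) = r(\d+)")
FAIL_RE = re.compile(r"^\s*R(\d+) min value is negative")
UMAX_RE = re.compile(r"umax_value=(\d+)")


def triage(log):
    """Explain a 'min value is negative' rejection, or return None if absent."""
    state, moves, call, bounded = {}, [], None, {}
    for line in log.splitlines():
        fail = FAIL_RE.match(line)
        if fail:
            rejected = origin = int(fail.group(1))
            # Follow plain register copies backwards; ALU writes are not tracked.
            for dst, src in reversed(moves):
                if dst == origin:
                    origin = src
            return {"helper": call, "rejected": rejected, "copied_from": origin,
                    "state": state.get(rejected), "bounded_earlier": bounded}
        insn = INSN_RE.match(line)
        if insn:
            mov = MOV_RE.fullmatch(insn.group(3))
            if mov:
                moves.append((int(mov.group(1)), int(mov.group(2))))
            if insn.group(2) == "85":  # opcode 0x85: helper call
                call = insn.group(3).split()[-1].split("#")[0]
            continue
        for num, value in STATE_RE.findall(line):
            state[int(num)] = value
            umax = UMAX_RE.search(value)
            if umax:  # remember registers that did carry an upper bound
                bounded[int(num)] = int(umax.group(1))
    return None
```

On the sample, `triage(SAMPLE_LOG)` reports that R2 at the `bpf_probe_read_user` call is a copy of R7 with state `inv(id=8)`, a scalar with no bounds, which is the register stored to `event->exec.data_len` at instruction 104. The size argument that reaches the helper is therefore the unmasked `len`, even though the annotated source line passes `len & (NAME_MAX - 1)`.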
@banditopazzo
Member

Having a similar issue in a slightly different context, as mentioned in #102. Probably related to the version of Clang/LLVM used to build the probes. You should try upgrading Clang/LLVM to a newer version or build with cross after #101 is merged.

@banditopazzo
Member

Closing as WSL2 uses a custom kernel and it's not supported.

@banditopazzo banditopazzo closed this as not planned Mar 5, 2024