fix(driver): fix bpf probe verifier on linux 5.14 and llvm 12.0.1 #81
…parse_readv_writev_bufs() on recent kernel and llvm (linux 5.14.2 and llvm 12.0.1). Signed-off-by: Federico Di Pierro <nierro92@gmail.com> Co-authored-by: Jason Dellaluce <jasondellaluce@gmail.com>
Hi @FedeDP. Thanks for your PR. I'm waiting for a falcosecurity member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Does it finally fix this issue? #58 It's been around for a while!
In my case, it fixed the issue.
/ok-to-test
Signed-off-by: Federico Di Pierro <nierro92@gmail.com> Co-authored-by: Michele Zuccala <michele@zuccala.com>
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
a41d9a8 to 0761f46
Sorry, I had to force push because we missed a Signed-off in the commit suggested by @zuc and committed via GitHub.
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
Just found two unneeded whitespaces (see suggestions below), otherwise looks awesome 🤩
I reserve some time to test it before the definitive approval.
Thank you!
Signed-off-by: Federico Di Pierro <nierro92@gmail.com> Co-authored-by: Leonardo Grasso <me@leonardograsso.com> Co-authored-by: Leonardo Grasso <me@leonardograsso.com>
Signed-off-by: Jason Dellaluce <jasondellaluce@gmail.com>
LGTM 🥳
Btw, many thanks for the detailed explanation, and congrats: these fixes are excellent! 👏
/approve
LGTM label has been added. Git tree hash: 336f3b3282f27ca9335d1a6c6190881c358f1a16
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: FedeDP, leogr The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
What type of PR is this?
/kind bug
Any specific area of the project related to this PR?
/area driver-ebpf
What this PR does / why we need it:
So far, the eBPF probe needs to be compiled with clang 7. Although newer versions of clang can successfully compile the probe, it then gets rejected by the kernel verifier. This has been an open issue for a while.
This PR applies a small set of fixes that allow our eBPF probe to be accepted by the kernel verifier even when compiled with recent versions of clang.
So far, we tested this on various versions of the linux kernel and of clang.
These are the results of our test grid, which we ran on amd64 architecture:
Additional context
At a high level, the kernel verifier rejects the eBPF for three main reasons:
- `off` variable is required because it is used to access memory inside `data->buf[off & ...]`. We solved the error by checking the value of `off` at the beginning of the loop.
- `&buf[off & SCRATCH_SIZE_HALF]`, visible here, is often rejected if compiled with newest clang versions. This is due to an optimization applied during the compilation. If a check such as `if (off > SCRATCH_SIZE_HALF) /* fail */` appears before a memory access such as `&buf[off & SCRATCH_SIZE_HALF]`, the compiler avoids performing the `& SCRATCH_SIZE_HALF` operation by assuming that the value of `off` is already bounded because it is checked inside the if statement. However, the compiled eBPF bytecode then gets rejected by the kernel verifier because it has no way to predict the value of `off` when accessing the memory buffer. We fixed this by storing the result of `off & SCRATCH_SIZE_HALF` in an additional variable, so that the compiler is forced to perform the bitwise bounding operation.
- `bpf_probe_read`, accept a `size` argument that is defined as a `signed integer`. However, in multiple instances (such as here) we pass `unsigned long` variables as `size` arguments. We assume the safety of this operation by checking that the value does not go beyond a certain threshold, or by bounding its value through a bitwise and operation, but this is not sufficient. The kernel verifier recognizes an attempt of converting a `u64` to an `s32`, and predicts the possibility of the value to become negative due to the potential bit overflow. We solved this problem by defining the passed value as `u16`, which was quite sufficient to cover our use cases (our max value fits in 16 bits comfortably).
Which issue(s) this PR fixes:
Fixes #58
Special notes for your reviewer:
Does this PR introduce a user-facing change?:
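A user-space C model of the three fixes described in the PR text above, added here as an illustration and not taken from the PR or the project's code. `gather()`, `probe_read()`, `struct iov`, the buffer sizes and the use of `volatile` to keep the mask are assumptions of this example.

```c
#include <stdint.h>
#include <string.h>

/* Constructed sizes for this example; not the driver's real values. */
#define SCRATCH_SIZE      (1u << 12)
#define SCRATCH_SIZE_HALF ((SCRATCH_SIZE - 1) >> 1) /* 0x7FF */

/* Hypothetical stand-in for one I/O vector entry. */
struct iov { const void *base; uint64_t len; };

/* Stand-in for a helper such as bpf_probe_read: size is a signed 32-bit int. */
static int probe_read(void *dst, int32_t size, const void *src)
{
    if (size < 0) return -1;
    memcpy(dst, src, (size_t)size);
    return 0;
}

/* A u64 narrowed to s32 can turn negative (it wraps on gcc/clang);
 * a u16 widened to s32 is always in 0..65535. */
static int32_t size_from_u64(uint64_t len) { return (int32_t)len; }
static int32_t size_from_u16(uint16_t len) { return (int32_t)len; }

/* Gathers the vectors into buf (SCRATCH_SIZE bytes); returns bytes copied. */
static long gather(char *buf, const struct iov *v, int n)
{
    uint64_t off = 0;
    for (int i = 0; i < n; i++) {
        /* 1. Check off at the beginning of every iteration. */
        if (off > SCRATCH_SIZE_HALF)
            break;
        /* 2. Masked offset in its own variable; volatile is this example's
         *    way of making sure the compiler cannot drop the mask. */
        volatile uint64_t off_bounded = off & SCRATCH_SIZE_HALF;
        /* 3. Clamped length carried as u16: widening to s32 stays >= 0. */
        uint64_t len = v[i].len;
        if (len > SCRATCH_SIZE_HALF)
            len = SCRATCH_SIZE_HALF;
        uint16_t read_size = (uint16_t)len;
        if (probe_read(&buf[off_bounded], size_from_u16(read_size), v[i].base) != 0)
            break;
        off += read_size;
    }
    return (long)off;
}
int main(void)
{
    char buf[SCRATCH_SIZE];
    struct iov v[2] = { { "abc", 3 }, { "defg", 4 } }; /* constructed input */
    return gather(buf, v, 2) == 7 && size_from_u64(1ULL << 31) < 0 ? 0 : 1;
}
```

With these sizes the largest masked offset plus the largest clamped length is 0xFFE, so every copy stays inside the `SCRATCH_SIZE` buffer.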