aya-rs / aya

Aya is an eBPF library for the Rust programming language, built with a focus on developer experience and operability.
https://aya-rs.dev/book/
Apache License 2.0

BPF verify failed with "Permission denied (os error 13)" #863

Closed driftli closed 9 months ago

driftli commented 9 months ago

I want to hook the readline function of /usr/bin/bash with a uretprobe. There are two copies of the code. The first one ran normally; here it is:

// Imports added for completeness; the crate was named aya-bpf at the time of
// this issue (later renamed aya-ebpf, with BpfContext becoming EbpfContext).
use aya_bpf::{helpers::bpf_probe_read_user_buf, programs::ProbeContext, BpfContext};
use aya_log_ebpf::info;
use core::ffi::c_long;

// This version loads: the copy goes into a fixed 16-byte stack buffer, so every
// length the verifier sees is a compile-time constant.
fn try_test(ctx: ProbeContext) -> Result<c_long, c_long> {
    info!(&ctx, "running into monitor function");
    let pid = ctx.pid();
    // Return value of readline(): a pointer to the user-space command string.
    let ret_ptr: *const u8 = ctx.ret().unwrap();

    let mut limit_buf = [0u8; 16];
    let cmd = unsafe {
        // Copies exactly 16 bytes; fails if the user page is not readable.
        bpf_probe_read_user_buf(ret_ptr, &mut limit_buf)?;
        core::str::from_utf8_unchecked(&limit_buf)
    };

    info!(&ctx, "/usr/bin/bash pid: {}, cmd: {}", pid, cmd);
    Ok(0)
}

The next one fails to start; I spent a long time trying to figure it out and it still fails.

// Imports added for completeness; the crate was named aya-bpf at the time of
// this issue (later renamed aya-ebpf, with BpfContext becoming EbpfContext).
use aya_bpf::{
    helpers::bpf_probe_read_user_str_bytes, macros::map, maps::PerCpuArray,
    programs::ProbeContext, BpfContext,
};
use aya_log_ebpf::info;
use core::ffi::c_long;

#[repr(C)]
pub struct Buf {
    pub buf: [u8; 64],
}

// Per-CPU scratch buffer used instead of a stack array.
#[map]
pub static mut BUF: PerCpuArray<Buf> = PerCpuArray::with_max_entries(1, 0);

fn try_test(ctx: ProbeContext) -> Result<c_long, c_long> {
    info!(&ctx, "running into monitor function");
    let pid = ctx.pid();
    // Return value of readline(): a pointer to the user-space command string.
    let ret_ptr: *const u8 = ctx.ret().unwrap();

    let buf = unsafe {
        let ptr = BUF.get_ptr_mut(0).ok_or(0)?;
        &mut *ptr
    };
    // Copies a NUL-terminated string of up to 64 bytes and returns the bytes
    // before the NUL. The length of that slice is only known at run time; it is
    // the value the verifier fails to bound in the error below.
    let cmd = unsafe {
        core::str::from_utf8_unchecked(bpf_probe_read_user_str_bytes(ret_ptr, &mut buf.buf)?)
    };

    info!(&ctx, "/usr/bin/bash pid: {}, cmd: {}", pid, cmd);
    Ok(0)
}

And here is the error message:

Error: the BPF_PROG_LOAD syscall failed. Verifier output: 0: (bf) r6 = r1

......(skipped)

302: (85) call bpf_perf_event_output#25
R5 min value is negative, either use unsigned or 'var &= const'
verification time 1899 usec
stack depth 24+0+0+0
processed 351 insns (limit 1000000) max_states_per_insn 1 total_states 14 peak_states 14 mark_read 13

Caused by:
    Permission denied (os error 13)
Failed to run `sudo -E target/debug/test`

Can someone help point out my mistake?
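The verifier hint in the output above ("either use unsigned or 'var &= const'") points at the length passed to bpf_perf_event_output: it is derived from the helper's return value, which the verifier cannot prove non-negative or smaller than the 64-byte map value. The following is an added example, written for this thread and not code from the issue or from aya: a plain user-space Rust model (not an eBPF program) of the helper's contract and of the two shapes of the read, the unbounded one from the second program and a bounded one that applies the constant mask the hint suggests. The names `probe_read_user_str`, `read_cmd_unbounded` and `read_cmd_bounded` and the sample inputs are constructed for the example.

```rust
// Added example: user-space model of the length-bounding problem from the
// issue. Not eBPF code and not part of aya; names are hypothetical.

const BUF_LEN: usize = 64; // same size as `Buf` in the issue; a power of two so a mask works

#[repr(C)]
pub struct Buf {
    pub buf: [u8; BUF_LEN],
}

/// Model of bpf_probe_read_user_str_bytes' underlying helper: copy a
/// NUL-terminated string into `dest`, truncating to dest.len() - 1 bytes and
/// always writing the NUL. Returns the copied length as a signed value, like
/// the kernel helper's return register; negative means the read faulted.
fn probe_read_user_str(src: Option<&[u8]>, dest: &mut [u8]) -> i64 {
    let src = match src {
        Some(s) => s,
        None => return -14, // -EFAULT: unreadable user page (constructed case)
    };
    let n = src.iter().position(|&b| b == 0).unwrap_or(src.len());
    let n = n.min(dest.len() - 1);
    dest[..n].copy_from_slice(&src[..n]);
    dest[n] = 0;
    n as i64
}

/// Shape of the issue's second program: the slice length comes straight from
/// the helper's return value. Rust checks it at run time, but the 5.4 verifier
/// in the issue could not prove `len` non-negative and bounded, which is what
/// "R5 min value is negative" reports.
fn read_cmd_unbounded<'a>(src: Option<&[u8]>, buf: &'a mut Buf) -> Result<&'a [u8], i64> {
    let len = probe_read_user_str(src, &mut buf.buf);
    if len < 0 {
        return Err(len);
    }
    Ok(&buf.buf[..len as usize])
}

/// Bounded shape: after the error check, mask the length with a constant, the
/// "var &= const" from the verifier hint. Whatever value the helper returned,
/// 0 <= len & (BUF_LEN - 1) < BUF_LEN, so the slice is provably in range.
/// The mask never changes a legitimate length, since the helper returns at
/// most BUF_LEN - 1 bytes.
fn read_cmd_bounded<'a>(src: Option<&[u8]>, buf: &'a mut Buf) -> Result<&'a str, i64> {
    let len = probe_read_user_str(src, &mut buf.buf);
    if len < 0 {
        return Err(len);
    }
    let len = (len as usize) & (BUF_LEN - 1);
    // from_utf8 rather than from_utf8_unchecked: a command line is arbitrary
    // user input and need not be valid UTF-8.
    core::str::from_utf8(&buf.buf[..len]).map_err(|_| -22) // -EINVAL (constructed)
}

fn main() {
    let mut buf = Buf { buf: [0; BUF_LEN] };
    // Constructed inputs: a short command, an over-long one, and a faulting read.
    println!("{:?}", read_cmd_bounded(Some(b"ls -la\0".as_slice()), &mut buf));
    let long = [b'a'; 200];
    println!("{:?}", read_cmd_bounded(Some(long.as_slice()), &mut buf).map(|s| s.len()));
    println!("{:?}", read_cmd_bounded(None, &mut buf));
}
```

In the eBPF program itself the same idea is a single extra line between the `?` and the slice: bind the returned slice's length, mask it with 63, and re-slice the map buffer with the masked value before handing it to info!. Whether the mask is needed depends on the kernel: newer verifiers track the helper's return bounds themselves, which matches the thread's observation that the unchanged program loads on 5.14 but not on 5.4.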

emanuele-em commented 9 months ago

Try to remove let pid = ctx.pid(); and check if the problem persists. I have a problem with pid() too, but inside TcContext.

driftli commented 9 months ago

> Try to remove let pid = ctx.pid(); and check if the problem persists. I have a problem with pid() too, but inside TcContext.

Thanks for the reply. I just tried removing let pid = ctx.pid() and still have the problem.

driftli commented 9 months ago

I guess the problem is in the eBPF program compilation, maybe a compatibility issue, because after I changed the kernel version to 5.14.0-148.el9.x86_64 it ran normally. (PS: the original kernel version is 5.4.143.)

There is another problem I found on kernel 3.10.0-1160.102.1.el7.x86_64: the error message "error relocating function". When I use SystemTap to do the same task, it passes. Just reporting it. Similar issue: here.

emanuele-em commented 9 months ago

> There is another problem I found on kernel 3.10.0-1160.102.1.el7.x86_64: the error message "error relocating function". When I use SystemTap to do the same task, it passes. Just reporting it. Similar issue: https://github.com/aya-rs/aya/issues/831.

OK, as far as I know eBPF is available from kernel v4.1 and fully available from kernel v4.4.

https://docs.lacework.net/onboarding/ebpf-support https://www.kernel.org/doc/html/latest/bpf/index.html https://www.tigera.io/learn/guides/ebpf/