aya-rs / aya

Aya is an eBPF library for the Rust programming language, built with a focus on developer experience and operability.
https://aya-rs.dev/book/
Apache License 2.0

Error: error parsing BPF object #903

Open Hugo96870 opened 8 months ago

Hugo96870 commented 8 months ago

Hey!

I'm trying to run an eBPF program, but I keep getting this error:

Error: error parsing BPF object

Caused by:
    0: error parsing ELF data
    1: Could not read file magic

Rust program:

use aya::programs::TracePoint;
use anyhow::Result;

fn main() -> Result<()> {
    /*let mut bpf = Bpf::load_file("./write_trace.bpf.o")?;
    println!("a");
    // Ensure the section name matches exactly what's in the object file
    let btf = Btf::from_sys_fs()?;
    let program: &mut BtfTracePoint = bpf.program_mut("trace_write_callback").unwrap().try_into()?;
    println!("a");
    program.load("trace_write_callback", &btf)?;
    println!("a");
    program.attach()?;
    */
    let mut bpf = aya::Bpf::load(&[])?;
    println!("a");
    let prog: &mut TracePoint = bpf.program_mut("trace_write_callback").unwrap().try_into()?;
    println!("a");
    prog.load()?;
    println!("a");
    prog.attach("syscalls", "sys_enter_write")?;

    println!("Program attached successfully.");
    Ok(())
}

The commented code was my initial approach, which also does not work. The code was written following one of your examples.

eBPF program

#include "./vmlinux.h"
#include "bpf/bpf_helpers.h"

struct write_event {
    u32 pid;
    ssize_t bytes_written; 
};

struct {
    __uint(type, BPF_MAP_TYPE_RINGBUF);
    __uint(max_entries, 1 << 16);
} events SEC(".maps");

SEC("tracepoint/syscalls/sys_enter_write")
int trace_write_callback(struct trace_event_raw_sys_enter *ctx) {
    struct write_event event = {};
    u32 pid = bpf_get_current_pid_tgid() >> 32;

    if(pid != 43392){
        return 0;
    }

    bpf_probe_read_user(&event.bytes_written, sizeof(event.bytes_written), (void *)ctx->args[2]);

    if (event.bytes_written > 0) {
        event.pid = pid;
        // Output the event to the ring buffer
        //bpf_ringbuf_output(&events, &event, sizeof(event), 0);
    }

    return 0;
}

char _license[] SEC("license") = "GPL";

The error pops up when I run the command cargo run. Thanks!

alessandrod commented 8 months ago

This most likely means that write_trace.bpf.o is invalid. How are you compiling the ebpf code?

Hugo96870 commented 8 months ago

> This most likely means that write_trace.bpf.o is invalid. How are you compiling the ebpf code?

The command I'm using is clang -O2 -target bpf -g -c write_trace.bpf.c -o write_trace.bpf.o inside the folder with the cargo.toml file


Hugo96870 commented 8 months ago

> This most likely means that write_trace.bpf.o is invalid. How are you compiling the ebpf code?

The command I'm using is clang -O2 -target bpf -g -c write_trace.bpf.c -o write_trace.bpf.o inside the folder with the cargo.toml file

With the approach of loading the object like: let mut bpf = Bpf::load_file("./write_trace.bpf.o")?; the following error pops up:

cargo run
    Finished dev [unoptimized + debuginfo] target(s) in 0.09s
     Running /home/hugo/Desktop/aya/target/debug/trace_write
a
thread 'main' panicked at trace_write/src/main.rs:18:73:
called Option::unwrap() on a None value
note: run with RUST_BACKTRACE=1 environment variable to display a backtrace
Aborted (core dumped)

Seems like what gets to the unwrap is undefined(/empty), but I don't know why
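
Added example (not code from this issue or from aya): a std-only Rust pre-flight check that a byte buffer looks like a relocatable eBPF ELF object before it is handed to a loader. It separates an empty or truncated buffer, such as the &[] passed to aya::Bpf::load in the code posted above, from a file that is ELF but not BPF. The names check_bpf_object, ObjError and sample_header are hypothetical, and the sample headers are constructed.

```rust
const ET_REL: u16 = 1; // relocatable object, what `clang -c` emits
const EM_BPF: u16 = 247; // e_machine value for Linux BPF
#[derive(Debug, PartialEq)]
pub enum ObjError {
    TooShort(usize),   // cannot even hold e_ident + e_type + e_machine
    BadMagic,          // does not start with 0x7f 'E' 'L' 'F'
    NotElf64(u8),      // EI_CLASS is not ELFCLASS64 (2)
    BadEndianness(u8), // EI_DATA is neither LSB (1) nor MSB (2)
    NotRelocatable(u16),
    NotBpf(u16),
}

/// Hypothetical helper: validate the ELF header fields a BPF loader relies on.
pub fn check_bpf_object(data: &[u8]) -> Result<(), ObjError> {
    if data.len() < 20 {
        return Err(ObjError::TooShort(data.len()));
    }
    if &data[..4] != b"\x7fELF" {
        return Err(ObjError::BadMagic);
    }
    if data[4] != 2 {
        return Err(ObjError::NotElf64(data[4]));
    }
    let rd = |off: usize| match data[5] { // EI_DATA gives the byte order of u16 fields
        1 => Ok(u16::from_le_bytes([data[off], data[off + 1]])),
        2 => Ok(u16::from_be_bytes([data[off], data[off + 1]])),
        other => Err(ObjError::BadEndianness(other)),
    };
    match (rd(16)?, rd(18)?) { // (e_type, e_machine)
        (ET_REL, EM_BPF) => Ok(()),
        (ET_REL, m) => Err(ObjError::NotBpf(m)),
        (t, _) => Err(ObjError::NotRelocatable(t)),
    }
}

/// Constructed sample: a 64-byte little-endian ELF64 header with the given e_machine.
pub fn sample_header(machine: u16) -> Vec<u8> {
    let mut h = vec![0u8; 64];
    h[..7].copy_from_slice(&[0x7f, b'E', b'L', b'F', 2, 1, 1]);
    h[16..18].copy_from_slice(&ET_REL.to_le_bytes());
    h[18..20].copy_from_slice(&machine.to_le_bytes());
    h
}

fn main() {
    for (name, bytes) in [("empty", vec![]), ("bpf", sample_header(EM_BPF)), ("x86-64", sample_header(62))] {
        println!("{}: {:?}", name, check_bpf_object(&bytes));
    }
}
```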