-
Notifications
You must be signed in to change notification settings - Fork 169
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(modern_ebpf): address verifier issues on kernel versions >=6.11.4
#2150
Conversation
With this new approach the tail calls are only visible inside the sched_proc_exec file. Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
Please double check driver/SCHEMA_VERSION file. See versioning. /hold |
>=6.11.4
@falcosecurity/libs-maintainers this should fix the second issue here falcosecurity/falco#3323 |
Perf diff from master - unit tests
Heap diff from master - unit tests
Heap diff from master - scap file
Benchmarks diff from master
|
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## master #2150 +/- ##
==========================================
- Coverage 74.69% 74.67% -0.03%
==========================================
Files 254 254
Lines 33502 33513 +11
Branches 5746 5729 -17
==========================================
+ Hits 25025 25026 +1
+ Misses 8477 8456 -21
- Partials 0 31 +31
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
X64 kernel testing matrix
ARM64 kernel testing matrix
|
The unique real failure here is this:
But this is failing on the legacy ebpf probably as a consequence of putting |
Since @Andreagit97 do you agree? |
Signed-off-by: Andrea Terzolo <andreaterzolo3@gmail.com>
Without sched_switch and a sampling ratio so high (128) it was possible that in 50000 events there was no a |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just tested the fix in a affected system and the verifier is now happy again, thanks for putting this together @Andreagit97.
There is a segfault on one of the tests that worries me a bit, so I'm holding off on approving until that is addressed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
LGTM label has been added. Git tree hash: e4f7b91cb93ebdb404a911da38adcb8a3480718d
|
@Molter73 if you mean this one
This is not related to this PR, all PRs on libs are failing on this since the switch to GitHub arm64 runners |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Andreagit97, Molter73 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/merge |
/milestone 0.18.2 |
A recent BPF verifier vulnerability made some fixes to the modern BPF probe necessary. See: falcosecurity/libs#2150 Signed-off-by: Holger Hoffstätte <holger@applied-asynchrony.com>
A recent BPF verifier vulnerability made some fixes to the modern BPF probe necessary. See: falcosecurity/libs#2150
A recent BPF verifier vulnerability made some fixes to the modern BPF probe necessary. See: falcosecurity/libs#2150 Signed-off-by: Holger Hoffstätte <holger@applied-asynchrony.com>
A recent BPF verifier vulnerability made some fixes to the modern BPF probe necessary. See: falcosecurity/libs#2150 Signed-off-by: Holger Hoffstätte <holger@applied-asynchrony.com> Signed-off-by: Sam James <sam@gentoo.org>
What type of PR is this?
/kind bug
Any specific area of the project related to this PR?
/area driver-modern-bpf
Does this PR require a change in the driver versions?
No
What this PR does / why we need it:
There are many changes but they are almost all renames, review it commit by commit.
This PR addresses a kernel-breaking change in the tail call ebpf API merged into the 6.11.4.
The reason behind the change is a CVE https://access.redhat.com/security/cve/cve-2024-50063
The commit that introduces the breaking change is https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=5d5e3b4cbe8ee16b7bf96fd73a421c92a9da3ca1
The fix on our side is pretty simple in the end, we avoid tail calls were possible and if not possible we use a dedicated tail call. Before this patch, we had a unique tail table for all the progs since it was possible to have a single tail table even if the attached function prototype was different.
Let's go commit by commit
UF_ALWAYS_DROP
Which issue(s) this PR fixes:
Special notes for your reviewer:
The verifier error corresponding to this issue was
Does this PR introduce a user-facing change?: