cilium/ebpf: came across a problem with the `PT_REGS_PARM3_CORE` and `PT_REGS_PARM3` functions


I have been learning eBPF recently. However, I came across a problem that I cannot solve.

I was trying to gather system calls using `raw_tracepoint/sys_enter`. I use PT_REGS_PARM3_CORE and PT_REGS_PARM3 to get the fchmodat params.

PT_REGS_PARM3_CORE version:

```c
//go:build ignore

// #include "vmlinux.h"
#include "common.h"
#include "bpf_endian.h"
#include "bpf_tracing.h"

char __license[] SEC("license") = "Dual MIT/GPL";


struct bpf_raw_tracepoint_args {
    __u64 args[0];
};

#define TASK_COMM_LEN 16
#define TARGET_NAME "cron"
typedef unsigned long size_t;


SEC("raw_tracepoint/sys_enter")
int raw_tracepoint__sys_enter(struct bpf_raw_tracepoint_args *ctx)
{
    unsigned long syscall_id = ctx->args[1];
    bpf_printk("syscall_id:%lu", syscall_id);
    if(syscall_id != 268)
        return 0;

    struct pt_regs *regs;
    regs = (struct pt_regs *) ctx->args[0];

    u32 mode;

    mode = (u32) PT_REGS_PARM3_CORE(regs);

    char fmt[] = "fchmodat %d\n";
    if (!mode) {
        return 0;
    }
    bpf_trace_printk(fmt, sizeof(fmt), mode);

    return 0;
}
```

When I run `go generate`, I get the following error:

```text
/root/go/src/github.com/Kevin-sa/ebpf-fuzz/sys_enter/raw_sys_enter.c:34:18: error: use of undeclared identifier 'rsi'
../headers/bpf_tracing.h:131:50: note: expanded from macro 'PT_REGS_PARM2_CORE'
#define PT_REGS_PARM2_CORE(x) BPF_CORE_READ((x), rsi)
```

PT_REGS_PARM3 version:

```c
//go:build ignore

// #include "vmlinux.h"
#include "common.h"
#include "bpf_endian.h"
#include "bpf_tracing.h"

char __license[] SEC("license") = "Dual MIT/GPL";


struct bpf_raw_tracepoint_args {
    __u64 args[0];
};

#define TASK_COMM_LEN 16
#define TARGET_NAME "cron"
typedef unsigned long size_t;


SEC("raw_tracepoint/sys_enter")
int raw_tracepoint__sys_enter(struct bpf_raw_tracepoint_args *ctx)
{
    unsigned long syscall_id = ctx->args[1];
    bpf_printk("syscall_id:%lu", syscall_id);
    if(syscall_id != 268)
        return 0;

    struct pt_regs *regs;
    regs = (struct pt_regs *) ctx->args[0];

    u32 mode;

    mode = (u32) PT_REGS_PARM3(regs);

    char fmt[] = "fchmodat %d\n";
    if (!mode) {
        return 0;
    }
    bpf_trace_printk(fmt, sizeof(fmt), mode);

    return 0;
}
```

When I run it, I get the following error:

```text
2023/11/29 10:47:53 loading objects: field RawTracepointSysEnter: program raw_tracepoint__sys_enter: load program: permission denied: 9: (79) r3 = *(u64 *)(r1 +96): R1 invalid mem access 'scalar' (16 line(s) omitted)
```

I have been googling and searching the web for a long time, but I was not able to find a solution for this. It would be very helpful for me if anybody could take some time off to save me...

Also, my kernel version is Linux 5.15.0-88-generic and arch is x86_64 for your information.

Thanks!

1 answer

Answer by mozillazg:

Here is a working example for raw_tracepoint/sys_enter using cilium/ebpf (including all necessary files): https://github.com/mozillazg/hello-libbpfgo/tree/develop/12-raw-tracepoint-args/cilium-ebpf

For PT_REGS_PARM3_CORE: The header file is missing some defines. You can try using header files from libbpf, similar to the example project.

For PT_REGS_PARM3: We need the full verifier error message for debugging. You can get the full verifier error log via:

```go
// VerifierError is the error type returned by github.com/cilium/ebpf
// (package ebpf) when the kernel verifier rejects a program.
var ve *ebpf.VerifierError
if errors.As(err, &ve) {
    // Using %+v will print the whole verifier error, not just the last
    // few lines.
    fmt.Printf("Verifier error: %+v\n", ve)
}
```
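To show how the single verifier line quoted in the question can be read before the full log is available, here is an added example (not code from the question, the answer, or cilium/ebpf). It parses `(79) r3 = *(u64 *)(r1 +96)`, checks that opcode 0x79 is an 8-byte `BPF_LDX` memory load, and maps offset 96 onto a local replica of the x86_64 `struct pt_regs` layout; the replica field order and the syscall argument order are assumptions taken from the kernel's x86 conventions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Local replica of the x86_64 kernel struct pt_regs field order (assumption,
 * copied from arch/x86 ptrace.h); used only to name a byte offset. */
struct x86_64_pt_regs {
    unsigned long r15, r14, r13, r12, bp, bx;
    unsigned long r11, r10, r9, r8, ax, cx, dx, si, di;
    unsigned long orig_ax, ip, cs, flags, sp, ss;
};

/* BPF opcode components as defined in linux/bpf_common.h and linux/bpf.h. */
#define BPF_LDX 0x01
#define BPF_MEM 0x60
#define BPF_DW  0x18

struct ldx_insn { int opcode, dst, src, off; };

/* Parse a verifier line such as "(79) r3 = *(u64 *)(r1 +96)".
 * Returns 1 only if it is a direct 8-byte load through a register. */
int parse_ldx_line(const char *line, struct ldx_insn *out)
{
    if (sscanf(line, "(%x) r%d = *(u64 *)(r%d %d)",
               &out->opcode, &out->dst, &out->src, &out->off) != 4)
        return 0;
    return out->opcode == (BPF_LDX | BPF_MEM | BPF_DW);
}

/* Name the pt_regs field that starts at byte offset `off`, or NULL. */
const char *pt_regs_field_at(int off)
{
#define F(name) if (off == (int)offsetof(struct x86_64_pt_regs, name)) return #name;
    F(r15) F(r14) F(r13) F(r12) F(bp) F(bx) F(r11) F(r10) F(r9) F(r8)
    F(ax) F(cx) F(dx) F(si) F(di) F(orig_ax) F(ip) F(cs) F(flags) F(sp) F(ss)
#undef F
    return NULL;
}

/* x86_64 syscall argument number carried by a pt_regs field (di=1 ... r9=6), 0 if none. */
int syscall_arg_number(const char *field)
{
    static const char *order[] = { "di", "si", "dx", "r10", "r8", "r9" };
    for (int i = 0; i < 6; i++)
        if (strcmp(field, order[i]) == 0) return i + 1;
    return 0;
}

int main(void)
{
    /* Verifier line quoted in the question. */
    const char *log = "9: (79) r3 = *(u64 *)(r1 +96): R1 invalid mem access 'scalar'";
    struct ldx_insn in;
    const char *p = strchr(log, '(');
    if (!p || !parse_ldx_line(p, &in)) { puts("not an 8-byte LDX line"); return 1; }
    const char *field = pt_regs_field_at(in.off);
    printf("direct load of pt_regs->%s (syscall arg %d) via r%d+%d into r%d\n",
           field ? field : "?", field ? syscall_arg_number(field) : 0, in.src, in.off, in.dst);
    puts("r1 holds a plain u64 from ctx->args[0], so the verifier rejects the direct load");
    return 0;
}
```

The decoded line is exactly what `PT_REGS_PARM3(regs)` expands to on x86_64: a plain load of `regs->dx`, which the verifier refuses because a raw tracepoint argument is an untyped scalar rather than a pointer it can check. `PT_REGS_PARM3_CORE` goes through `BPF_CORE_READ`, i.e. a probe read, which is why it is the variant that can work once the headers define the field names.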