Is it possible to use bpf_override_return in uprobes/uretprobes?

Question

I am trying to modify the behaviour of a userspace function during runtime using ebpf uprobes. bpf_override_return is used in kprobes to override the return value, is it possible to use it in uprobes/uretprobes?

Answer 1

uprobes share the BPF infrastructure of kprobes so yes, you should be able to call bpf_override_return from uprobe BPF programs. Note you'll need CONFIG_BPF_KPROBE_OVERRIDE in your kernel config.

---

The bcc project has a list of which helpers are allowed from which program types at https://github.com/iovisor/bcc/blob/master/docs/kernel-versions.md.

To check yourself which program type allow for a given helper, you can run the following on the kernel sources:

$ git grep -W "&bpf_override_return_proto"
kernel/trace/bpf_trace.c=kprobe_prog_func_proto(enum bpf_func_id func_id, const struct bpf_prog *prog)
kernel/trace/bpf_trace.c-{
kernel/trace/bpf_trace.c-       switch (func_id) {
kernel/trace/bpf_trace.c-       case BPF_FUNC_perf_event_output:
kernel/trace/bpf_trace.c-               return &bpf_perf_event_output_proto;
kernel/trace/bpf_trace.c-       case BPF_FUNC_get_stackid:
kernel/trace/bpf_trace.c-               return &bpf_get_stackid_proto;
kernel/trace/bpf_trace.c-       case BPF_FUNC_get_stack:
kernel/trace/bpf_trace.c-               return &bpf_get_stack_proto;
kernel/trace/bpf_trace.c-#ifdef CONFIG_BPF_KPROBE_OVERRIDE
kernel/trace/bpf_trace.c-       case BPF_FUNC_override_return:
kernel/trace/bpf_trace.c:               return &bpf_override_return_proto;
kernel/trace/bpf_trace.c-#endif

Here we see that bpf_override_return can be called from kprobe programs only.

Answer 2

There is another userspace eBPF runtime, https://github.com/eunomia-bpf/bpftime which can be compatible with kernel eBPF uprobe and supports override userspace functions and this helper. Maybe you can have a try?

See the examples in https://github.com/eunomia-bpf/bpftime/tree/master/example/error-inject (It's experimental, though)