Failed to start eBPF object because of R5 unbounded memory access

[rulindw]

Same issue: #65

Got the same issue after 1.5.0 release on RHEL 9 (cant reopen the old one)

Failed to start eBPF object because of R5 unbounded memory access

journalctl output:

Feb 06 09:56:31 localhost.localdomain sysmon[114908]: 589: (bf) r2 = r3                     ; R2_w=map_value(map=temppathArray,ks=4,vs=8192) R3_w=map_value(map=temppathArray,ks=4,vs=8192)
Feb 06 09:56:31 localhost.localdomain sysmon[114908]: 590: (0f) r2 += r1                    ; R1_w=4094 R2_w=map_value(map=temppathArray,ks=4,vs=8192,off=4094)
Feb 06 09:56:31 localhost.localdomain sysmon[114908]: 591: (b4) w1 = 43                     ; R1_w=43
Feb 06 09:56:31 localhost.localdomain sysmon[114908]: 592: (73) *(u8 *)(r2 +0) = r1         ; R1_w=43 R2_w=map_value(map=temppathArray,ks=4,vs=8192,off=4094)
Feb 06 09:56:31 localhost.localdomain sysmon[114908]: 593: (05) goto pc+64
Feb 06 09:56:31 localhost.localdomain sysmon[114908]: ; temp[(PATH_MAX - size) & (PATH_MAX -1)] = '/'; @ sysinternalsEBPF_helpers.c:363
Feb 06 09:56:31 localhost.localdomain sysmon[114908]: 658: (79) r1 = *(u64 *)(r10 -72)      ; R1_w=map_value(map=eventStorageMap,ks=4,vs=65512,off=16511) R10=fp0 fp-72=map_value(map=eventStorageMap,ks=4,vs=65512,>
Feb 06 09:56:31 localhost.localdomain sysmon[114908]: ; dlen = bpf_probe_read_str(dest, PATH_MAX, &temp[(PATH_MAX - size) & (PATH_MAX -1)]); @ sysinternalsEBPF_helpers.c:388
Feb 06 09:56:31 localhost.localdomain sysmon[114908]: 659: (84) w5 = -w5                    ; R5_w=scalar()
Feb 06 09:56:31 localhost.localdomain sysmon[114908]: 660: (54) w5 &= 4095                  ; R5_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=4095,var_off=(0x0; 0xfff))
Feb 06 09:56:31 localhost.localdomain sysmon[114908]: 661: (0f) r3 += r5                    ; R3_w=map_value(map=temppathArray,ks=4,vs=8192,smin=smin32=0,smax=umax=smax32=umax32=4095,var_off=(0x0; 0xfff)) R5_w=sc>
Feb 06 09:56:31 localhost.localdomain sysmon[114908]: 662: (b4) w2 = 4096                   ; R2_w=4096
Feb 06 09:56:31 localhost.localdomain sysmon[114908]: 663: (85) call bpf_probe_read_str#45          ; R0_w=scalar(smin=smin32=-4095,smax=smax32=4096)
Feb 06 09:56:31 localhost.localdomain sysmon[114908]: 664: (66) if w0 s> 0x0 goto pc+1      ; R0_w=scalar(smin=smin32=-4095,smax=4096,smax32=0)
Feb 06 09:56:31 localhost.localdomain sysmon[114908]: 665: (b4) w0 = 0                      ; R0=0
Feb 06 09:56:31 localhost.localdomain sysmon[114908]: 666: (7b) *(u64 *)(r10 -120) = r0     ; R0=0 R10=fp0 fp-120_w=0
Feb 06 09:56:31 localhost.localdomain sysmon[114908]: 667: (79) r9 = *(u64 *)(r10 -136)     ; R9_w=map_value(map=eventStorageMap,ks=4,vs=65512) R10=fp0 fp-136=map_value(map=eventStorageMap,ks=4,vs=65512)
Feb 06 09:56:31 localhost.localdomain sysmon[114908]: 668: (79) r7 = *(u64 *)(r10 -72)      ; R7_w=map_value(map=eventStorageMap,ks=4,vs=65512,off=16511) R10=fp0 fp-72=map_value(map=eventStorageMap,ks=4,vs=65512,>
Feb 06 09:56:31 localhost.localdomain sysmon[114908]: 669: (79) r8 = *(u64 *)(r10 -120)     ; R8_w=0 R10=fp0 fp-120_w=0
Feb 06 09:56:31 localhost.localdomain sysmon[114908]: ; event->m_Extensions[PC_CurrentDirectory] = extLen; @ sysmonProcCreate.c:76
Feb 06 09:56:31 localhost.localdomain sysmon[114908]: 670: (63) *(u32 *)(r9 +116) = r8      ; R8_w=0 R9_w=map_value(map=eventStorageMap,ks=4,vs=65512)
Feb 06 09:56:31 localhost.localdomain sysmon[114908]: ; extLen = copyPwdPath(ptr, task, config); @ sysmonProcCreate.c:75
Feb 06 09:56:31 localhost.localdomain sysmon[114908]: 671: (bc) w1 = w8                     ; R1_w=0 R8_w=0
Feb 06 09:56:31 localhost.localdomain sysmon[114908]: ; asm volatile("%[extLen] &= " XSTR(PATH_MAX - 1) "\n" @ sysmonProcCreate.c:77
Feb 06 09:56:31 localhost.localdomain sysmon[114908]: 672: (57) r1 &= 4095                  ; R1_w=0
Feb 06 09:56:31 localhost.localdomain sysmon[114908]: 673: (0f) r7 += r1                    ; R1_w=0 R7_w=map_value(map=eventStorageMap,ks=4,vs=65512,off=16511)
Feb 06 09:56:31 localhost.localdomain sysmon[114908]: ; if (ptr != NULL && ptr > eventHdr) { @ sysmonProcCreate_rawtp.c:61
Feb 06 09:56:31 localhost.localdomain sysmon[114908]: 674: (bd) if r7 <= r9 goto pc+57      ; R7_w=map_value(map=eventStorageMap,ks=4,vs=65512,off=16511) R9_w=map_value(map=eventStorageMap,ks=4,vs=65512)
Feb 06 09:56:31 localhost.localdomain sysmon[114908]: ; eventHdr->m_EventSize = (uint32_t)((void *)ptr - (void *)eventHdr); @ sysmonProcCreate_rawtp.c:62
Feb 06 09:56:31 localhost.localdomain sysmon[114908]: 675: (1f) r7 -= r9                    ; R7_w=scalar() R9_w=map_value(map=eventStorageMap,ks=4,vs=65512)
Feb 06 09:56:31 localhost.localdomain sysmon[114908]: ; eventOutput(ctx, &eventMap, BPF_F_CURRENT_CPU, eventHdr, size < LINUX_MAX_EVENT_SIZE ? size : 0); @ sysmonHelpers.c:124
Feb 06 09:56:31 localhost.localdomain sysmon[114908]: 676: (bf) r5 = r7                     ; R5_w=scalar(id=277) R7_w=scalar(id=277)
Feb 06 09:56:31 localhost.localdomain sysmon[114908]: 677: (67) r5 <<= 32                   ; R5_w=scalar(smax=0x7fffffff00000000,umax=0xffffffff00000000,smin32=0,smax32=umax32=0,var_off=(0x0; 0xffffffff00000000))
Feb 06 09:56:31 localhost.localdomain sysmon[114908]: 678: (77) r5 >>= 32                   ; R5_w=scalar(smin=0,smax=umax=0xffffffff,var_off=(0x0; 0xffffffff))
Feb 06 09:56:31 localhost.localdomain sysmon[114908]: 679: (a6) if w7 < 0xffe8 goto pc+1 681: R0=0 R1_w=0 R5_w=scalar(smin=0,smax=umax=0xffffffff,var_off=(0x0; 0xffffffff)) R6=scalar(id=273,smin=umin=smin32=umin3>
Feb 06 09:56:31 localhost.localdomain sysmon[114908]: ; eventHdr->m_EventSize = (uint32_t)((void *)ptr - (void *)eventHdr); @ sysmonProcCreate_rawtp.c:62
Feb 06 09:56:31 localhost.localdomain sysmon[114908]: 681: (63) *(u32 *)(r9 +4) = r7        ; R7_w=scalar(id=277,smax=0x7fffffff0000ffe7,umax=0xffffffff0000ffe7,smin32=0,smax32=umax32=0xffe7,var_off=(0x0; 0xfffff>
Feb 06 09:56:31 localhost.localdomain sysmon[114908]: 682: (b4) w1 = 1025                   ; R1_w=1025
Feb 06 09:56:31 localhost.localdomain sysmon[114908]: ; uint32_t indexLocation = PERF_ERRORS_WRITE_INDEX; @ sysinternalsEBPF_helpers.c:61
Feb 06 09:56:31 localhost.localdomain sysmon[114908]: 683: (63) *(u32 *)(r10 -32) = r1      ; R1_w=1025 R10=fp0 fp-32=mmmm1025
Feb 06 09:56:31 localhost.localdomain sysmon[114908]: ; ret = bpf_perf_event_output(ctx, map, flags, data, size); @ sysinternalsEBPF_helpers.c:65
Feb 06 09:56:31 localhost.localdomain sysmon[114908]: 684: (79) r1 = *(u64 *)(r10 -48)      ; R1_w=ctx() R10=fp0 fp-48=ctx()
Feb 06 09:56:31 localhost.localdomain sysmon[114908]: 685: (18) r2 = 0xffff9a3c126e0000     ; R2_w=map_ptr(map=eventMap,ks=4,vs=4)
Feb 06 09:56:31 localhost.localdomain sysmon[114908]: 687: (18) r3 = 0xffffffff             ; R3_w=0xffffffff
Feb 06 09:56:31 localhost.localdomain sysmon[114908]: 689: (bf) r4 = r9                     ; R4_w=map_value(map=eventStorageMap,ks=4,vs=65512) R9_w=map_value(map=eventStorageMap,ks=4,vs=65512)
Feb 06 09:56:31 localhost.localdomain sysmon[114908]: 690: (85) call bpf_perf_event_output#25
Feb 06 09:56:31 localhost.localdomain sysmon[114908]: R5 unbounded memory access, use 'var &= const' or 'if (var < const)'
Feb 06 09:56:31 localhost.localdomain sysmon[114908]: processed 3117 insns (limit 1000000) max_states_per_insn 3 total_states 88 peak_states 88 mark_read 86
Feb 06 09:56:31 localhost.localdomain sysmon[114908]: -- END PROG LOAD LOG --
Feb 06 09:56:31 localhost.localdomain sysmon[114908]: libbpf: prog 'ProcCreateRawExit': failed to load: -13
Feb 06 09:56:31 localhost.localdomain sysmon[114908]: libbpf: failed to load object './/sysmonEBPFkern5.6-_core.o'
Feb 06 09:56:31 localhost.localdomain sysmon[114847]: Telemetry failed to start: eBPF object could not be loaded

[MarioHewardt]

Thanks for reporting this. Does the issue only occur on 9? What about other distros?