tetragon: handle resolving null pointer

andrewstrohman · andrewstrohman · commit 478412bd5da9 · 2025-11-12T12:09:05.000-08:00
Instead of following a null pointer, note that one was found so that the
selector does not determine a match against unrelated data in memory.

Signed-off-by: Andy Strohman &lt;astrohma@isovalent.com&gt;
diff --git a/bpf/lib/generic.h b/bpf/lib/generic.h
@@ -80,6 +80,7 @@ struct msg_generic_kprobe {
 #ifndef __V61_BPF_PROG
 	struct generic_path path;
 #endif
+	__s8 resolve_err_depth[MAX_POSSIBLE_ARGS];
 };
 
 FUNC_INLINE size_t generic_kprobe_common_size(void)
diff --git a/bpf/process/generic_calls.h b/bpf/process/generic_calls.h
@@ -391,14 +391,22 @@ extract_arg_depth(u32 i, struct extract_arg_data *data)
 {
 	if (i >= MAX_BTF_ARG_DEPTH || !data->btf_config[i].is_initialized)
 		return 1;
+
 	*data->arg = *data->arg + data->btf_config[i].offset;
-	if (data->btf_config[i].is_pointer)
-		probe_read((void *)data->arg, sizeof(char *), (void *)*data->arg);
+
+	if (data->btf_config[i].is_pointer) {
+		if (probe_read((void *)data->arg, sizeof(char *), (void *)*data->arg) < 0) {
+			*data->resolve_err_depth = i;
+			return 1;
+		}
+	}
+
 	return 0;
 }
 
 #ifdef __LARGE_BPF_PROG
-FUNC_INLINE void extract_arg(struct event_config *config, int index, unsigned long *a)
+FUNC_INLINE void extract_arg(struct event_config *config, int index, unsigned long *a,
+			     __s8 *resolve_err_depth)
 {
 	struct config_btf_arg *btf_config;
 
@@ -413,6 +421,7 @@ FUNC_INLINE void extract_arg(struct event_config *config, int index, unsigned lo
 		struct extract_arg_data extract_data = {
 			.btf_config = btf_config,
 			.arg = a,
+			.resolve_err_depth = resolve_err_depth,
 		};
 #ifndef __V61_BPF_PROG
 #pragma unroll
@@ -426,7 +435,10 @@ FUNC_INLINE void extract_arg(struct event_config *config, int index, unsigned lo
 	}
 }
 #else
-FUNC_INLINE void extract_arg(struct event_config *config, int index, unsigned long *a) {}
+FUNC_INLINE void extract_arg(struct event_config *config, int index, unsigned long *a,
+			     __s8 *resolve_err_depth)
+{
+}
 #endif /* __LARGE_BPF_PROG */
 
 FUNC_INLINE int arg_idx(int index)
@@ -471,9 +483,11 @@ FUNC_INLINE long generic_read_arg(void *ctx, int index, long off, struct bpf_map
 	ty = config->arg[index];
 	am = config->arm[index];
 
+	e->resolve_err_depth[index] = -1;
+
 #if defined(GENERIC_TRACEPOINT) || defined(GENERIC_USDT)
 	a = (&e->a0)[index];
-	extract_arg(config, index, &a);
+	extract_arg(config, index, &a, &e->resolve_err_depth[index]);
 #else
 	arg_index = config->idx[index];
 	asm volatile("%[arg_index] &= %1 ;\n"
@@ -491,7 +505,7 @@ FUNC_INLINE long generic_read_arg(void *ctx, int index, long off, struct bpf_map
 	else
 		a = (&e->a0)[arg_index];
 
-	extract_arg(config, index, &a);
+	extract_arg(config, index, &a, &e->resolve_err_depth[index]);
 
 	if (should_offload_path(ty))
 		return generic_path_offload(ctx, ty, a, index, off, tailcals);
diff --git a/bpf/process/types/basic.h b/bpf/process/types/basic.h
@@ -184,6 +184,7 @@ struct config_usdt_arg {
 struct extract_arg_data {
 	struct config_btf_arg *btf_config;
 	unsigned long *arg;
+	__s8 *resolve_err_depth;
 };
 
 #define MAX_BTF_ARG_DEPTH	  10
@@ -2024,6 +2025,9 @@ selector_arg_offset(__u8 *f, struct msg_generic_kprobe *e, __u32 selidx,
 		if (index > 5)
 			return 0;
 
+		if (e->resolve_err_depth[index] != -1)
+			return 0;
+
 		args = get_arg(e, index);
 		switch (filter->type) {
 		case fd_ty:
