fix(bpf): use BPF_CORE_READ for ns.inum to fix verifier stack boundary error on kernel 6.18+#2547
Closed
Athang69 wants to merge 1 commit into
Pull request overview
Fixes a BPF verifier rejection on newer kernels by ensuring namespace inode numbers are read as scalars directly from kernel memory (via CO-RE), avoiding an intermediate ns_common stack copy that can lead to out-of-bounds stack access under stricter verification.
Changes:
- Update `get_task_pid_ns_id()` to read `ns.inum` via `BPF_CORE_READ(...)` instead of reading `ns` then accessing `.inum`.
- Update `get_task_mnt_ns_id()` similarly to read `ns.inum` via `BPF_CORE_READ(...)`.
Hi @Aryan-sharma11, gentle ping on this PR; would appreciate your review when possible. Thanks!
…y on kernel 6.18+ Signed-off-by: Athang69 <athangkali21@gmail.com>
4a4709b to f3d3e0f
@rksharma95 Thanks for the update! No worries at all. Happy to see the issue is resolved. I'll close this PR.
Purpose of PR?:
On kernel 6.18 (Talos 1.12.6), the BPF LSM enforcer fails to load with a verifier error: `invalid read from stack R7 off=0 size=4`.
`get_task_pid_ns_id` and `get_task_mnt_ns_id` in `shared.h` used `BPF_CORE_READ(..., ns).inum`, which reads the entire `ns_common` struct (24 bytes) onto the stack at `fp-24`, then accesses `.inum` at offset +24 from that base, landing at `fp+0` - past the stack frame boundary. Kernel 6.18 is stricter about this than earlier kernels, causing the verifier to reject the program and the enforcer to fail to initialize, leaving no active LSMs. Fix moves `.inum` inside the `BPF_CORE_READ` macro so it is read as a scalar directly from kernel memory instead of staging `ns_common` on the stack first.
Fixes #2544
Does this PR introduce a breaking change?
No
If the changes in this PR are manually verified, list down the scenarios covered:
Verified by reproducing the verifier error on Talos 1.12.6 (kernel 6.18.18-talos) with kubearmor 1.6.16 and confirming the error matches the stack boundary analysis. Unable to recompile BPF objects locally to test binary, but the root cause is confirmed directly from the verifier output.
Additional information for reviewer? :
The commented-out cgroup_ns line in `get_outer_key` has the same pattern `BPF_CORE_READ(t, nsproxy, cgroup_ns, ns).inum` and will hit the same verifier error if uncommented. Should be fixed preemptively.
Checklist:
<type>(<scope>): <subject>
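The stack-bounds arithmetic from the PR description, as an added user-space model that is not code from this pull request or the project: it applies a verifier-style bounds rule to the staged-struct read and to the scalar read. The 24-byte staged size and the +24 offset come from the description; all function names, the buffers and the sample inode value are hypothetical, constructed for this example.

```c
#include <stdint.h>
#include <string.h>

#define MAX_BPF_STACK  512          /* kernel's per-program BPF stack limit */
#define ERR_STACK_OOB  (-1)         /* model's stand-in for a verifier rejection */
/* Constructed to match the PR's numbers (not kernel source): a 24-byte staged
 * copy of ns, and .inum accessed at offset +24 from the start of that copy. */
#define STAGED_NS_SIZE 24
#define INUM_OFFSET    24
#define SAMPLE_INUM    0x2a2a2a2au  /* constructed value, endianness-independent */

/* Stand-in for kernel memory holding ns; bytes 24..27 carry the sample inum. */
static const uint8_t kernel_ns[32] = { [INUM_OFFSET] = 0x2a, 0x2a, 0x2a, 0x2a };
static uint8_t stack[MAX_BPF_STACK]; /* stack[512 + off] models fp+off, off < 0 */

/* Verifier-style rule: a stack access must lie entirely inside [fp-512, fp). */
static int stack_access_ok(int off, int size)
{
    return size > 0 && off >= -MAX_BPF_STACK && off + size <= 0;
}

/* Old pattern, BPF_CORE_READ(..., ns).inum: stage ns, then load .inum from it. */
static int read_inum_staged(uint32_t *out)
{
    int base = -STAGED_NS_SIZE;                    /* copy lands at fp-24 */
    int off = base + INUM_OFFSET;                  /* fp-24 + 24 = fp+0 */
    if (!stack_access_ok(base, STAGED_NS_SIZE) || !stack_access_ok(off, 4))
        return ERR_STACK_OOB;                      /* rejected: read at fp+0 */
    memcpy(stack + MAX_BPF_STACK + base, kernel_ns, STAGED_NS_SIZE);
    memcpy(out, stack + MAX_BPF_STACK + off, 4);
    return 0;
}

/* Fixed pattern, BPF_CORE_READ(..., ns.inum): only a 4-byte scalar is staged. */
static int read_inum_scalar(uint32_t *out)
{
    int off = -4;                                  /* scalar lands at fp-4 */
    if (!stack_access_ok(off, 4))
        return ERR_STACK_OOB;
    memcpy(stack + MAX_BPF_STACK + off, kernel_ns + INUM_OFFSET, 4);
    memcpy(out, stack + MAX_BPF_STACK + off, 4);
    return 0;
}

int main(void)
{
    uint32_t v = 0;
    return !(read_inum_staged(&v) == ERR_STACK_OOB && read_inum_scalar(&v) == 0);
}
```

The staged read fails on the second access (offset 0, size 4), the same offset and size the verifier reports for R7 in the quoted error.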