edb
Error `load collection: file dist/tracee.bpf.core.o: section "kprobe/security_file_open": string is not stack allocated: not supported`
Hi, after I enter the command `edb graph dist/tracee.bpf.core.o tracepoint__raw_syscalls__sys_enter -f dot -o res.dot`, I got the following error:
Error: load collection: file dist/tracee.bpf.core.o: section "kprobe/security_file_open": string is not stack allocated: not supported
Any help?
Edit: I am trying to create a control flow graph of the tracepoint__raw_syscalls__sys_enter program of the tracee project.
Steps to reproduce are:
- Clone tracee:
git clone https://github.com/aquasecurity/tracee.git
- Build tracee
cd tracee && make tracee-ebpf
- Attempt to render CFG:
edb graph dist/tracee.bpf.core.o tracepoint__raw_syscalls__sys_enter -f dot -o res.dot
This issue is caused by a limitation of the cilium/ebpf loader used by edb. The library doesn't support dedicated string sections.
When building the tracee program, the compiler places 3 string literals in a `.rodata.str1.1` section and marks it with a `SHF_STRINGS` flag, triggering the error in the loader. Loading this ELF file does work with `bpftool` (uses libbpf as loader library) which transforms the `.rodata.str1.1` section into a separate global data map. I am going to make a PR for the cilium/ebpf project to also add this feature.
The string literals in question are:
- https://github.com/aquasecurity/tracee/blob/260570df25844a7e05a1440d448082cec2447823/pkg/ebpf/c/tracee.bpf.c#L1861
- https://github.com/aquasecurity/tracee/blob/260570df25844a7e05a1440d448082cec2447823/pkg/ebpf/c/tracee.bpf.c#L2515
- https://github.com/aquasecurity/tracee/blob/260570df25844a7e05a1440d448082cec2447823/pkg/ebpf/c/tracee.bpf.c#L3190
Until that point, edb can't load programs with string sections. For now, the only way to get edb to work is to make some slight changes to tracee. By adding `static const` to the string, the compiler will place the data in the generic `.rodata` section.
I have included a patch file with this comment which should be applied on top of commit 260570df25844a7e05a1440d448082cec2447823. Hopefully this helps until we can upstream a permanent fix.
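To check whether an object file contains the kind of section described in the reply above, the following Go program lists loaded data sections flagged `SHF_STRINGS` using the standard `debug/elf` package. It is an added example, not part of the original thread and not code from edb or cilium/ebpf; `findStringSections` and the section table in `sampleSections` are constructed for illustration.

```go
package main

import (
	"debug/elf"
	"fmt"
	"os"
)

// findStringSections returns loaded (SHF_ALLOC) SHT_PROGBITS sections flagged SHF_STRINGS.
func findStringSections(secs []*elf.Section) []*elf.Section {
	var out []*elf.Section
	for _, s := range secs {
		if s.Type != elf.SHT_PROGBITS || s.Flags&elf.SHF_ALLOC == 0 || s.Flags&elf.SHF_STRINGS == 0 {
			continue // skips .strtab, unloaded .debug_str, program and plain data sections
		}
		out = append(out, s)
	}
	return out
}

// sampleSections is a constructed section table, not read from tracee.bpf.core.o.
func sampleSections() []*elf.Section {
	mk := func(n string, t elf.SectionType, f elf.SectionFlag, sz uint64) *elf.Section {
		return &elf.Section{SectionHeader: elf.SectionHeader{Name: n, Type: t, Flags: f, Size: sz}}
	}
	return []*elf.Section{
		mk(".strtab", elf.SHT_STRTAB, 0, 512),
		mk("kprobe/security_file_open", elf.SHT_PROGBITS, elf.SHF_ALLOC|elf.SHF_EXECINSTR, 4096),
		mk(".rodata", elf.SHT_PROGBITS, elf.SHF_ALLOC, 64),
		mk(".rodata.str1.1", elf.SHT_PROGBITS, elf.SHF_ALLOC|elf.SHF_MERGE|elf.SHF_STRINGS, 24),
		mk(".debug_str", elf.SHT_PROGBITS, elf.SHF_MERGE|elf.SHF_STRINGS, 9000),
	}
}

func main() {
	secs := sampleSections() // constructed input unless a path is given as argument
	if len(os.Args) > 1 {
		f, err := elf.Open(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		defer f.Close()
		secs = f.Sections
	}
	for _, s := range findStringSections(secs) {
		fmt.Printf("%s size=%d flags=%v\n", s.Name, s.Size, s.Flags)
	}
}
```

Run it with the path to an object file as the first argument to inspect a real build; an empty result after applying the `static const` change means no flagged section remains.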