From bc228cedae3261fbf0cc3f41867b6b5eb4dcc009 Mon Sep 17 00:00:00 2001
From: Roberto Scolaro
Date: Thu, 13 Apr 2023 08:46:43 +0000
Subject: [PATCH] fix(driver/bpf): fix ebpf verifier issue
Co-authored-by: Federico Di Pierro
Signed-off-by: Roberto Scolaro
---
 driver/bpf/filler_helpers.h | 4 ++--
 driver/bpf/fillers.h | 6 ++----
 .../events/syscall_dispatched_events/prctl.bpf.c | 5 -----
 driver/syscall_table.c | 6 +++---
 userspace/libsinsp/events/sinsp_events_ppm_sc.cpp | 1 +
 userspace/libsinsp/test/public_sinsp_API/ppm_sc_codes.cpp | 3 +++
 6 files changed, 11 insertions(+), 14 deletions(-)
diff --git a/driver/bpf/filler_helpers.h b/driver/bpf/filler_helpers.h
index aaaabd18dfd..241daae1e28 100644
--- a/driver/bpf/filler_helpers.h
+++ b/driver/bpf/filler_helpers.h
@@ -1075,8 +1075,8 @@ static __always_inline int bpf_push_empty_param(struct filler_data *data)
 fixup_evt_arg_len(data->buf, data->state->tail_ctx.curarg, 0);
 data->curarg_already_on_frame = false;
- /* We increment the current argument */
- ++data->state->tail_ctx.curarg;
+ /* We increment the current argument - to make verifier happy, properly check it against u32 max */
+ data->state->tail_ctx.curarg = (data->state->tail_ctx.curarg + 1) & (PPM_MAX_EVENT_PARAMS - 1);
 return PPM_SUCCESS;
 }
diff --git a/driver/bpf/fillers.h b/driver/bpf/fillers.h
index 9f4f04c1b9f..2174227a1b3 100644
--- a/driver/bpf/fillers.h
+++ b/driver/bpf/fillers.h
@@ -7159,14 +7159,12 @@ FILLER(sys_prctl_x, true)
 res = bpf_val_to_ring(data, (int)arg2_int);
 CHECK_RES(res);
 break;
+ case PPM_PR_SET_CHILD_SUBREAPER:
 default:
 /*
 * arg2_str
 */
- //XXX temporary workaround: the usage of `bpf_push_empty_param`
- // breaks the verifies
- //res = bpf_push_empty_param(data);
- res = bpf_val_to_ring(data, 0);
+ res = bpf_push_empty_param(data);
 CHECK_RES(res);
 /*
 * arg2_int
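Review bot: The new comment in bpf_push_empty_param says curarg is checked "against u32 max", but the added line masks it with `PPM_MAX_EVENT_PARAMS - 1`, so the comment names a different bound than the code enforces. The mask only bounds the index if PPM_MAX_EVENT_PARAMS is a power of two (its definition is not in this hunk), and on overflow it wraps curarg to 0 silently, so a later push would presumably reuse the first argument's length slot instead of failing, which would corrupt the recorded event rather than drop it. I would reword the comment to `/* Increment curarg; the mask keeps it below PPM_MAX_EVENT_PARAMS so the verifier can bound the index (wraps on overflow) */` and add `_Static_assert((PPM_MAX_EVENT_PARAMS & (PPM_MAX_EVENT_PARAMS - 1)) == 0, "curarg mask needs a power of two");` next to the definition. The function body starts before the hunk.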
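Review bot: `case PPM_PR_SET_CHILD_SUBREAPER:` stacked directly on `default:` in sys_prctl_x has no effect of its own, and nothing marks the fall-through as intended; the prctl.bpf.c hunk leaves the same shape after removing the duplicate branch. A one-line comment on the label, such as `/* handled like default: empty arg2_str, value reported in arg2_int */`, would keep a later edit from inserting a case between the two. This hunk also re-enables `bpf_push_empty_param` on a path where the removed comment says it broke the verifier, and no load test for the legacy probe is visible in the diff, so that is worth confirming on the oldest supported kernel. The switch continues outside the hunk.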
diff --git a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/prctl.bpf.c b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/prctl.bpf.c
index 5098fb9595b..7b4c227dcbc 100644
--- a/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/prctl.bpf.c
+++ b/driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/prctl.bpf.c
@@ -82,11 +82,6 @@ int BPF_PROG(prctl_x,
 auxmap__store_s64_param(auxmap, (s64)reaper_attr);
 break;
 case PPM_PR_SET_CHILD_SUBREAPER:
- /* Parameter 3: arg2_str (type: PT_CHARBUF) */
- auxmap__store_empty_param(auxmap);
- /* Parameter 4: arg2_int (type: PT_INT64) */
- auxmap__store_s64_param(auxmap, arg2);
- break;
 default:
 /* Parameter 3: arg2_str (type: PT_CHARBUF) */
 auxmap__store_empty_param(auxmap);
diff --git a/driver/syscall_table.c b/driver/syscall_table.c
index 46a1271452a..8f4e9de39a8 100644
--- a/driver/syscall_table.c
+++ b/driver/syscall_table.c
@@ -396,6 +396,9 @@ const struct syscall_evt_pair g_syscall_table[SYSCALL_TABLE_SIZE] = {
 #endif
 #ifdef __NR_send
 [__NR_send - SYSCALL_TABLE_ID0] = {UF_USED, PPME_SOCKET_SEND_E, PPME_SOCKET_SEND_X, PPM_SC_SEND},
+#endif
+#ifdef __NR_prctl
+ [__NR_prctl - SYSCALL_TABLE_ID0] = { UF_USED | UF_NEVER_DROP, PPME_SYSCALL_PRCTL_E, PPME_SYSCALL_PRCTL_X, PPM_SC_PRCTL },
 #endif
 [__NR_restart_syscall - SYSCALL_TABLE_ID0] = { .ppm_sc = PPM_SC_RESTART_SYSCALL },
 [__NR_exit - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_EXIT},
@@ -459,9 +462,6 @@ const struct syscall_evt_pair g_syscall_table[SYSCALL_TABLE_SIZE] = {
 [__NR_sched_get_priority_min - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SCHED_GET_PRIORITY_MIN},
 [__NR_sched_rr_get_interval - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_SCHED_RR_GET_INTERVAL},
 [__NR_mremap - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_MREMAP},
-#ifdef __NR_prctl
- [__NR_prctl - SYSCALL_TABLE_ID0] = { UF_USED | UF_NEVER_DROP, PPME_SYSCALL_PRCTL_E, PPME_SYSCALL_PRCTL_X, PPM_SC_PRCTL },
-#endif
 #ifdef __NR_arch_prctl
 [__NR_arch_prctl - SYSCALL_TABLE_ID0] = {.ppm_sc = PPM_SC_ARCH_PRCTL},
 #endif
diff --git a/userspace/libsinsp/events/sinsp_events_ppm_sc.cpp b/userspace/libsinsp/events/sinsp_events_ppm_sc.cpp
index 75b6e102b20..200285a9dff 100644
--- a/userspace/libsinsp/events/sinsp_events_ppm_sc.cpp
+++ b/userspace/libsinsp/events/sinsp_events_ppm_sc.cpp
@@ -392,6 +392,7 @@ libsinsp::events::set libsinsp::events::sinsp_repair_state_sc_set(c
 PPM_SC_SETSID,
 PPM_SC_SETUID,
 PPM_SC_SETUID32,
+ PPM_SC_PRCTL,
 };
 if ((flags & PPM_REPAIR_STATE_SC_NETWORK_BASE))
diff --git a/userspace/libsinsp/test/public_sinsp_API/ppm_sc_codes.cpp b/userspace/libsinsp/test/public_sinsp_API/ppm_sc_codes.cpp
index 115b7444756..62278f7f47d 100644
--- a/userspace/libsinsp/test/public_sinsp_API/ppm_sc_codes.cpp
+++ b/userspace/libsinsp/test/public_sinsp_API/ppm_sc_codes.cpp
@@ -202,6 +202,8 @@ const libsinsp::events::set expected_sinsp_state_event_set = {
 PPME_SYSCALL_EVENTFD2_X,
 PPME_SYSCALL_SIGNALFD4_E,
 PPME_SYSCALL_SIGNALFD4_X,
+ PPME_SYSCALL_PRCTL_E,
+ PPME_SYSCALL_PRCTL_X,
 };
 const libsinsp::events::set expected_sinsp_state_sc_set = {
@@ -267,6 +269,7 @@ const libsinsp::events::set expected_sinsp_state_sc_set = {
 PPM_SC_EPOLL_CREATE,
 PPM_SC_EPOLL_CREATE1,
 PPM_SC_SCHED_PROCESS_EXIT,
+ PPM_SC_PRCTL,
 };
 const libsinsp::events::set expected_unknown_event_set = {