In a kretprobe/sys_read probe, I am trying to read the request buffer (user space) into a BPF_MAP_TYPE_ARRAY. The eBPF verifier throws the following error:
{"error": "field SyscallProbeRetRead: program syscall__probe_ret_read: load program: permission denied: invalid access to map value, value_size=70 off=0 size=16383: R1 min value is outside of the allowed memory range (truncated, 73 line(s) omitted)"}
Logic: if buf_size is greater than MAX_MSG_SIZE, then we read TRACE_PARENT_SIZE or less (depending on the size of the buffer) into seventy_bytes_array->data; otherwise, we do not read anything.
#define MAX_MSG_SIZE 16383
#define TRACE_PARENT_SIZE 70

SEC("kretprobe/sys_read")
int syscall__probe_ret_read(struct pt_regs *ctx)
{
    size_t buf_size = PT_REGS_RC(ctx);
    u64 id = bpf_get_current_pid_tgid();
    struct data_args_t *read_args = bpf_map_lookup_elem(&active_read_args_map, &id);
    if (read_args)
    {
        char *buf = read_args->buf; …
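
The error above reports a helper access of size=16383 against a map value of value_size=70. The following is an added example, not code from the post: a plain C model (not a loadable eBPF program) of that bounds check and of clamping the copy length to the destination size. The names range, clamp_max, map_value_access_ok and bounded_read are hypothetical, and the range-tracking model is a simplifying assumption.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_MSG_SIZE 16383      /* from the question */
#define TRACE_PARENT_SIZE 70    /* from the question; matches value_size=70 */

/* Simplified model (assumption): a scalar is tracked as a [umin, umax] range,
 * and a helper's destination is checked against the largest possible size. */
struct range { uint64_t umin, umax; };

/* Models `if (len > cap) len = cap;` applied to a tracked scalar. */
static struct range clamp_max(struct range r, uint64_t cap)
{
    if (r.umax > cap) r.umax = cap;
    if (r.umin > cap) r.umin = cap;
    return r;
}

/* Models the map-value check: off plus the worst-case size must fit. */
static bool map_value_access_ok(uint64_t value_size, uint64_t off, struct range size)
{
    return off <= value_size && size.umax <= value_size - off;
}

/* Runtime side of the same rule: copy at most dst_size bytes.
 * memcpy stands in for the probe-read helper. Returns bytes copied. */
static size_t bounded_read(char *dst, size_t dst_size, const char *src, long ret)
{
    if (ret <= 0)               /* failed or empty read(): nothing to copy */
        return 0;
    size_t n = (size_t)ret;
    if (n > dst_size)           /* bound by the destination, not MAX_MSG_SIZE */
        n = dst_size;
    memcpy(dst, src, n);
    return n;
}

int main(void)
{
    struct range len = { 0, MAX_MSG_SIZE };   /* bounded only by MAX_MSG_SIZE */
    char dst[TRACE_PARENT_SIZE], src[128] = { 0 };
    bool before = map_value_access_ok(TRACE_PARENT_SIZE, 0, len);
    bool after = map_value_access_ok(TRACE_PARENT_SIZE, 0, clamp_max(len, TRACE_PARENT_SIZE));
    size_t n = bounded_read(dst, sizeof dst, src, 128);
    return (!before && after && n == TRACE_PARENT_SIZE) ? 0 : 1;
}
```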