tetragon: handle resolving null pointer

andrewstrohman · andrewstrohman · commit 1f40cfad3977 · 2025-11-10T16:31:05.000-08:00
Instead of following a null pointer, note that one was found so that the
selector does not determine a match against unrelated data in memory.

Signed-off-by: Andy Strohman &lt;astrohma@isovalent.com&gt;
diff --git a/bpf/lib/generic.h b/bpf/lib/generic.h
@@ -80,6 +80,7 @@ struct msg_generic_kprobe {
 #ifndef __V61_BPF_PROG
 	struct generic_path path;
 #endif
+	bool resolve_null_ptr[MAX_POSSIBLE_ARGS];
 };
 
 FUNC_INLINE size_t generic_kprobe_common_size(void)
diff --git a/bpf/process/generic_calls.h b/bpf/process/generic_calls.h
@@ -391,14 +391,20 @@ extract_arg_depth(u32 i, struct extract_arg_data *data)
 {
 	if (i >= MAX_BTF_ARG_DEPTH || !data->btf_config[i].is_initialized)
 		return 1;
+	/* NULL pointer */
+	if (*data->arg == 0) {
+		*data->null_ptr_found = true;
+		return 1;
+	}
 	*data->arg = *data->arg + data->btf_config[i].offset;
 	if (data->btf_config[i].is_pointer)
 		probe_read((void *)data->arg, sizeof(char *), (void *)*data->arg);
 	return 0;
 }
 
 #ifdef __LARGE_BPF_PROG
-FUNC_INLINE void extract_arg(struct event_config *config, int index, unsigned long *a)
+FUNC_INLINE void extract_arg(struct event_config *config, int index, unsigned long *a,
+			     bool *null_ptr_found)
 {
 	struct config_btf_arg *btf_config;
 
@@ -413,6 +419,7 @@ FUNC_INLINE void extract_arg(struct event_config *config, int index, unsigned lo
 		struct extract_arg_data extract_data = {
 			.btf_config = btf_config,
 			.arg = a,
+			.null_ptr_found = null_ptr_found,
 		};
 #ifndef __V61_BPF_PROG
 #pragma unroll
@@ -426,7 +433,8 @@ FUNC_INLINE void extract_arg(struct event_config *config, int index, unsigned lo
 	}
 }
 #else
-FUNC_INLINE void extract_arg(struct event_config *config, int index, unsigned long *a) {}
+FUNC_INLINE void extract_arg(struct event_config *config, int index, unsigned long *a,
+			     bool *null_ptr_found) {}
 #endif /* __LARGE_BPF_PROG */
 
 FUNC_INLINE int arg_idx(int index)
@@ -471,9 +479,11 @@ FUNC_INLINE long generic_read_arg(void *ctx, int index, long off, struct bpf_map
 	ty = config->arg[index];
 	am = config->arm[index];
 
+	e->resolve_null_ptr[index] = false;
+
 #if defined(GENERIC_TRACEPOINT) || defined(GENERIC_USDT)
 	a = (&e->a0)[index];
-	extract_arg(config, index, &a);
+	extract_arg(config, index, &a, &e->resolve_null_ptr[index]);
 #else
 	arg_index = config->idx[index];
 	asm volatile("%[arg_index] &= %1 ;\n"
@@ -491,7 +501,7 @@ FUNC_INLINE long generic_read_arg(void *ctx, int index, long off, struct bpf_map
 	else
 		a = (&e->a0)[arg_index];
 
-	extract_arg(config, index, &a);
+	extract_arg(config, index, &a, &e->resolve_null_ptr[index]);
 
 	if (should_offload_path(ty))
 		return generic_path_offload(ctx, ty, a, index, off, tailcals);
diff --git a/bpf/process/types/basic.h b/bpf/process/types/basic.h
@@ -184,6 +184,7 @@ struct config_usdt_arg {
 struct extract_arg_data {
 	struct config_btf_arg *btf_config;
 	unsigned long *arg;
+	bool *null_ptr_found;
 };
 
 #define MAX_BTF_ARG_DEPTH	  10
@@ -2024,6 +2025,9 @@ selector_arg_offset(__u8 *f, struct msg_generic_kprobe *e, __u32 selidx,
 		if (index > 5)
 			return 0;
 
+		if (e->resolve_null_ptr[index])
+			return 0;
+
 		args = get_arg(e, index);
 		switch (filter->type) {
 		case fd_ty:
