ROX-29474: StackRox fixes for 0.23.1 upgrade

  - Fix BPF verifier failures on older kernels (4.18)
  - Use volatile on push__bytebuf len_to_read for 32-bit bounds
  - Stub out t1/t2_execveat_x (not subscribed by collector)
  - Use BPF_CORE_READ_INTO for cred reads
  - Disable TOCTOU 64-bit progs for missing syscalls (e.g. openat2)
  - Skip fd-based execs (/dev/fd/N) in exepath fallback
  - Fix exepath resolution without enter events (bprm->filename)

  Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: Stringy

driver/modern_bpf/CMakeLists.txt

@@ -260,11 +260,19 @@ file(GLOB_RECURSE BPF_C_FILES CONFIGURE_DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/*.bp
 # Generate the events dimensions file generator executable.
 # ##################################################################################################
 
+# Compile driver sources directly instead of linking scap_event_schema to
+# avoid a cyclic dependency: scap_event_schema -> scap -> pman ->
+# ProbeSkeleton -> EventsDimensions -> events_dimensions_generator.
 add_executable(
-	events_dimensions_generator ${CMAKE_CURRENT_SOURCE_DIR}/definitions/generator/generator.cpp
+	events_dimensions_generator
+	${CMAKE_CURRENT_SOURCE_DIR}/definitions/generator/generator.cpp
+	${LIBS_DIR}/driver/event_table.c
+	${LIBS_DIR}/driver/flags_table.c
+	${LIBS_DIR}/driver/dynamic_params_table.c
+)
+target_include_directories(events_dimensions_generator PRIVATE
+	${LIBS_DIR} ${LIBS_DIR}/userspace ${PROJECT_BINARY_DIR}
 )
-target_link_libraries(events_dimensions_generator PRIVATE scap_event_schema)
-add_dependencies(events_dimensions_generator scap_event_schema)
 
 # ##################################################################################################
 # Generate the events dimensions file.

driver/modern_bpf/helpers/extract/extract_from_kernel.h

@@ -380,7 +380,7 @@ static __always_inline uint64_t extract__capability(struct task_struct *task,
 	unsigned long capability;
 	const struct cred *task_cred;
 
-	READ_TASK_FIELD_INTO(&task_cred, task, cred);
+	BPF_CORE_READ_INTO(&task_cred, task, cred);
 
 	if(task_cred == NULL)
 		return 0;
@@ -744,7 +744,7 @@ static __always_inline void extract__euid(struct task_struct *task, uint32_t *eu
 	const struct cred *task_cred;
 	*euid = UINT32_MAX;
 
-	READ_TASK_FIELD_INTO(&task_cred, task, cred);
+	BPF_CORE_READ_INTO(&task_cred, task, cred);
 
 	if(task_cred == NULL)
 		return;
@@ -760,8 +760,9 @@ static __always_inline void extract__euid(struct task_struct *task, uint32_t *eu
  */
 static __always_inline void extract__egid(struct task_struct *task, uint32_t *egid) {
 	const struct cred *task_cred;
+	*egid = UINT32_MAX;
 
-	READ_TASK_FIELD_INTO(&task_cred, task, cred);
+	BPF_CORE_READ_INTO(&task_cred, task, cred);
 
 	if(task_cred == NULL)
 		return;
@@ -914,7 +915,7 @@ static __always_inline bool groups_search(struct task_struct *task, uint32_t grp
 	struct group_info *group_info = NULL;
 	const struct cred *task_cred;
 
-	READ_TASK_FIELD_INTO(&task_cred, task, cred);
+	BPF_CORE_READ_INTO(&task_cred, task, cred);
 
 	if(task_cred == NULL)
 		return false;
@@ -970,11 +971,11 @@ static __always_inline bool extract__exe_writable(struct task_struct *task, stru
 	uint32_t fsgid;
 	const struct cred *task_cred;
 
-	READ_TASK_FIELD_INTO(&task_cred, task, cred);
+	BPF_CORE_READ_INTO(&task_cred, task, cred);
 
 	if(task_cred != NULL) {
-		READ_TASK_FIELD_INTO(&fsuid, task_cred, fsuid.val);
-		READ_TASK_FIELD_INTO(&fsgid, task_cred, fsgid.val);
+		BPF_CORE_READ_INTO(&fsuid, task_cred, fsuid.val);
+		BPF_CORE_READ_INTO(&fsgid, task_cred, fsgid.val);
 	}
 
 	/* HAS_UNMAPPED_ID() */

driver/modern_bpf/helpers/interfaces/toctou_mitigation.h

@@ -16,7 +16,19 @@ static __always_inline bool toctou_mitigation__sampling_logic_enter(uint32_t sys
 	 * - false: means don't drop the syscall
 	 * - true: means drop the syscall
 	 */
-	if(!maps__get_dropping_mode()) {
+
+	/* Do a single map lookup for capture_settings and access fields
+	 * directly. Multiple inlined calls to maps__get_capture_settings()
+	 * can cause clang to optimize away null checks after the first
+	 * lookup, which the BPF verifier rejects on kernels < 6.17 with
+	 * "R0 invalid mem access 'map_value_or_null'".
+	 */
+	struct capture_settings *settings = maps__get_capture_settings();
+	if(!settings) {
+		return false;
+	}
+
+	if(!settings->dropping_mode) {
 		return false;
 	}
 
@@ -31,7 +43,7 @@ static __always_inline bool toctou_mitigation__sampling_logic_enter(uint32_t sys
 	}
 
 	// If we are in the sampling period we drop the event.
-	if((bpf_ktime_get_boot_ns() % SECOND_TO_NS) >= (SECOND_TO_NS / maps__get_sampling_ratio())) {
+	if((bpf_ktime_get_boot_ns() % SECOND_TO_NS) >= (SECOND_TO_NS / settings->sampling_ratio)) {
 		return true;
 	}
 

driver/modern_bpf/programs/attached/dispatchers/syscall_exit.bpf.c

@@ -122,12 +122,18 @@ struct {
                 },
 };
 
-static __always_inline bool sampling_logic_exit(void *ctx, uint32_t id) {
+/* Accept a pre-looked-up capture_settings pointer to avoid multiple
+ * bpf_map_lookup_elem calls within the same BPF program. Clang can
+ * optimize away null checks on repeated lookups, which the BPF verifier
+ * rejects on kernels < 6.17 with "R0 invalid mem access 'map_value_or_null'".
+ */
+static __always_inline bool sampling_logic_exit(void *ctx, uint32_t id,
+                                                struct capture_settings *settings) {
 	/* If dropping mode is not enabled we don't perform any sampling
 	 * false: means don't drop the syscall
 	 * true: means drop the syscall
 	 */
-	if(!maps__get_dropping_mode()) {
+	if(!settings->dropping_mode) {
 		return false;
 	}
 
@@ -141,7 +147,7 @@ static __always_inline bool sampling_logic_exit(void *ctx, uint32_t id) {
 		return true;
 	}
 
-	if((bpf_ktime_get_boot_ns() % SECOND_TO_NS) >= (SECOND_TO_NS / maps__get_sampling_ratio())) {
+	if((bpf_ktime_get_boot_ns() % SECOND_TO_NS) >= (SECOND_TO_NS / settings->sampling_ratio)) {
 		/* If we are starting the dropping phase we need to notify the userspace, otherwise, we
 		 * simply drop our event.
 		 * PLEASE NOTE: this logic is not per-CPU so it is best effort!
@@ -221,11 +227,22 @@ int BPF_PROG(sys_exit, struct pt_regs *regs, long ret) {
 		return 0;
 	}
 
-	if(sampling_logic_exit(ctx, syscall_id)) {
+	/* Do a single map lookup for capture_settings and reuse the pointer
+	 * for both sampling_logic_exit() and drop_failed check. This avoids
+	 * multiple bpf_map_lookup_elem calls whose null checks can be
+	 * optimized away by clang, causing BPF verifier failures on
+	 * kernels < 6.17.
+	 */
+	struct capture_settings *settings = maps__get_capture_settings();
+	if(!settings) {
+		return 0;
+	}
+
+	if(sampling_logic_exit(ctx, syscall_id, settings)) {
 		return 0;
 	}
 
-	if(maps__get_drop_failed() && ret < 0) {
+	if(settings->drop_failed && ret < 0) {
 		return 0;
 	}
 

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/execve.bpf.c

@@ -131,6 +131,12 @@ int BPF_PROG(execve_x, struct pt_regs *regs, long ret) {
 
 SEC("tp_btf/sys_exit")
 int BPF_PROG(t1_execve_x, struct pt_regs *regs, long ret) {
+	/* ROX-31971: This tail call is never reached because execve_x returns
+	 * early for both success (ret == 0) and failure cases. Kept as a stub
+	 * to avoid exceeding the BPF verifier's 1M instruction limit on some
+	 * kernels (e.g. RHEL SAP 9.4).
+	 */
+#if 0
 	struct auxiliary_map *auxmap = auxmap__get();
 	if(!auxmap) {
 		return 0;
@@ -255,11 +261,14 @@ int BPF_PROG(t1_execve_x, struct pt_regs *regs, long ret) {
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	bpf_tail_call(ctx, &syscall_exit_extra_tail_table, T2_EXECVE_X);
+#endif
 	return 0;
 }
 
 SEC("tp_btf/sys_exit")
 int BPF_PROG(t2_execve_x, struct pt_regs *regs, long ret) {
+	/* ROX-31971: unreachable, see comment in t1_execve_x. */
+#if 0
 	struct auxiliary_map *auxmap = auxmap__get();
 	if(!auxmap) {
 		return 0;
@@ -294,6 +303,7 @@ int BPF_PROG(t2_execve_x, struct pt_regs *regs, long ret) {
 	auxmap__finalize_event_header(auxmap);
 
 	auxmap__submit_event(auxmap);
+#endif
 	return 0;
 }
 

driver/modern_bpf/programs/tail_called/events/syscall_dispatched_events/execveat.bpf.c

@@ -131,6 +131,12 @@ int BPF_PROG(execveat_x, struct pt_regs *regs, long ret) {
 
 SEC("tp_btf/sys_exit")
 int BPF_PROG(t1_execveat_x, struct pt_regs *regs, long ret) {
+	/* ROX-31971: This tail call contributes to exceeding the BPF verifier's
+	 * 1M instruction limit on some kernels (e.g. RHCOS 4.16, RHEL SAP 9.4).
+	 * Collector does not subscribe to execveat, so this code is not needed.
+	 * Kept as a stub so the program symbol exists in the skeleton.
+	 */
+#if 0
 	struct auxiliary_map *auxmap = auxmap__get();
 	if(!auxmap) {
 		return 0;
@@ -254,11 +260,14 @@ int BPF_PROG(t1_execveat_x, struct pt_regs *regs, long ret) {
 	/*=============================== COLLECT PARAMETERS  ===========================*/
 
 	bpf_tail_call(ctx, &syscall_exit_extra_tail_table, T2_EXECVEAT_X);
+#endif
 	return 0;
 }
 
 SEC("tp_btf/sys_exit")
 int BPF_PROG(t2_execveat_x, struct pt_regs *regs, long ret) {
+	/* ROX-31971: See comment on t1_execveat_x above. */
+#if 0
 	struct auxiliary_map *auxmap = auxmap__get();
 	if(!auxmap) {
 		return 0;
@@ -289,6 +298,7 @@ int BPF_PROG(t2_execveat_x, struct pt_regs *regs, long ret) {
 	auxmap__finalize_event_header(auxmap);
 
 	auxmap__submit_event(auxmap);
+#endif
 	return 0;
 }
 

userspace/libpman/src/lifecycle.c

@@ -128,7 +128,32 @@ int pman_prepare_progs_before_loading() {
 		progs[chosen_idx] = old_prog;
 	}
 
-	// Keep autoloading enabled for all TOCTOU mitigation 64 bit programs.
+	// Disable autoloading for TOCTOU mitigation 64-bit programs whose
+	// syscalls don't exist on this kernel (e.g. openat2 on kernels < 5.6).
+	// Without this, CO-RE relocations fail for missing BTF types.
+	for(int i = 0; i < TTM_MAX; i++) {
+		const char *prog_name = ttm_progs_table[i].ttm_64bit_prog.name;
+		if(prog_name == NULL) {
+			continue;
+		}
+		/* Check if the tracepoint exists: /sys/kernel/tracing/events/syscalls/sys_enter_<syscall>
+		 * The prog name is "<syscall>_e", so strip the "_e" suffix.
+		 */
+		char path[256];
+		snprintf(path, sizeof(path),
+		         "/sys/kernel/tracing/events/syscalls/sys_enter_%.*s",
+		         (int)(strlen(prog_name) - 2), prog_name);
+		if(access(path, F_OK) != 0) {
+			/* Also try debugfs mount point */
+			snprintf(path, sizeof(path),
+			         "/sys/kernel/debug/tracing/events/syscalls/sys_enter_%.*s",
+			         (int)(strlen(prog_name) - 2), prog_name);
+			if(access(path, F_OK) != 0) {
+				disable_prog_autoloading(msg, prog_name);
+			}
+		}
+	}
+
 	// Disable autoloading for unsupported TOCTOU mitigation ia-32 programs.
 	for(int i = 0; i < TTM_MAX; i++) {
 		const ttm_ia32_prog_t *ia32_progs = ttm_progs_table[i].ttm_ia32_progs;

userspace/libsinsp/parsers.cpp

@@ -1570,6 +1570,8 @@ void sinsp_parser::parse_execve_exit(sinsp_evt &evt, sinsp_parser_verdict &verdi
 		 * In older event versions we can only rely on our userspace reconstruction
 		 */
 
+		bool exepath_set = false;
+
 		// If we are not able to retrieve the enter event we can do nothing.
 		sinsp_evt *enter_evt = &m_tmp_evt;
 		if(retrieve_enter_event(*enter_evt, evt)) {
@@ -1659,6 +1661,29 @@ void sinsp_parser::parse_execve_exit(sinsp_evt &evt, sinsp_parser_verdict &verdi
 				}
 			}
 			evt.get_tinfo()->set_exepath(std::move(fullpath));
+			exepath_set = true;
+		}
+
+		/* Modern drivers no longer send enter events (marked EF_OLD_VERSION),
+		 * so the enter event reconstruction above will fail. Fall back to the
+		 * filename parameter (bprm->filename) from the exit event, which
+		 * contains the first argument to execve as provided by the caller.
+		 */
+		if(!exepath_set) {
+			/* Parameter 31: filename (type: PT_FSPATH) */
+			if(const auto filename_param = evt.get_param(30); !filename_param->empty()) {
+				std::string_view filename = filename_param->as<std::string_view>();
+				/* Skip fd-based execs (fexecve / container runtime re-exec).
+				 * These are intermediate exec steps; the real exec follows.
+				 */
+				if(filename != "<NA>" &&
+				   filename.substr(0, 8) != "/dev/fd/" &&
+				   filename.substr(0, 15) != "/proc/self/fd/") {
+					std::string fullpath = sinsp_utils::concatenate_paths(
+						evt.get_tinfo()->get_cwd(), filename);
+					evt.get_tinfo()->set_exepath(std::move(fullpath));
+				}
+			}
 		}
 	}
 
@@ -4271,7 +4296,7 @@ void sinsp_parser::parse_pidfd_getfd_exit(sinsp_evt &evt) const {
 	pidfd = evt.get_param(1)->as<int64_t>();
 
 	/* targetfd */
-	ASSERT(evt.get_param(2)->m_len == sizeof(int64_t));
+	ASSERT(evt.get_param(2)->len() == sizeof(int64_t));
 	ASSERT(evt.get_param_info(2)->type == PT_FD);
 	targetfd = evt.get_param(2)->as<int64_t>();
 

userspace/libsinsp/sinsp_public.h

@@ -22,6 +22,12 @@ limitations under the License.
 #ifndef ASSERT
 
 #include <assert.h>
+#include <stdio.h>
+
+#include <libscap/scap_log.h>
+
+// We expect the global logger_fn be provided from the outside
+extern falcosecurity_log_fn logger_fn;
 
 #ifdef _DEBUG
 
@@ -30,34 +36,36 @@ limitations under the License.
 #endif
 
 #ifdef ASSERT_TO_LOG
-#define ASSERT(X)                                              \
-	do {                                                       \
-		if(!(X)) {                                             \
-			libsinsp_logger()->format(sinsp_logger::SEV_DEBUG, \
-			                          "ASSERTION %s at %s:%d", \
-			                          #X,                      \
-			                          __FILE__,                \
-			                          __LINE__);               \
-		}                                                      \
+#define ASSERT(X)                                                                            \
+	do {                                                                                     \
+		if(!(X)) {                                                                           \
+			if(logger_fn != NULL) {                                                          \
+				char buf[512];                                                               \
+				snprintf(buf, sizeof(buf), "ASSERTION " #X " at %s:%d", __FILE__, __LINE__); \
+				logger_fn("libsinsp", buf, FALCOSECURITY_LOG_SEV_DEBUG);                      \
+			} else {                                                                         \
+				assert(X);                                                                   \
+			}                                                                                \
+		}                                                                                    \
 	} while(0)
 #else  // ASSERT_TO_LOG
-#define ASSERT(X) assert(X);
+#define ASSERT(X) assert(X)
 #endif  // ASSERT_TO_LOG
 
 #else  // _DEBUG
 
 #ifdef ASSERT_TO_LOG
-#define ASSERT(X)                                              \
-	do {                                                       \
-		if(!(X)) {                                             \
-			libsinsp_logger()->format(sinsp_logger::SEV_DEBUG, \
-			                          "ASSERTION %s at %s:%d", \
-			                          #X,                      \
-			                          __FILE__,                \
-			                          __LINE__);               \
-		}                                                      \
+#define ASSERT(X)                                                                            \
+	do {                                                                                     \
+		if(!(X)) {                                                                           \
+			if(logger_fn != NULL) {                                                          \
+				char buf[512];                                                               \
+				snprintf(buf, sizeof(buf), "ASSERTION " #X " at %s:%d", __FILE__, __LINE__); \
+				logger_fn("libsinsp", buf, FALCOSECURITY_LOG_SEV_DEBUG);                      \
+			}                                                                                \
+		}                                                                                    \
 	} while(0)
-#else
+#else  // ASSERT_TO_LOG
 #define ASSERT(X)
 #endif  // ASSERT_TO_LOG