fix: avoid verifier rejection for io event offset

kylewanginchina · kylewanginchina · commit c161d3605903 · 2026-03-14T16:11:41.000+08:00
diff --git a/agent/src/ebpf/kernel/socket_trace.bpf.c b/agent/src/ebpf/kernel/socket_trace.bpf.c
@@ -3216,24 +3216,33 @@ static __inline int output_iov_data_copy(const struct data_args_t *args,
 				 __u32 reassembly_bytes, __u32 copy_offset)
 {
 	__u32 __len = v->syscall_len > max_size ? max_size : v->syscall_len;
+	__u32 offset = copy_offset;
+
+	/*
+	 * IO event data is read from a map value buffer. The eBPF verifier
+	 * does not allow pointer arithmetic on map_value pointers with
+	 * unbounded offsets. IO events are not segmented, so force offset=0.
+	 */
+	if (v->source == DATA_SOURCE_IO_EVENT)
+		offset = 0;
 
 	/*
 	 * If data reassembly is enabled, the amount of data pushed must not
 	 * exceed the reassembly transmission limit.
 	 */
 	if (reassembly_bytes > 0)
 		__len = reassembly_bytes;
-	if (copy_offset >= __len)
+	if (offset >= __len)
 		return 0;
-	__len -= copy_offset;
+	__len -= offset;
 
 	/*
 	 * the bitwise AND operation will set the range of possible values for
 	 * the UNKNOWN_VALUE register to [0, BUFSIZE)
 	 */
 	__u32 len = __len & (sizeof(v->data) - 1);
 
-	len = iovecs_copy(v, v_buff, args, __len, len, copy_offset);
+	len = iovecs_copy(v, v_buff, args, __len, len, offset);
 	return len;
 }
 
@@ -3244,16 +3253,25 @@ static __inline int output_data_copy(const struct data_args_t *args,
 				     __u32 reassembly_bytes, char *buffer, __u32 copy_offset)
 {
 	__u32 __len = v->syscall_len > max_size ? max_size : v->syscall_len;
+	__u32 offset = copy_offset;
+
+	/*
+	 * IO event data is read from a map value buffer. The eBPF verifier
+	 * does not allow pointer arithmetic on map_value pointers with
+	 * unbounded offsets. IO events are not segmented, so force offset=0.
+	 */
+	if (v->source == DATA_SOURCE_IO_EVENT)
+		offset = 0;
 
 	/*
 	 * If data reassembly is enabled, the amount of data pushed must not
 	 * exceed the reassembly transmission limit.
 	 */
 	if (reassembly_bytes > 0)
 		__len = reassembly_bytes;
-	if (copy_offset >= __len)
+	if (offset >= __len)
 		return 0;
-	__len -= copy_offset;
+	__len -= offset;
 
 	/*
 	 * the bitwise AND operation will set the range of possible values for
@@ -3262,20 +3280,20 @@ static __inline int output_data_copy(const struct data_args_t *args,
 	__u32 len = __len & (sizeof(v->data) - 1);
 
 	if (vecs) {
-		len = iovecs_copy(v, v_buff, args, __len, len, copy_offset);
+		len = iovecs_copy(v, v_buff, args, __len, len, offset);
 		return len;
 	}
 
 	if (__len >= sizeof(v->data)) {
 		if (v->source != DATA_SOURCE_IO_EVENT) {
 			if (unlikely
 			    (bpf_probe_read_user
-			     (v->data, sizeof(v->data), buffer + copy_offset) != 0))
+			     (v->data, sizeof(v->data), buffer + offset) != 0))
 				return -1;
 		} else {
 			if (unlikely
 			    (bpf_probe_read_kernel
-			     (v->data, sizeof(v->data), buffer + copy_offset) != 0))
+			     (v->data, sizeof(v->data), buffer) != 0))
 				return -1;
 		}
 
@@ -3292,12 +3310,12 @@ static __inline int output_data_copy(const struct data_args_t *args,
 		 */
 		if (v->source != DATA_SOURCE_IO_EVENT) {
 			if (unlikely(bpf_probe_read_user(v->data,
-							 len + 1, buffer + copy_offset) != 0))
+							 len + 1, buffer + offset) != 0))
 				return -1;
 		} else {
 			if (unlikely(bpf_probe_read_kernel(v->data,
 							   len + 1,
-							   buffer + copy_offset) != 0))
+							   buffer) != 0))
 				return -1;
 		}
 	}
