Fix acting[] array out-of-bounds access in radostrace (#87)

* Fix acting[] array out-of-bounds access in radostrace

The acting[] array in client_op_v was defined with a fixed size of 6,
but the loop iterating over it used a hardcoded bound of 8, causing
out-of-bounds reads. Beyond fixing the mismatch, the array was too
small for real Ceph deployments.

Ceph caps the number of OSDs per PG at CEPH_PG_MAX_SIZE (16), defined
in src/include/rados.h. This applies to both replicated pools (max
size=10 enforced by OSDMonitor) and erasure-coded pools (k+m bounded
by CEPH_PG_MAX_SIZE). The Linux kernel client uses the same constant
to size its acting set arrays (struct ceph_osds in osdmap.h).

Changes:
- Define MAX_ACTING=16 macro in bpf_ceph_types.h, matching
  CEPH_PG_MAX_SIZE from Ceph's rados.h
- Use MAX_ACTING for acting[] array size and all loop bounds
- Move initialize_value() stack allocation to a .bss global
  (zero_val) to avoid BPF 512-byte stack limit, since client_op_v
  with acting[16] is ~434 bytes

Signed-off-by: Seyeong Kim <seyeong.kim@canonical.com>

* Fix ringbuf reserve size mismatch in uprobe_finish_op

bpf_ringbuf_reserve() was using sizeof(struct op_v) but the code
copies a struct client_op_v into the reserved buffer. With the
acting[] array expansion this became a detectable OOB write caught
by the BPF verifier.

Signed-off-by: Seyeong Kim <seyeong.kim@canonical.com>

---------

Signed-off-by: Seyeong Kim <seyeong.kim@canonical.com>

Author: xtrusia

src/bpf_ceph_types.h

@@ -12,6 +12,8 @@
 #define MSG_OSD_EC_READ 110
 #define MSG_OSD_EC_READ_REPLY 111
 
+#define MAX_ACTING 16
+
 #define CEPH_OSD_FLAG_READ 0x0010
 #define CEPH_OSD_FLAG_WRITE 0x0020
 
@@ -54,7 +56,7 @@ struct client_op_v {
   char object_name[128];
   __u64 m_pool;
   __u32 m_seed;
-  int acting[6];
+  int acting[MAX_ACTING];
   __u64 offset;
   __u64 length;
   __u16 ops[3];

src/radostrace.bpf.c

@@ -39,10 +39,10 @@ const volatile __u32 CEPH_OSD_OP_BUFFER_CARRIAGE_OFFSET = 0;
 const volatile __u32 CEPH_OSD_OP_BUFFER_RAW_OFFSET = 0;
 const volatile __u32 CEPH_OSD_OP_BUFFER_DATA_OFFSET = 0;
 
+static struct client_op_v zero_val = {};
+
 void initialize_value(struct client_op_k key) {
-  struct client_op_v val;
-  memset(&val, 0, sizeof(val));
-  bpf_map_update_elem(&ops, &key, &val, 0);
+  bpf_map_update_elem(&ops, &key, &zero_val, 0);
 }
 
 SEC("uprobe")
@@ -198,7 +198,7 @@ int uprobe_send_op(struct pt_regs *ctx) {
     return 0;
   }
 
-  for (int i = 0 ; i < 8; ++i) {
+  for (int i = 0 ; i < MAX_ACTING; ++i) {
     val->acting[i] = -1;
     if (M_start < m_finish) {
 	bpf_probe_read_user(&(val->acting[i]), sizeof(int), (void *)M_start);
@@ -320,7 +320,7 @@ int uprobe_finish_op(struct pt_regs *ctx) {
   opv->finish_stamp = bpf_ktime_get_boot_ns();
   opv->pid = get_pid();
   // submit to ringbuf
-  struct client_op_v *e = bpf_ringbuf_reserve(&rb, sizeof(struct op_v), 0);
+  struct client_op_v *e = bpf_ringbuf_reserve(&rb, sizeof(struct client_op_v), 0);
   if (NULL == e) {
     return 0;
   }

src/radostrace.cc

@@ -282,7 +282,7 @@ static int handle_event(void *ctx, void *data, size_t size) {
     acting_osd_list << "[";
     {
         bool first = true;
-        for (int i = 0; i < 8; ++i) {
+        for (int i = 0; i < MAX_ACTING; ++i) {
             if (op_v->acting[i] < 0) break;
             if (!first) acting_osd_list << ",";
             acting_osd_list << op_v->acting[i];