Fix ringbuf reserve size mismatch in uprobe_finish_op

xtrusia · xtrusia · commit fe5f6bf82913 · 2026-03-28T03:56:51.000Z
bpf_ringbuf_reserve() was using sizeof(struct op_v) but the code
copies a struct client_op_v into the reserved buffer. With the
acting[] array expansion this became a detectable OOB write caught
by the BPF verifier.

Signed-off-by: Seyeong Kim &lt;seyeong.kim@canonical.com&gt;
diff --git a/src/radostrace.bpf.c b/src/radostrace.bpf.c
@@ -320,7 +320,7 @@ int uprobe_finish_op(struct pt_regs *ctx) {
   opv->finish_stamp = bpf_ktime_get_boot_ns();
   opv->pid = get_pid();
   // submit to ringbuf
-  struct client_op_v *e = bpf_ringbuf_reserve(&rb, sizeof(struct op_v), 0);
+  struct client_op_v *e = bpf_ringbuf_reserve(&rb, sizeof(struct client_op_v), 0);
   if (NULL == e) {
     return 0;
   }

Original file line number	Diff line number	Diff line change
`@@ -320,7 +320,7 @@ int uprobe_finish_op(struct pt_regs *ctx) {`
`320`	`320`	`opv->finish_stamp = bpf_ktime_get_boot_ns();`
`321`	`321`	`opv->pid = get_pid();`
`322`	`322`	`// submit to ringbuf`
`323`		`- struct client_op_v *e = bpf_ringbuf_reserve(&rb, sizeof(struct op_v), 0);`
	`323`	`+ struct client_op_v *e = bpf_ringbuf_reserve(&rb, sizeof(struct client_op_v), 0);`
`324`	`324`	`if (NULL == e) {`
`325`	`325`	`return 0;`
`326`	`326`	`}`