Verifier error: variable stack access var_off

Brendan Gregg

I'm hoping someone knows a workaround here.

I have a char buf[128] and I'd like to write to arbitrary offsets, but
keep hitting this error. Any workaround? I've included a sample bcc
program below, which has a block comment as to what I'm trying to do
(join an argv[]). Thanks,

# From execsnoop (bcc/eBPF).

from __future__ import print_function
from bcc import BPF
from bcc.utils import ArgString, printb
import bcc.utils as utils
import argparse
import ctypes as ct
import re
import time

# arguments
examples = """examples:
./execsnoop # trace all exec() syscalls
parser = argparse.ArgumentParser(
description="Trace exec() syscalls",
parser.add_argument("--ebpf", action="store_true",
args = parser.parse_args()

# define BPF program
bpf_text = """
#include <uapi/linux/ptrace.h>
#include <linux/sched.h>
#include <linux/fs.h>

#define ARGSIZE 128

struct data_t {
char argv[ARGSIZE];


// Here's what I'm trying to do. Let's say this has:
// __argv[0] = "ls"
// __argv[1] = "-l"
// I'm trying to create a buffer with "ls -l", by doing bpf_probe_read_str() for
// each element into the buffer, while keeping track of the length of
// the previous read so I can insert a space delimiter at that offset,
// and begin the next read after the delimiter.
int syscall__execve(struct pt_regs *ctx,
const char __user *filename,
const char __user *const __user *__argv,
const char __user *const __user *__envp)
struct data_t data = {};
uint64_t max = sizeof(data.argv);
const char *argp = NULL;
bpf_probe_read(&argp, sizeof(argp), (void *)&__argv[0]);
uint64_t len = bpf_probe_read_str(&data.argv, max, argp);
len &= 0xffffffff; // to avoid: "math between fp pointer and register errs"
bpf_trace_printk("len: %d\\n", len); // sanity check: len is indeed valid

data.argv[len] = ' ';
// XXX this fails with:
// "variable stack access var_off=(0x0; 0xffffffff) off=-128 size=1"
// how do I fix this?

// events.perf_submit(ctx, &data, len);
// XXX this fails with:
// "R5 min value is negative, either use unsigned or 'var &= const'"
// how do I fix this? In the meantime, I'm passing the whole buffer out:
events.perf_submit(ctx, &data, sizeof(data.argv));
return 0;

if args.ebpf:

# initialize BPF
b = BPF(text=bpf_text)
execve_fnname = b.get_syscall_fnname("execve")
b.attach_kprobe(event=execve_fnname, fn_name="syscall__execve")

ARGSIZE = 128 # should match #define in C above

class Data(ct.Structure):
_fields_ = [
("argv", ct.c_char * ARGSIZE),


# process event
def print_event(cpu, data, size):
event = ct.cast(data, ct.POINTER(Data)).contents
printb(b"%s" % event.argv)

# loop with callback to print_event
while 1:

Join to automatically receive all group messages.