| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <1409910393-30896-1-git-send-email-takahiro.akashi@linaro.org>
Date: Fri, 5 Sep 2014 18:46:33 +0900
From: AKASHI Takahiro <takahiro.akashi@...aro.org>
To: linux@....linux.org.uk, will.deacon@....com
Cc: viro@...iv.linux.org.uk, eparis@...hat.com, rgb@...hat.com,
dsaxena@...aro.org, linux-arm-kernel@...ts.infradead.org,
linaro-kernel@...ts.linaro.org, linux-kernel@...r.kernel.org,
linux-audit@...hat.com,
AKASHI Takahiro <takahiro.akashi@...aro.org>
Subject: [PATCH] arm: prevent BUG_ON in audit_syscall_entry()
BUG_ON() in audit_syscall_entry() will be hit if user issues syscall(-1)
while syscall auditing is enabled (that is, by starting auditd).
In fact, syscall(-1) just fails (not signaled despite the expectation,
this is another minor bug), but the succeeding syscall hits BUG_ON.
When auditing syscall(-1), audit_syscall_entry() is called anyway, but
audit_syscall_exit() is not called and then 'in_syscall' flag in thread's
audit context is kept on. In this way, audit_syscall_entry() against
the succeeding syscall will see BUG_ON(in_syscall).
This patch fixes this bug by
1) enforcing syscall exit tracing, including audit_syscall_exit(), to be
executed in all cases,
2) handling user-issued syscall(-1) with arm_syscall().
Signed-off-by: AKASHI Takahiro <takahiro.akashi@...aro.org>
---
arch/arm/kernel/entry-common.S | 4 ++--
arch/arm/kernel/ptrace.c | 10 +++++++++-
2 files changed, 11 insertions(+), 3 deletions(-)
diff --git a/arch/arm/kernel/entry-common.S b/arch/arm/kernel/entry-common.S
index e52fe5a..28d3931 100644
--- a/arch/arm/kernel/entry-common.S
+++ b/arch/arm/kernel/entry-common.S
@@ -426,7 +426,6 @@ ENTRY(vector_swi)
local_restart:
ldr r10, [tsk, #TI_FLAGS] @ check for syscall tracing
stmdb sp!, {r4, r5} @ push fifth and sixth args
-
tst r10, #_TIF_SYSCALL_WORK @ are we tracing syscalls?
bne __sys_trace
@@ -476,10 +475,11 @@ __sys_trace:
cmp scno, #-1 @ skip the syscall?
bne 2b
add sp, sp, #S_OFF @ restore stack
- b ret_slow_syscall
+ b __sys_trace_return_skipped
__sys_trace_return:
str r0, [sp, #S_R0 + S_OFF]! @ save returned r0
+__sys_trace_return_skipped:
mov r0, sp
bl syscall_trace_exit
b ret_slow_syscall
diff --git a/arch/arm/kernel/ptrace.c b/arch/arm/kernel/ptrace.c
index 0c27ed6..f3339c8 100644
--- a/arch/arm/kernel/ptrace.c
+++ b/arch/arm/kernel/ptrace.c
@@ -928,9 +928,13 @@ static void tracehook_report_syscall(struct pt_regs *regs,
regs->ARM_ip = ip;
}
+extern int arm_syscall(int, struct pt_regs *);
+
asmlinkage int syscall_trace_enter(struct pt_regs *regs, int scno)
{
- current_thread_info()->syscall = scno;
+ int orig_scno;
+
+ current_thread_info()->syscall = orig_scno = scno;
/* Do the secure computing check first; failures should be fast. */
if (secure_computing(scno) == -1)
@@ -947,6 +951,10 @@ asmlinkage int syscall_trace_enter(struct pt_regs *regs, int scno)
audit_syscall_entry(AUDIT_ARCH_ARM, scno, regs->ARM_r0, regs->ARM_r1,
regs->ARM_r2, regs->ARM_r3);
+ /* user-issued syscall of -1 */
+ if (scno == -1 && orig_scno == -1)
+ arm_syscall(scno, regs);
+
return scno;
}
--
1.7.9.5
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists