lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <0f6212c1-7034-42f4-ba77-10e9ec52a4f5@arm.com>
Date: Tue, 27 Jan 2026 16:06:58 +0100
From: Kevin Brodsky <kevin.brodsky@....com>
To: Jinjie Ruan <ruanjinjie@...wei.com>, Will Deacon <will@...nel.org>
Cc: catalin.marinas@....com, oleg@...hat.com, tglx@...utronix.de,
 peterz@...radead.org, luto@...nel.org, shuah@...nel.org, kees@...nel.org,
 wad@...omium.org, macro@...am.me.uk, charlie@...osinc.com,
 akpm@...ux-foundation.org, ldv@...ace.io, anshuman.khandual@....com,
 mark.rutland@....com, thuth@...hat.com, song@...nel.org,
 ryan.roberts@....com, ada.coupriediaz@....com, broonie@...nel.org,
 liqiang01@...inos.cn, pengcan@...inos.cn, kmal@...k.li, dvyukov@...gle.com,
 richard.weiyang@...il.com, reddybalavignesh9979@...il.com,
 linux-arm-kernel@...ts.infradead.org, linux-kernel@...r.kernel.org,
 linux-kselftest@...r.kernel.org
Subject: Re: [PATCH v10 05/16] arm64: ptrace: Move rseq_syscall() before
 audit_syscall_exit()

On 27/01/2026 12:34, Jinjie Ruan wrote:
>> [...]
>>
>>>  I'm also concerned that rseq_debug_update_user_cs()
>>> operates on instruction_pointer(regs) which is something that can be
>>> chaned by ptrace.
>> Isn't that true regardless of where rseq_syscall() is called on the
>> syscall exit path, though?
> My understanding is that if instruction_pointer(regs) is hijacked and
> modified via ptrace at the syscall exit (ptrace_report_syscall_exit()),
> this modification will not be observed by rseq. Specifically, in the
> generic entry syscall exit path, rseq_syscall() is unable to detect such
> a PC modification.

Good point. So concretely that means that currently on arm64, one could
make the rseq debug check pass/fail by using the syscall exit trap to
modify PC. OTOH this is impossible with generic entry because the rseq
check is performed first. I'm not sure this is a feature anyone has even
noticed, but it is a user-visible change indeed.

- Kevin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ