lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <6ff5d366-3a2d-089b-5ac7-e40b81a8664c@huawei.com>
Date: Wed, 28 Jan 2026 09:09:35 +0800
From: Jinjie Ruan <ruanjinjie@...wei.com>
To: Kevin Brodsky <kevin.brodsky@....com>, Will Deacon <will@...nel.org>
CC: <catalin.marinas@....com>, <oleg@...hat.com>, <tglx@...utronix.de>,
	<peterz@...radead.org>, <luto@...nel.org>, <shuah@...nel.org>,
	<kees@...nel.org>, <wad@...omium.org>, <macro@...am.me.uk>,
	<charlie@...osinc.com>, <akpm@...ux-foundation.org>, <ldv@...ace.io>,
	<anshuman.khandual@....com>, <mark.rutland@....com>, <thuth@...hat.com>,
	<song@...nel.org>, <ryan.roberts@....com>, <ada.coupriediaz@....com>,
	<broonie@...nel.org>, <liqiang01@...inos.cn>, <pengcan@...inos.cn>,
	<kmal@...k.li>, <dvyukov@...gle.com>, <richard.weiyang@...il.com>,
	<reddybalavignesh9979@...il.com>, <linux-arm-kernel@...ts.infradead.org>,
	<linux-kernel@...r.kernel.org>, <linux-kselftest@...r.kernel.org>
Subject: Re: [PATCH v10 05/16] arm64: ptrace: Move rseq_syscall() before
 audit_syscall_exit()



On 2026/1/27 23:06, Kevin Brodsky wrote:
> On 27/01/2026 12:34, Jinjie Ruan wrote:
>>> [...]
>>>
>>>>  I'm also concerned that rseq_debug_update_user_cs()
>>>> operates on instruction_pointer(regs) which is something that can be
>>>> chaned by ptrace.
>>> Isn't that true regardless of where rseq_syscall() is called on the
>>> syscall exit path, though?
>> My understanding is that if instruction_pointer(regs) is hijacked and
>> modified via ptrace at the syscall exit (ptrace_report_syscall_exit()),
>> this modification will not be observed by rseq. Specifically, in the
>> generic entry syscall exit path, rseq_syscall() is unable to detect such
>> a PC modification.
> 
> Good point. So concretely that means that currently on arm64, one could
> make the rseq debug check pass/fail by using the syscall exit trap to
> modify PC. OTOH this is impossible with generic entry because the rseq
> check is performed first. I'm not sure this is a feature anyone has even
> noticed, but it is a user-visible change indeed.

After digging into the ptrace code, I found that ptrace does not modify
instruction_pointer(regs) on the syscall exit path; it only changes the
return value as below.
Therefore, if my understanding is correct, Will's concern does not apply
here.

ptrace_set_syscall_info()
  -> ptrace_set_syscall_info_exit()
     -> syscall_set_return_value(child, regs, 0, rval)


Regards,
Jinjie

> 
> - Kevin
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ