From: Tony Jones <tonyj@suse.de>
To: Paul Moore <paul.moore@hp.com>
Cc: linux-audit@redhat.com
Subject: Re: Audit not recording the correct syscall return value in Fedora 10?
Date: Tue, 5 May 2009 11:08:45 -0700
Message-ID: <20090505180845.GA8722@suse.de>
In-Reply-To: <200904071134.35379.paul.moore@hp.com>

On Tue, Apr 07, 2009 at 11:34:35AM -0400, Paul Moore wrote:
> While doing some testing on Fedora 10 using the 2.6.27.5-117.fc10.x86_64 
> kernel I stumbled across a rather odd problem: somewhere between the end of 
> sys_sendto() and audit_syscall_exit() the syscall's return value was changing 
> resulting in incorrect audit records (similar problems with sys_sendmsg()).  
> After some head scratching and debugging I determined that the %rax register 
> was being altered at some point and if we reloaded the syscall's return value 
> from the stack before calling audit_syscall_exit() we could avoid the problem 
> (see patch below).
> 
> I also tried to reproduce the problem with a vanilla 2.6.29.1 kernel and after 
> several hours of testing I have yet to see the problem using the newer, 
> upstream kernel.  Taking a look at the entry_64.S files of the two kernels 
> there appear to be a number of changes, the most significant are the tracing 
> changes but I'm not familiar enough with this chunk of code to identify the 
> definitive root cause (although, tracing changes does sound reasonable).
> 
> Does anyone have any thoughts?

I have seen a similar issue with the init_module syscall on x86_64.  I have an 
open bug on it.

for i in `seq 1 100`; do
    cat /dev/null > /var/log/audit/audit.log   # empty the log so ausearch only sees this iteration
    rmmod dummy
    rcauditd restart
    auditctl -a entry,always -S init_module      # audit every init_module call
    modprobe dummy
    ausearch -c modprobe                         # show the SYSCALL record for this modprobe
done

Randomly you'll get a bogus return code in audit, on a DL375 needed 1000 iter
to reproduce.

type=SYSCALL msg=audit(1235061247.598:22697): arch=c000003e syscall=175
success=no exit=1490771928 a0=7fe11dc61000 a1=1e08 a2=61a1e0 a3=61a1e0 items=0
ppid=31342 pid=8313 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=pts3 ses=2 comm="modprobe" exe="/sbin/modprobe" key=(null)

I keep meaning to get back to debugging it.

Tony
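When triaging records like the one above, a cheap sanity check is to cross-check success= against exit=: a failed syscall should carry -errno, which on x86_64 lies in [-4095, -1], so anything else next to success=no is suspect (and so is a -errno next to success=yes). This is an added example, not code from this thread or from the audit userspace tools; the sample records are constructed, the first one modelled on the record quoted above.

```python
import re

# key=value pairs in a raw audit.log record, quoted (comm="modprobe")
# or bare (exit=1490771928, key=(null)).
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# A failed syscall returns -errno, i.e. a value in [-4095, -1]; this is
# the window the x86_64 syscall return convention reserves for errors.
ERRNO_MIN, ERRNO_MAX = -4095, -1

def parse_record(line):
    # Parse one raw audit record into a dict of its key=value fields.
    fields = {}
    for key, value in _KV_RE.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # strip quotes from comm="..." / exe="..."
        fields[key] = value
    return fields

def check_exit_consistency(line):
    """None if the SYSCALL record's success/exit pair is plausible, else a reason."""
    rec = parse_record(line)
    if rec.get("type") != "SYSCALL":
        return None  # only SYSCALL records carry success=/exit=
    try:
        exit_code = int(rec.get("exit", ""))
    except ValueError:
        return "exit=%r is not an integer" % rec.get("exit")
    is_errno = ERRNO_MIN <= exit_code <= ERRNO_MAX
    if rec.get("success") == "no" and not is_errno:
        return "success=no but exit=%d is not a -errno value" % exit_code
    if rec.get("success") == "yes" and is_errno:
        return "success=yes but exit=%d looks like -errno" % exit_code
    return None

def find_suspect_records(lines):
    """(syscall number, reason) for every record that fails the check."""
    found = [(parse_record(l).get("syscall"), check_exit_consistency(l)) for l in lines]
    return [(sc, reason) for sc, reason in found if reason]

# Constructed samples: the first mirrors the bogus init_module (syscall 175)
# record quoted above; the other two show what sane records look like.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1235061247.598:22697): arch=c000003e syscall=175 '
    'success=no exit=1490771928 a0=7fe11dc61000 pid=8313 comm="modprobe" exe="/sbin/modprobe"',
    'type=SYSCALL msg=audit(1235061300.100:22698): arch=c000003e syscall=175 '
    'success=yes exit=0 pid=8320 comm="modprobe" exe="/sbin/modprobe"',
    'type=SYSCALL msg=audit(1235061301.200:22699): arch=c000003e syscall=175 '
    'success=no exit=-17 pid=8321 comm="modprobe" exe="/sbin/modprobe"',
]
```

Running find_suspect_records over a real audit.log flags only records whose exit value cannot have produced the recorded success flag, which is exactly the symptom this thread describes.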
