From: Kees Cook <keescook@chromium.org>
To: Michael Ellerman <mpe@ellerman.id.au>
Cc: Thomas Gleixner <tglx@linutronix.de>,
Robert O'Callahan <rocallahan@gmail.com>,
LKML <linux-kernel@vger.kernel.org>,
"maintainer:X86 ARCHITECTURE (32-BIT AND 64-BIT)"
<x86@kernel.org>,
linux-arch@vger.kernel.org, Will Deacon <will@kernel.org>,
Arnd Bergmann <arnd@arndb.de>,
Mark Rutland <mark.rutland@arm.com>,
Keno Fischer <keno@juliacomputing.com>,
Paolo Bonzini <pbonzini@redhat.com>,
kvm list <kvm@vger.kernel.org>,
Gabriel Krisman Bertazi <krisman@collabora.com>,
Sean Christopherson <sean.j.christopherson@intel.com>,
Kyle Huey <me@kylehuey.com>
Subject: Re: [REGRESSION] x86/entry: Tracer no longer has opportunity to change the syscall number at entry via orig_ax
Date: Fri, 11 Sep 2020 11:58:30 -0700
Message-ID: <202009111156.660A7C2978@keescook>
In-Reply-To: <87a6xzrr89.fsf@mpe.ellerman.id.au>
On Wed, Sep 09, 2020 at 11:53:42PM +1000, Michael Ellerman wrote:
> Hi Thomas,
>
> Sorry if this was discussed already somewhere, but I didn't see anything ...
>
> Thomas Gleixner <tglx@linutronix.de> writes:
> > On Wed, Aug 19 2020 at 10:14, Kyle Huey wrote:
> >> tl;dr: after 27d6b4d14f5c3ab21c4aef87dd04055a2d7adf14 ptracer
> >> modifications to orig_ax in a syscall entry trace stop are not honored
> >> and this breaks our code.
> ...
> > diff --git a/kernel/entry/common.c b/kernel/entry/common.c
> > index 9852e0d62d95..fcae019158ca 100644
> > --- a/kernel/entry/common.c
> > +++ b/kernel/entry/common.c
> > @@ -65,7 +65,8 @@ static long syscall_trace_enter(struct pt_regs *regs, long syscall,
>
> Adding context:
>
> /* Do seccomp after ptrace, to catch any tracer changes. */
> if (ti_work & _TIF_SECCOMP) {
> ret = __secure_computing(NULL);
> if (ret == -1L)
> return ret;
> }
>
> if (unlikely(ti_work & _TIF_SYSCALL_TRACEPOINT))
> trace_sys_enter(regs, syscall);
>
> > syscall_enter_audit(regs, syscall);
> >
> > - return ret ? : syscall;
> > + /* The above might have changed the syscall number */
> > + return ret ? : syscall_get_nr(current, regs);
> > }
> >
> > noinstr long syscall_enter_from_user_mode(struct pt_regs *regs, long syscall)
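Review bot: the reload in `return ret ? : syscall_get_nr(current, regs);` comes too late for the two callers above it in the same function: `trace_sys_enter(regs, syscall)` and `syscall_enter_audit(regs, syscall)` are still handed the stale `syscall` argument, so a number rewritten by seccomp/ptrace at the entry stop is reported to the tracepoint and to audit under its original number while the kernel dispatches the new one. Suggest reloading `syscall = syscall_get_nr(current, regs);` directly after the seccomp block and passing that value to both calls, so that the tracepoint, audit and the dispatched syscall agree.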
>
> I noticed if the syscall number is changed by seccomp/ptrace, the
> original syscall number is still passed to trace_sys_enter() and audit.
>
> The old code used regs->orig_ax, so any change to the syscall number
> would be seen by the tracepoint and audit.
Ah! That's no good.
> I can observe the difference between v5.8 and mainline, using the
> raw_syscall trace event and running the seccomp_bpf selftest which turns
> a getpid (39) into a getppid (110).
>
> With v5.8 we see getppid on entry and exit:
>
> seccomp_bpf-1307 [000] .... 22974.874393: sys_enter: NR 110 (7ffff22c46e0, 40a350, 4, fffffffffffff7ab, 7fa6ee0d4010, 0)
> seccomp_bpf-1307 [000] .N.. 22974.874401: sys_exit: NR 110 = 1304
>
> Whereas on mainline we see an enter for getpid and an exit for getppid:
>
> seccomp_bpf-1030 [000] .... 21.806766: sys_enter: NR 39 (7ffe2f6d1ad0, 40a350, 7ffe2f6d1ad0, 0, 0, 407299)
> seccomp_bpf-1030 [000] .... 21.806767: sys_exit: NR 110 = 1027
>
>
> I don't know audit that well, but I think it saves the syscall number on
> entry, e.g. in __audit_syscall_entry(). So it will record the wrong
> syscall happening in this case I think.
>
> Seems like we should reload the syscall number before calling
> trace_sys_enter() & audit?
Agreed. I wonder what the best way to build a regression test for this
is... hmmm.
--
Kees Cook
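A user-space reproducer for the rewrite this thread is about, added here as an illustration and not code from the thread, the kernel, or the seccomp_bpf selftest: a tracer edits orig_rax at the syscall-entry stop so the child's getpid becomes getppid, and the child's return value tells whether the kernel honored it. Assumes x86_64 Linux with ptrace available; the function and enum names are the example's own.

```c
/* Added example (not from the thread or the kernel selftest): a tracer turns
 * getpid(2) into getppid(2) at the entry stop by editing orig_rax. x86_64 only. */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/wait.h>
enum redirect_result { REDIRECT_HONORED, REDIRECT_IGNORED, REDIRECT_UNAVAILABLE };
/* Tracee: hand control to the tracer, call getpid(), exit 0 if the kernel
 * actually ran getppid(), 1 if it ran getpid(), 2 if PTRACE_TRACEME failed. */
static void traced_child(pid_t parent)
{
    if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0)
        _exit(2);
    raise(SIGSTOP);
    _exit(syscall(SYS_getpid) == parent ? 0 : 1);
}
enum redirect_result ptrace_redirect_getpid(void)
{
#ifndef __x86_64__
    return REDIRECT_UNAVAILABLE;
#else
    pid_t me = getpid(), child = fork();
    int status = 0;
    if (child == 0)
        traced_child(me);
    /* First stop must be the SIGSTOP; anything else means ptrace was refused. */
    if (child < 0 || waitpid(child, &status, 0) < 0 || !WIFSTOPPED(status))
        return REDIRECT_UNAVAILABLE;
    for (;;) {
        struct user_regs_struct regs;
        ptrace(PTRACE_SYSCALL, child, NULL, NULL);   /* run to the next syscall stop */
        if (waitpid(child, &status, 0) < 0)
            return REDIRECT_UNAVAILABLE;
        if (WIFEXITED(status))
            return WEXITSTATUS(status) == 0 ? REDIRECT_HONORED
                 : WEXITSTATUS(status) == 1 ? REDIRECT_IGNORED : REDIRECT_UNAVAILABLE;
        if (!WIFSTOPPED(status) || ptrace(PTRACE_GETREGS, child, NULL, &regs) < 0)
            return REDIRECT_UNAVAILABLE;
        /* Entry stop for getpid (rax is -ENOSYS on entry): change the number the
         * kernel dispatches; trace_sys_enter and audit should see this one too. */
        if (regs.orig_rax == SYS_getpid && regs.rax == (unsigned long long)-ENOSYS) {
            regs.orig_rax = SYS_getppid;
            ptrace(PTRACE_SETREGS, child, NULL, &regs);
        }
    }
#endif
}
```

On v5.8 or a kernel carrying the fix this returns REDIRECT_HONORED; confirming that the raw_syscalls:sys_enter tracepoint records NR 110 rather than 39 would additionally need tracefs.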