From: takahiro.akashi@linaro.org (AKASHI Takahiro)
To: linux-arm-kernel@lists.infradead.org
Subject: [PATCH v5 1/3] arm64: ptrace: reload a syscall number after ptrace operations
Date: Tue, 29 Jul 2014 15:49:47 +0900 [thread overview]
Message-ID: <53D7440B.10006@linaro.org> (raw)
In-Reply-To: <20140725110342.GD5269@arm.com>
On 07/25/2014 08:03 PM, Will Deacon wrote:
> On Fri, Jul 25, 2014 at 11:36:49AM +0100, AKASHI Takahiro wrote:
>> On 07/25/2014 12:01 AM, Andy Lutomirski wrote:
>>>>> If so, then you risk (at least) introducing
>>>>>
>>>>> a nice user-triggerable OOPS if audit is enabled.
>>>>
>>>>
>>>> Can you please elaborate this?
>>>> Since I didn't find any definition of audit's behavior when syscall is
>>>> rewritten to -1, I thought it is reasonable to skip "exit tracing" of
>>>> "skipped" syscall.
>>>> (otherwise, "fake" seems to be more appropriate :)
>>>
>>> The audit entry hook will oops if you call it twice in a row without
>>> calling the exit hook in between.
>>
>> Thank you, I could reproduce this problem which hits BUG(in_syscall) in
>> audit_syscall_entry(). Really bad, and I fixed it in my next version and
>> now a "skipped" system call is also traced by audit.
>
> Can you reproduce this on arch/arm/ too? If so, we should also fix the code
> there.
As far as I tried on arm with syscall auditing enabled,
1) Changing a syscall number to -1 under seccomp doesn't hit BUG_ON(in_syscall).
2) But, in fact, audit_syscall_entry() is NOT called in this case because
__secure_computing() returns -1 and then it causes the succeeding tracing
in syscall_trace_enter(), including audit_syscall_entry(), skipped.
3) On the other hand, calling syscall(-1) from userspace hits BUG_ON because
the return path, ret_slow_syscall, doesn't contain syscall_trace_exit().
4) When we re-write a syscall number to -1 without seccomp, we will also see
BUG_ON hit, although I didn't try yet.
Fixing case 3 is easy, but should we also fix case 2?
Please note that, even if we call audit_syscall_exit() in case 2 or 3, no log against
syscall -1 will be recorded because audit_filter_syscall() doesn't allow logging
for any syscall number which is greater than 2048.
This behavior was introduced by Andy's patch, a3c54931, in v3.16-rc.
If the intention of "-1" is to fake a system call, this behavior seems to be a bit odd.
Thanks,
-Takahiro AKASHI
> Will
>
WARNING: multiple messages have this Message-ID (diff)
From: AKASHI Takahiro <takahiro.akashi@linaro.org>
To: Will Deacon <will.deacon@arm.com>
Cc: Andy Lutomirski <luto@amacapital.net>,
Deepak Saxena <dsaxena@linaro.org>,
Will Drewry <wad@chromium.org>, Kees Cook <keescook@chromium.org>,
"linaro-kernel@lists.linaro.org" <linaro-kernel@lists.linaro.org>,
"linux-arm-kernel@lists.infradead.org"
<linux-arm-kernel@lists.infradead.org>,
Catalin Marinas <Catalin.Marinas@arm.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH v5 1/3] arm64: ptrace: reload a syscall number after ptrace operations
Date: Tue, 29 Jul 2014 15:49:47 +0900 [thread overview]
Message-ID: <53D7440B.10006@linaro.org> (raw)
In-Reply-To: <20140725110342.GD5269@arm.com>
On 07/25/2014 08:03 PM, Will Deacon wrote:
> On Fri, Jul 25, 2014 at 11:36:49AM +0100, AKASHI Takahiro wrote:
>> On 07/25/2014 12:01 AM, Andy Lutomirski wrote:
>>>>> If so, then you risk (at least) introducing
>>>>>
>>>>> a nice user-triggerable OOPS if audit is enabled.
>>>>
>>>>
>>>> Can you please elaborate this?
>>>> Since I didn't find any definition of audit's behavior when syscall is
>>>> rewritten to -1, I thought it is reasonable to skip "exit tracing" of
>>>> "skipped" syscall.
>>>> (otherwise, "fake" seems to be more appropriate :)
>>>
>>> The audit entry hook will oops if you call it twice in a row without
>>> calling the exit hook in between.
>>
>> Thank you, I could reproduce this problem which hits BUG(in_syscall) in
>> audit_syscall_entry(). Really bad, and I fixed it in my next version and
>> now a "skipped" system call is also traced by audit.
>
> Can you reproduce this on arch/arm/ too? If so, we should also fix the code
> there.
As far as I tried on arm with syscall auditing enabled,
1) Changing a syscall number to -1 under seccomp doesn't hit BUG_ON(in_syscall).
2) But, in fact, audit_syscall_entry() is NOT called in this case because
__secure_computing() returns -1 and then it causes the succeeding tracing
in syscall_trace_enter(), including audit_syscall_entry(), skipped.
3) On the other hand, calling syscall(-1) from userspace hits BUG_ON because
the return path, ret_slow_syscall, doesn't contain syscall_trace_exit().
4) When we re-write a syscall number to -1 without seccomp, we will also see
BUG_ON hit, although I didn't try yet.
Fixing case 3 is easy, but should we also fix case 2?
Please note that, even if we call audit_syscall_exit() in case 2 or 3, no log against
syscall -1 will be recorded because audit_filter_syscall() doesn't allow logging
for any syscall number which is greater than 2048.
This behavior was introduced by Andy's patch, a3c54931, in v3.16-rc.
If the intention of "-1" is to fake a system call, this behavior seems to be a bit odd.
Thanks,
-Takahiro AKASHI
> Will
>
next prev parent reply other threads:[~2014-07-29 6:49 UTC|newest]
Thread overview: 72+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-07-22 9:14 [PATCH v5 0/3] arm64: Add seccomp support AKASHI Takahiro
2014-07-22 9:14 ` AKASHI Takahiro
2014-07-22 9:14 ` [PATCH v5 1/3] arm64: ptrace: reload a syscall number after ptrace operations AKASHI Takahiro
2014-07-22 9:14 ` AKASHI Takahiro
2014-07-22 20:15 ` Kees Cook
2014-07-22 20:15 ` Kees Cook
2014-07-23 7:03 ` AKASHI Takahiro
2014-07-23 7:03 ` AKASHI Takahiro
2014-07-23 8:25 ` Will Deacon
2014-07-23 8:25 ` Will Deacon
2014-07-23 9:09 ` AKASHI Takahiro
2014-07-23 9:09 ` AKASHI Takahiro
2014-07-23 15:13 ` Kees Cook
2014-07-23 15:13 ` Kees Cook
2014-07-24 3:54 ` Andy Lutomirski
2014-07-24 3:54 ` Andy Lutomirski
2014-07-24 5:57 ` AKASHI Takahiro
2014-07-24 5:57 ` AKASHI Takahiro
2014-07-24 15:01 ` Andy Lutomirski
2014-07-24 15:01 ` Andy Lutomirski
2014-07-25 10:36 ` AKASHI Takahiro
2014-07-25 10:36 ` AKASHI Takahiro
2014-07-25 11:03 ` Will Deacon
2014-07-25 11:03 ` Will Deacon
2014-07-29 6:49 ` AKASHI Takahiro [this message]
2014-07-29 6:49 ` AKASHI Takahiro
2014-07-29 13:26 ` Will Deacon
2014-07-29 13:26 ` Will Deacon
2014-07-22 9:14 ` [PATCH v5 2/3] asm-generic: Add generic seccomp.h for secure computing mode 1 AKASHI Takahiro
2014-07-22 9:14 ` AKASHI Takahiro
2014-07-24 3:40 ` Andy Lutomirski
2014-07-24 3:40 ` Andy Lutomirski
2014-07-24 4:41 ` Kees Cook
2014-07-24 4:41 ` Kees Cook
2014-07-24 5:17 ` AKASHI Takahiro
2014-07-24 5:17 ` AKASHI Takahiro
2014-07-24 14:57 ` Andy Lutomirski
2014-07-24 14:57 ` Andy Lutomirski
2014-07-25 8:52 ` AKASHI Takahiro
2014-07-25 8:52 ` AKASHI Takahiro
2014-07-22 9:14 ` [PATCH v5 3/3] arm64: Add seccomp support AKASHI Takahiro
2014-07-22 9:14 ` AKASHI Takahiro
2014-07-24 3:52 ` Andy Lutomirski
2014-07-24 3:52 ` Andy Lutomirski
2014-07-24 5:40 ` AKASHI Takahiro
2014-07-24 5:40 ` AKASHI Takahiro
2014-07-24 15:00 ` Andy Lutomirski
2014-07-24 15:00 ` Andy Lutomirski
2014-07-24 15:16 ` Catalin Marinas
2014-07-24 15:16 ` Catalin Marinas
2014-07-25 9:37 ` AKASHI Takahiro
2014-07-25 9:37 ` AKASHI Takahiro
2014-08-05 15:08 ` Kees Cook
2014-08-05 15:08 ` Kees Cook
2014-08-08 7:35 ` AKASHI Takahiro
2014-08-08 7:35 ` AKASHI Takahiro
2014-08-11 9:24 ` Will Deacon
2014-08-11 9:24 ` Will Deacon
2014-08-12 6:57 ` AKASHI Takahiro
2014-08-12 6:57 ` AKASHI Takahiro
2014-08-12 9:40 ` Will Deacon
2014-08-12 9:40 ` Will Deacon
2014-08-12 11:17 ` AKASHI Takahiro
2014-08-12 11:17 ` AKASHI Takahiro
2014-08-15 14:33 ` Will Deacon
2014-08-15 14:33 ` Will Deacon
2014-07-22 20:16 ` [PATCH v5 0/3] " Kees Cook
2014-07-22 20:16 ` Kees Cook
2014-07-23 7:09 ` AKASHI Takahiro
2014-07-23 7:09 ` AKASHI Takahiro
2014-07-23 15:36 ` Kees Cook
2014-07-23 15:36 ` Kees Cook
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=53D7440B.10006@linaro.org \
--to=takahiro.akashi@linaro.org \
--cc=linux-arm-kernel@lists.infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.