From: Thomas Gleixner <tglx@kernel.org>
To: Jinjie Ruan <ruanjinjie@huawei.com>,
peterz@infradead.org, luto@kernel.org, kees@kernel.org,
wad@chromium.org, linux-kernel@vger.kernel.org
Cc: ruanjinjie@huawei.com
Subject: Re: [PATCH RESEND] entry: Fix seccomp bypass after ptrace with TSYNC
Date: Sun, 12 Jul 2026 12:08:53 +0200 [thread overview]
Message-ID: <874ii4r03u.ffs@fw13> (raw)
In-Reply-To: <20260709073030.3844316-1-ruanjinjie@huawei.com>
On Thu, Jul 09 2026 at 15:30, Jinjie Ruan wrote:
> Sashiko review pointed out the following issue[1].
>
> If a thread is stopped in syscall_trace_enter() for ptrace, another
> thread can install a seccomp filter with SECCOMP_FILTER_FLAG_TSYNC
> (e.g., via seccomp_attach_filter()). This will successfully set
> SYSCALL_WORK_SECCOMP on the stopped thread, but syscall_trace_enter()
> evaluates a cached 'work' variable sampled on entry. Consequently,
> the subsequent check for SYSCALL_WORK_SECCOMP misses the newly
> assigned flag, and the filter is silently bypassed.
>
> This race condition could allow an unprivileged process to execute
> a prohibited system call (e.g., execve) that the newly installed filter
> was intended to block, especially since the tracer might have modified
> the system call number during the ptrace stop.
>
> Fix this by replacing the cached seccomp check with a call to
> seccomp_permit_syscall(), which re-reads the thread's up-to-date
> TIF_SECCOMP flag and thus correctly observes the flag if it was set
> during the ptrace stop.
No, we are not doing this unconditionally.
Thanks,
tglx
---
--- a/include/linux/entry-common.h
+++ b/include/linux/entry-common.h
@@ -98,6 +98,8 @@ static __always_inline long syscall_trac
ret = arch_ptrace_report_syscall_entry(regs);
if (ret || (work & SYSCALL_WORK_SYSCALL_EMU))
return -1L;
+ /* ptrace might have changed work flags */
+ work = READ_ONCE(current_thread_info()->syscall_work);
}
/* Do seccomp after ptrace, to catch any tracer changes. */
next prev parent reply other threads:[~2026-07-12 10:08 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-09 7:30 [PATCH RESEND] entry: Fix seccomp bypass after ptrace with TSYNC Jinjie Ruan
2026-07-12 10:08 ` Thomas Gleixner [this message]
2026-07-13 2:40 ` Jinjie Ruan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=874ii4r03u.ffs@fw13 \
--to=tglx@kernel.org \
--cc=kees@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=peterz@infradead.org \
--cc=ruanjinjie@huawei.com \
--cc=wad@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.