From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-20.2 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,MENTIONS_GIT_HOSTING,MSGID_FROM_MTA_HEADER,NICE_REPLY_A, SPF_HELO_NONE,SPF_PASS,USER_AGENT_SANE_1 autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 09BFCC433B4 for ; Wed, 12 May 2021 12:15:37 +0000 (UTC) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 28EEB61285 for ; Wed, 12 May 2021 12:15:36 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 28EEB61285 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=windriver.com Authentication-Results: mail.kernel.org; spf=tempfail smtp.mailfrom=linux-audit-bounces@redhat.com Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-300-3q36DAt-MIGQAszo-41gIw-1; Wed, 12 May 2021 08:15:32 -0400 X-MC-Unique: 3q36DAt-MIGQAszo-41gIw-1 Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.phx2.redhat.com [10.5.11.15]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 1DFAF802ED4; Wed, 12 May 2021 12:15:29 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id CE7BF5D6A8; Wed, 12 May 2021 12:15:27 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id E332A1800BB0; Wed, 12 May 2021 12:15:24 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id 14C8hVON030966 for ; Wed, 12 May 2021 04:43:32 -0400 Received: by smtp.corp.redhat.com (Postfix) id EEE9320B6650; Wed, 12 May 2021 08:43:30 +0000 (UTC) Received: from mimecast-mx02.redhat.com (mimecast06.extmail.prod.ext.rdu2.redhat.com [10.11.55.22]) by smtp.corp.redhat.com (Postfix) with ESMTPS id E895120B6657 for ; Wed, 12 May 2021 08:43:25 +0000 (UTC) Received: from us-smtp-1.mimecast.com (us-smtp-delivery-1.mimecast.com [207.211.31.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 9914F18E0925 for ; Wed, 12 May 2021 08:43:25 +0000 (UTC) Received: from NAM11-BN8-obe.outbound.protection.outlook.com (mail-bn8nam11on2049.outbound.protection.outlook.com [40.107.236.49]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-219-FatOqr12NkaHKTE5ZPf5-A-1; Wed, 12 May 2021 04:43:19 -0400 X-MC-Unique: FatOqr12NkaHKTE5ZPf5-A-1 Received: from MWHPR1101MB2351.namprd11.prod.outlook.com (2603:10b6:300:74::18) by MWHPR11MB2000.namprd11.prod.outlook.com (2603:10b6:300:2b::23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4129.25; Wed, 12 May 2021 08:43:16 +0000 Received: from MWHPR1101MB2351.namprd11.prod.outlook.com ([fe80::c156:455d:860e:ba87]) by MWHPR1101MB2351.namprd11.prod.outlook.com ([fe80::c156:455d:860e:ba87%4]) with mapi id 15.20.4129.026; Wed, 12 May 2021 08:43:16 +0000 Subject: Re: [PATCH v2 3/3] audit: Use syscall_get_return_value to get syscall return code in audit_syscall_exit To: Paul Moore References: <20210423103533.30121-1-zhe.he@windriver.com> <20210423103533.30121-3-zhe.he@windriver.com> From: He Zhe Message-ID: Date: Wed, 12 May 2021 16:43:08 +0800 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0 In-Reply-To: X-Originating-IP: [60.247.85.82] X-ClientProxiedBy: PH0PR07CA0012.namprd07.prod.outlook.com (2603:10b6:510:5::17) To MWHPR1101MB2351.namprd11.prod.outlook.com (2603:10b6:300:74::18) MIME-Version: 1.0 X-MS-Exchange-MessageSentRepresentingType: 1 Received: from [128.224.162.175] (60.247.85.82) by PH0PR07CA0012.namprd07.prod.outlook.com (2603:10b6:510:5::17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4108.25 via Frontend Transport; Wed, 12 May 2021 08:43:13 +0000 X-MS-PublicTrafficType: Email X-MS-Office365-Filtering-Correlation-Id: 8c69cdee-4e66-4df5-333c-08d91521fc2a X-MS-TrafficTypeDiagnostic: MWHPR11MB2000: X-Microsoft-Antispam-PRVS: X-MS-Oob-TLC-OOBClassifiers: OLM:9508 X-MS-Exchange-SenderADCheck: 1 X-Microsoft-Antispam: BCL:0 X-Microsoft-Antispam-Message-Info: jvfHk32XJYICkaAvtRbA0jzemMQnhy8EsAH4OHBYR3oBbgIDhZM9ponI8Ik3JPn8ta06pcJjCMMqA171MgcC3EIfH1G0w8XoohzAijeb74rwC+kgWVt2NNflFylUjECxBwfmhMHMuF6tzms69x6MncOcCTpI3Y0mO+EoP/JHZjmi9esNfoo8U5TekSGcbhINFH26EYagHzs0PTsdv4prorqLh9K9tScnoxSk4S2tWOoWSROj9HTJWsE/91WdvDE/rN7beOC6WQ5+xifmrY8ElgguTZUHZJP9uD+vxS5zc5MFExkgz1mKtwB3FGXclNCsYctBdqPME9tknV2LX03kA/3YU1KL6ck5kBH9S2a3OoVqrfQtINCNhk9fhMUQxCwMaq63ifA84DztVF9m+T9mrRDFaxg/rFGq+hTl6/v8uYsMriLsq2oyeRVMaFWK83rPuPsVCuChY4QgmMdaOwAzwjl00A2n3Re1Bxw2XciyV67E4fGu1LnT991+sAYfovYl7eoSpnYl1dPZhNbTHpB0D8kB5yyqsYx8jMJ2/ZxITniU8bHv36s/lEa/gl3s6ZIwoUu3iXo34FyucQSS0Id+wiNCR+67rM+ceUkyLVYFSK1sPnqnhPNXQ1AAgWDCtligkD5NmzTVQMvMOE2qtv08LMddZmh6xpkp+DAttLdTMBuC+VhmFPbF9105GUpUi71dXAxL6uzaIE0KHlyoP+WKm8H3MkLdQiCSliQ834cCYtInAaX0BWEsG9uInKcYQQe+OWDo55RWNX/zADAZ4EmUIeZ4D7XpLJOJuGAZiaMjXwGXnt4noSCRYRtaGnSDKzK7sXkWObSc/wQxj3E4qmpSWRpFGop65G2n7bFlpuFs3fs= X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:MWHPR1101MB2351.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(376002)(39850400004)(366004)(136003)(396003)(346002)(186003)(16526019)(5660300002)(2906002)(956004)(26005)(2616005)(6706004)(8936002)(478600001)(4326008)(66946007)(66476007)(66556008)(966005)(6486002)(8676002)(38100700002)(38350700002)(6916009)(16576012)(31696002)(53546011)(83380400001)(316002)(6666004)(31686004)(86362001)(52116002)(36756003)(78286007)(43740500002)(45980500001); DIR:OUT; SFP:1101 X-MS-Exchange-AntiSpam-MessageData: =?utf-8?B?NnZJL2w4ODVWSHp3Y2hrMzRKcFU3cSs1WFhwZU9uSVFHaWVaVmorclQ1eHBS?= =?utf-8?B?cGU4MExYNkJ4emJxcnJNSWd4U2xsTDhhQTF1U1B0azloUnBuRU8vemZnOWo3?= =?utf-8?B?bzlROUM2a3RNUDh6V1Ewck8zMFRQWWpyZFFMZWFwWUNKUEZUc2I2THB0RXYy?= =?utf-8?B?LzVaclE1dXErTmdvZkpwdW1IMlhaK1drYkhYbGVDYU9jdy84RCtLbkQvMUJy?= =?utf-8?B?dzc3MTMyWmtLWVdmT0VBOU5xQ2VrbzdwSXhQVUFTQkpMWVBBeHkrWWd4V2s4?= =?utf-8?B?WW5HdkNlMTFVdmNHdUVEYnlzSEVJMWFCRExkbS93THNkYVk0L2xsQlhIRW1W?= =?utf-8?B?QU5hbVoveEFmRC9KdDRqaGhPYUcvcldZL3Bja01NNit3dWZnYjAyUTRycWh4?= =?utf-8?B?ZlBaRm1kQlZSYUdDU1ljcStKZ1g1ZFpVekU0Q3JxY3BLZWRJanVqK25mU3lE?= =?utf-8?B?cWQ2VkNiNUVFRVYrVnd2dlBITEZaZTFwVUFRWXo2Z0lrTHpRTmlkY29ZbzlO?= =?utf-8?B?bnJ1eWlIOHBOMTVSRnhHNGY4VDQxOXRLL0tvSkR0RWEwNUVHdFlBcWZYVlFw?= =?utf-8?B?K1NtL0dVcEFCaUlBN2ZLa29UWUhkUmxyQ2JDMWZlOHpCWndQTjlhZFRLdE5G?= =?utf-8?B?MEQ1WkVtOEtSUERzVDlwb0IvVHRTbHBYS0dLNUJTTFJhT1ZJamFOUElsQVBC?= =?utf-8?B?N2dSSjF3WHNqanV2dWY5c29vTzdHNlkxaHEvNlNYeHREWVY2eU5nMnhJT21q?= =?utf-8?B?a3RKVXQ0aDNRQnkrZE5nS0FVUklRWDhXdXdMNUJUQlJ6VkdUdWNjK0QreDhM?= =?utf-8?B?bGEvRTZFTHcvdDZYWEwwQTY3VHM4OS94T1hmdysxUm1lbG5SWGE2dzRTUUQ4?= =?utf-8?B?Z3NnQ0JMQUhPSkNON2EvK3d4YXJJc2dNbFNVSTd2ZlFxYXNuS3J1cE1pYUZU?= =?utf-8?B?RlRQaEYxdXpnTXNnV3NCOUoweGVyeEs4RFVEQVpmTysvWGdDRHBsNE8wZWw5?= =?utf-8?B?clNsb3QzdjJzeCtGWUZEYmJyejBmU3pnTVFJQnNIWGQ5a0lqMGlWMmM4SUxK?= =?utf-8?B?RS9YaVNHT040cmhYeXBSZTlwaEFMSlNlUURCMGFkeHRVWHNvcW5pODc2ZlV2?= =?utf-8?B?WGFXOVUvd1ZTOGFCLzNhaE9WQjhBYTlVRll2aWt3UzJjYXpjTmw2T2kxQVZX?= =?utf-8?B?NEFVY01hd2VrU2F5TVIydlptYk5HM1R0ZmptRkdnVUhNcU1GdnJzUkUyQlVZ?= =?utf-8?B?aE9vYnZ2OXl2Vm1qN0FkTHNWTjlYTHZnZDV4eG9makM0S3ZINmQ0QzdySXpY?= =?utf-8?B?S2thYkw0TGd3dVRVM01RWUxCRDBQQ05XQmhMSnVoSFhHYmwvZ1lzSFlFWUhJ?= =?utf-8?B?aitVOVlxMkhzTG9YbndmaGljSHIzWjhsdk1jR294Skt0czJoamJmZ0EzYkJW?= =?utf-8?B?S2dsNmxuUllDQmxrTFI0VU9lOTR0V29aaUhlR3U1b2puSkl1N1A3WU90UzZm?= =?utf-8?B?L3MyeEpiRWIvVXpad2Z2SDBaa1JMUU11YVVXZWtVRVc2MDlKUUxqcEw3dm8y?= =?utf-8?B?SURiTnJURnZwUC9Td2RXR0cvNUpRZXgzM2tWcUl3YTZ4aDduU0U5VEN5aUF2?= =?utf-8?B?R1hzZkdsK3FIV2dRQW1CcVdxbUhCQTJZL3VYTGFLTjAwNU5rMDhFMnVVY2d5?= =?utf-8?B?ZVgrdjhJcEJweUdJa1ZPdUFUVzI4VHg3Si8rOGxldEpIQk1iT0pZV1NQaEpG?= =?utf-8?Q?xm0dB6GZFHfBA8FCA+ilYrwRknF2Qjh2AR0H9pe?= X-OriginatorOrg: windriver.com X-MS-Exchange-CrossTenant-Network-Message-Id: 8c69cdee-4e66-4df5-333c-08d91521fc2a X-MS-Exchange-CrossTenant-AuthSource: MWHPR1101MB2351.namprd11.prod.outlook.com X-MS-Exchange-CrossTenant-AuthAs: Internal X-MS-Exchange-CrossTenant-OriginalArrivalTime: 12 May 2021 08:43:16.2442 (UTC) X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted X-MS-Exchange-CrossTenant-Id: 8ddb2873-a1ad-4a18-ae4e-4644631433be X-MS-Exchange-CrossTenant-MailboxType: HOSTED X-MS-Exchange-CrossTenant-UserPrincipalName: vuz1kDDIbIpON1FMsjJNxVSLZdUM9zV/bMpd+8gaYyUubN4+rb/im4isAB17qSABgp4NdcCD3vVBLxUjZv4IqQ== X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR11MB2000 X-Mimecast-Impersonation-Protect: Policy=CLT - Impersonation Protection Definition; Similar Internal Domain=false; Similar Monitored External Domain=false; Custom External Domain=false; Mimecast External Domain=false; Newly Observed Domain=false; Internal User Name=false; Custom Display Name List=false; Reply-to Address Mismatch=false; Targeted Threat Dictionary=false; Mimecast Threat Dictionary=false; Custom Threat Dictionary=false X-Scanned-By: MIMEDefang 2.78 on 10.11.54.4 X-loop: linux-audit@redhat.com X-Mailman-Approved-At: Wed, 12 May 2021 08:15:01 -0400 Cc: catalin.marinas@arm.com, oleg@redhat.com, Eric Paris , linux-kernel@vger.kernel.org, linux-audit@redhat.com, will@kernel.org, linux-arm-kernel@lists.infradead.org X-BeenThere: linux-audit@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Linux Audit Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.15 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=linux-audit-bounces@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit On 5/11/21 10:51 PM, Paul Moore wrote: > On Mon, May 10, 2021 at 11:19 PM He Zhe wrote: >> On 5/11/21 6:38 AM, Paul Moore wrote: >>> On Fri, Apr 23, 2021 at 6:36 AM He Zhe wrote: >>>> regs_return_value for some architectures like arm64 simply retrieve >>>> register value from pt_regs without sign extension in 32-bit compatible >>>> case and cause audit to have false syscall return code. For example, >>>> 32-bit -13 would be treated as 4294967283 below. >>>> >>>> type=SYSCALL msg=audit(1611110715.887:582): arch=40000028 syscall=322 >>>> success=yes exit=4294967283 >>>> >>>> We just added proper sign extension in syscall_get_return_value which >>>> should be used instead. >>>> >>>> Signed-off-by: He Zhe >>>> --- >>>> v1 to v2: No change >>>> >>>> include/linux/audit.h | 2 +- >>>> 1 file changed, 1 insertion(+), 1 deletion(-) >>> Perhaps I missed it but did you address the compile error that was >>> found by the kernel test robot? >> I sent a patch adding syscall_get_return_value for alpha to fix this bot warning. >> https://lore.kernel.org/lkml/20210426091629.45020-1-zhe.he@windriver.com/ >> which can be found in this mail thread. > At the very least you should respin the patchset with the alpha fix > included in the patchset; it's a bit messy otherwise. > >>>> diff --git a/include/linux/audit.h b/include/linux/audit.h >>>> index 82b7c1116a85..135adbe22c19 100644 >>>> --- a/include/linux/audit.h >>>> +++ b/include/linux/audit.h >>>> @@ -334,7 +334,7 @@ static inline void audit_syscall_exit(void *pt_regs) >>>> { >>>> if (unlikely(audit_context())) { >>>> int success = is_syscall_success(pt_regs); >>> Since we are shifting to use syscall_get_return_value() below, would >>> it also make sense to shift to using syscall_get_error() here instead >>> of is_syscall_success()? >> In [PATCH v2 1/3], is_syscall_success calls syscall_get_return_value to take >> care of the sign extension issue. Keeping using is_syscall_success is to not >> potentially changing other architectures' behavior. > That was only for aarch64, right? What about all the other > architectures? The comment block for syscall_get_return_value() > advises that syscall_get_error() should be used and that appears to be > what is done in the ptrace code. Yes, it was only for aarch64. No similar issue hasn't observed for other architectures on my side, so I was trying to minimize the impact. The "comment block" you mentioned is the following line, right? https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/asm-generic/syscall.h#n77 [PATCH v2 2/3] was used to cover this concern. But as we can see in Mark Rutland's last reply, there'are more things to be considered and we are still trying to find a proper solution. Thanks, Zhe > -- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit