From: sashiko-bot@kernel.org
To: "Jinjie Ruan" <ruanjinjie@huawei.com>
Cc: "Vasily Gorbik" <gor@linux.ibm.com>,
linux-s390@vger.kernel.org, "Heiko Carstens" <hca@linux.ibm.com>,
"Alexander Gordeev" <agordeev@linux.ibm.com>
Subject: Re: [PATCH v16 05/18] arm64: ptrace: Expand secure_computing() in place
Date: Mon, 29 Jun 2026 13:29:13 +0000 [thread overview]
Message-ID: <20260629132914.1135C1F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260629130616.642022-6-ruanjinjie@huawei.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Open-coding the seccomp check using a cached `flags` variable creates a Time-of-Check to Time-of-Use (TOCTOU) vulnerability during ptrace stops, allowing a seccomp filter installed via TSYNC to be bypassed.
--
commit 138e96f2aef98ac6348b34ceeb3157f77bd0f2f7
Author: Jinjie Ruan <ruanjinjie@huawei.com>
arm64: ptrace: Expand secure_computing() in place
This commit refactors syscall_trace_enter() by open-coding the seccomp
check to align with the generic entry framework. It explicitly checks
the flags parameter for _TIF_SECCOMP instead of calling the wrapper.
> diff --git a/arch/arm64/kernel/ptrace.c b/arch/arm64/kernel/ptrace.c
> index 863083de37c37..30df515528e8f 100644
> --- a/arch/arm64/kernel/ptrace.c
> +++ b/arch/arm64/kernel/ptrace.c
> @@ -2420,8 +2420,10 @@ int syscall_trace_enter(struct pt_regs *regs, unsigned long flags)
[ ... ]
> /* Do the secure computing after ptrace; failures should be fast. */
> - if (!secure_computing())
> - return NO_SYSCALL;
> + if (flags & _TIF_SECCOMP) {
> + if (!__secure_computing())
> + return NO_SYSCALL;
> + }
[Severity: High]
Does checking the cached 'flags' argument here instead of dynamically
reading the thread flags create a race condition?
If the current thread stops for ptrace earlier in syscall_trace_enter(),
and another thread installs a filter via seccomp with
SECCOMP_FILTER_FLAG_TSYNC while this thread is stopped, the newly set
_TIF_SECCOMP flag wouldn't be reflected in the local 'flags' variable.
Could this allow an unprivileged process to bypass a newly installed
seccomp filter for the current syscall, especially since the tracer might
modify the syscall number (e.g., to execve) during the ptrace stop?
As an additional detail, the generic entry code in include/linux/entry-common.h
seems to exhibit the same pattern by checking a cached 'work' variable passed
into syscall_trace_enter().
>
> /* Either of the above might have changed the syscall number */
> syscall = syscall_get_nr(current, regs);
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260629130616.642022-1-ruanjinjie@huawei.com?part=5
next prev parent reply other threads:[~2026-06-29 13:29 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-29 13:05 [PATCH v16 00/18] arm64: entry: Convert to Generic Entry Jinjie Ruan
2026-06-29 13:05 ` [PATCH v16 01/18] seccomp: Convert __secure_computing() to return boolean Jinjie Ruan
2026-06-29 13:16 ` sashiko-bot
2026-06-29 13:06 ` [PATCH v16 02/18] syscall_user_dispatch: Introduce a weak fallback for arch_syscall_is_vdso_sigreturn() Jinjie Ruan
2026-06-29 13:06 ` [PATCH v16 03/18] arm64: ptrace: Pass thread flags to syscall_trace_enter/exit() Jinjie Ruan
2026-06-29 13:06 ` [PATCH v16 04/18] arm64: ptrace: Use syscall_get_nr() helper for syscall_trace_enter() Jinjie Ruan
2026-06-29 13:06 ` [PATCH v16 05/18] arm64: ptrace: Expand secure_computing() in place Jinjie Ruan
2026-06-29 13:29 ` sashiko-bot [this message]
2026-06-29 13:06 ` [PATCH v16 06/18] arm64: ptrace: Use syscall_get_arguments() helper for audit Jinjie Ruan
2026-06-29 13:06 ` [PATCH v16 07/18] arm64: ptrace: Protect rseq_syscall() from tracer PC modifications Jinjie Ruan
2026-06-29 13:06 ` [PATCH v16 08/18] arm64: ptrace: Rename syscall_trace_exit() to syscall_exit_work() Jinjie Ruan
2026-06-29 13:06 ` [PATCH v16 09/18] arm64: syscall: Rework the syscall exit path in el0_svc_common() Jinjie Ruan
2026-06-29 13:06 ` [PATCH v16 10/18] arm64: ptrace: Extract syscall_exit_to_user_mode_work() helper Jinjie Ruan
2026-06-29 13:06 ` [PATCH v16 11/18] arm64: ptrace: Align syscall exit work semantics with generic entry Jinjie Ruan
2026-06-29 13:06 ` [PATCH v16 12/18] arm64: syscall: Use exit-specific flags check in el0_svc_common() Jinjie Ruan
2026-06-29 13:06 ` [PATCH v16 13/18] arm64: syscall: Simplify el0_svc_common() syscall exit path Jinjie Ruan
2026-06-29 13:06 ` [PATCH v16 14/18] arm64: syscall: Simplify syscall exit path in el0_svc_common() Jinjie Ruan
2026-06-29 13:06 ` [PATCH v16 15/18] arm64: ptrace: Skip syscall exit reporting for PTRACE_SYSEMU_SINGLESTEP Jinjie Ruan
2026-06-29 13:06 ` [PATCH v16 16/18] arm64: entry: Convert to generic entry Jinjie Ruan
2026-06-29 13:06 ` [PATCH v16 17/18] arm64: Inline el0_svc_common() Jinjie Ruan
2026-06-29 13:06 ` [PATCH v16 18/18] arm64: vdso: Expose sigreturn address on vdso to the kernel Jinjie Ruan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260629132914.1135C1F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=agordeev@linux.ibm.com \
--cc=gor@linux.ibm.com \
--cc=hca@linux.ibm.com \
--cc=linux-s390@vger.kernel.org \
--cc=ruanjinjie@huawei.com \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox