parisc: Fix ptrace syscall number modification
commit b7dc5a071ddf69c0350396b203cba32fe5bab510 upstream. Commit910cd32e55
("parisc: Fix and enable seccomp filter support") introduced a regression in ptrace-based syscall tampering: when tracer changes syscall number to -1, the kernel fails to initialize %r28 with -ENOSYS and subsequently fails to return the error code of the failed syscall to userspace. This erroneous behaviour could be observed with a simple strace syscall fault injection command which is expected to print something like this: $ strace -a0 -ewrite -einject=write:error=enospc echo hello write(1, "hello\n", 6) = -1 ENOSPC (No space left on device) (INJECTED) write(2, "echo: ", 6) = -1 ENOSPC (No space left on device) (INJECTED) write(2, "write error", 11) = -1 ENOSPC (No space left on device) (INJECTED) write(2, "\n", 1) = -1 ENOSPC (No space left on device) (INJECTED) +++ exited with 1 +++ After commit910cd32e55
it loops printing something like this instead: write(1, "hello\n", 6../strace: Failed to tamper with process 12345: unexpectedly got no error (return value 0, error 0) ) = 0 (INJECTED) This bug was found by strace test suite. Fixes:910cd32e55
("parisc: Fix and enable seccomp filter support") Cc: stable@vger.kernel.org # v4.5+ Signed-off-by: Dmitry V. Levin <ldv@altlinux.org> Tested-by: Helge Deller <deller@gmx.de> Signed-off-by: Helge Deller <deller@gmx.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
parent
8b4b1d7cc4
commit
ebe390b42e
1 changed files with 21 additions and 8 deletions
|
@ -308,15 +308,29 @@ long compat_arch_ptrace(struct task_struct *child, compat_long_t request,
|
|||
|
||||
long do_syscall_trace_enter(struct pt_regs *regs)
|
||||
{
|
||||
if (test_thread_flag(TIF_SYSCALL_TRACE) &&
|
||||
tracehook_report_syscall_entry(regs)) {
|
||||
if (test_thread_flag(TIF_SYSCALL_TRACE)) {
|
||||
int rc = tracehook_report_syscall_entry(regs);
|
||||
|
||||
/*
|
||||
* Tracing decided this syscall should not happen or the
|
||||
* debugger stored an invalid system call number. Skip
|
||||
* the system call and the system call restart handling.
|
||||
* As tracesys_next does not set %r28 to -ENOSYS
|
||||
* when %r20 is set to -1, initialize it here.
|
||||
*/
|
||||
regs->gr[20] = -1UL;
|
||||
goto out;
|
||||
regs->gr[28] = -ENOSYS;
|
||||
|
||||
if (rc) {
|
||||
/*
|
||||
* A nonzero return code from
|
||||
* tracehook_report_syscall_entry() tells us
|
||||
* to prevent the syscall execution. Skip
|
||||
* the syscall call and the syscall restart handling.
|
||||
*
|
||||
* Note that the tracer may also just change
|
||||
* regs->gr[20] to an invalid syscall number,
|
||||
* that is handled by tracesys_next.
|
||||
*/
|
||||
regs->gr[20] = -1UL;
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
|
||||
/* Do the secure computing check after ptrace. */
|
||||
|
@ -340,7 +354,6 @@ long do_syscall_trace_enter(struct pt_regs *regs)
|
|||
regs->gr[24] & 0xffffffff,
|
||||
regs->gr[23] & 0xffffffff);
|
||||
|
||||
out:
|
||||
/*
|
||||
* Sign extend the syscall number to 64bit since it may have been
|
||||
* modified by a compat ptrace call
|
||||
|
|
Loading…
Reference in a new issue