[PATCH v2] arm: prevent BUG_ON in audit_syscall_entry()
by AKASHI Takahiro
BUG_ON() in audit_syscall_entry() is hit under the following conditions:
1) syscall auditing is enabled (that is, by running auditd).
2) user process issues syscall(-1)
In fact, syscall(-1) just fails (not raising SIGILL, that is an expected
behavior if not audited), and the succeeding syscall will hit this BUG_ON.
------------[ cut here ]------------
kernel BUG at (...)/kernel/auditsc.c:1534!
Internal error: Oops - BUG: 0 [#1] SMP ARM
Modules linked in:
CPU: 0 PID: 61 Comm: syscall_arm Not tainted 3.17.0-rc4 #60
task: ea0c4380 ti: ea48e000 task.ti: ea48e000
PC is at __audit_syscall_entry+0xe4/0x110
LR is at 0xea0c4380
pc : [<c02b2ae8>] lr : [<ea0c4380>] psr: 20000013
sp : ea48ff68 ip : 00000001 fp : 0000869c
r10: 00000200 r9 : ea48e000 r8 : c020f4e4
r7 : 000000c5 r6 : ea48e000 r5 : ea48ffb0 r4 : ea490800
r3 : bef1e718 r2 : 00000001 r1 : 000000c5 r0 : 40000028
Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
Control: 10c5387d Table: 8a4ac059 DAC: 00000015
Process syscall_arm (pid: 61, stack limit = 0xea48e250)
Stack: (0xea48ff68 to 0xea490000)
ff60: 540e7a69 3ab5e840 00000200 000000c5 ea48ffb0 ea48e000
ff80: 000000c5 c02114bc bef1e718 00000001 b6efdb58 ffffffff 08400000 000000c5
ffa0: c020f4e4 c020f49c b6efdb58 ffffffff 00000001 bef1e718 bef1e718 00000001
ffc0: b6efdb58 ffffffff 08400000 000000c5 00000000 b6f22850 00000008 0000869c
ffe0: 000000c5 bef1e704 b6ea315f b6e318e6 20000030 00000001 00000000 00000000
[<c02b2ae8>] (__audit_syscall_entry) from [<c02114bc>] (syscall_trace_enter+0xf0/0x120)
[<c02114bc>] (syscall_trace_enter) from [<c020f49c>] (__sys_trace+0xc/0x38)
Code: e584500c e5842004 e28dd00c e8bd80f0 (e7f001f2)
---[ end trace 0c4441660aba5692 ]---
Under the current implementation, audit_syscall_entry() is called even
against syscall(-1), but audit_syscall_exit() is not. Because 'in_syscall'
flag in a current thread's audit context is kept on, next called
audit_syscall_entry() will see BUG_ON(in_syscall).
This patch fixes this bug by
1) preventing syscall enter/exit tracing, ftrace tracepoint and audit,
from being executed if an invalid (including -1) or pseudo syscall
number (starting from __NR_ARM_BASE + 1).
Please note that tracehook_report_syscall(PTRACE_SYSCALL_EXIT) is
still executed as it should be paired with
tracehook_report_syscall(PTRACE_SYSCALL_ENTER).
2) handling user-issued syscall(-1) with arm_syscall() for compatibility
if tracing is on.
Since UL(-1) > __NR_ARM_BASE - __NR_SYSCALL_BASE, arm_syscall() is
called at local_restart in entry-common.S if tracing is off.
Signed-off-by: AKASHI Takahiro <takahiro.akashi(a)linaro.org>
---
arch/arm/include/asm/traps.h | 1 +
arch/arm/kernel/entry-common.S | 3 ++-
arch/arm/kernel/ptrace.c | 49 +++++++++++++++++++++++++---------------
3 files changed, 34 insertions(+), 19 deletions(-)
diff --git a/arch/arm/include/asm/traps.h b/arch/arm/include/asm/traps.h
index f555bb3..de01145 100644
--- a/arch/arm/include/asm/traps.h
+++ b/arch/arm/include/asm/traps.h
@@ -49,6 +49,7 @@ static inline int in_exception_text(unsigned long ptr)
extern void __init early_trap_init(void *);
extern void dump_backtrace_entry(unsigned long where, unsigned long from, unsigned long frame);
extern void ptrace_break(struct task_struct *tsk, struct pt_regs *regs);
+extern int arm_syscall(int no, struct pt_regs *regs);
extern void *vectors_page;
diff --git a/arch/arm/kernel/entry-common.S b/arch/arm/kernel/entry-common.S
index e52fe5a..4c62324 100644
--- a/arch/arm/kernel/entry-common.S
+++ b/arch/arm/kernel/entry-common.S
@@ -476,10 +476,11 @@ __sys_trace:
cmp scno, #-1 @ skip the syscall?
bne 2b
add sp, sp, #S_OFF @ restore stack
- b ret_slow_syscall
+ b __sys_trace_return_skipped
__sys_trace_return:
str r0, [sp, #S_R0 + S_OFF]! @ save returned r0
+__sys_trace_return_skipped:
mov r0, sp
bl syscall_trace_exit
b ret_slow_syscall
diff --git a/arch/arm/kernel/ptrace.c b/arch/arm/kernel/ptrace.c
index 0c27ed6..d458367 100644
--- a/arch/arm/kernel/ptrace.c
+++ b/arch/arm/kernel/ptrace.c
@@ -930,7 +930,9 @@ static void tracehook_report_syscall(struct pt_regs *regs,
asmlinkage int syscall_trace_enter(struct pt_regs *regs, int scno)
{
- current_thread_info()->syscall = scno;
+ int orig_scno;
+
+ current_thread_info()->syscall = orig_scno = scno;
/* Do the secure computing check first; failures should be fast. */
if (secure_computing(scno) == -1)
@@ -941,31 +943,42 @@ asmlinkage int syscall_trace_enter(struct pt_regs *regs, int scno)
scno = current_thread_info()->syscall;
- if (test_thread_flag(TIF_SYSCALL_TRACEPOINT))
- trace_sys_enter(regs, scno);
+ if (scno >= 0 && scno < NR_syscalls) {
+ if (test_thread_flag(TIF_SYSCALL_TRACEPOINT))
+ trace_sys_enter(regs, scno);
- audit_syscall_entry(AUDIT_ARCH_ARM, scno, regs->ARM_r0, regs->ARM_r1,
- regs->ARM_r2, regs->ARM_r3);
+ audit_syscall_entry(AUDIT_ARCH_ARM, scno,
+ regs->ARM_r0, regs->ARM_r1,
+ regs->ARM_r2, regs->ARM_r3);
+ } else if (scno == -1 && orig_scno == -1) {
+ /*
+ * For compatibility, we handles user-issued syscall(-1)
+ * here with arm_syscall().
+ */
+ arm_syscall(scno, regs);
+ }
return scno;
}
asmlinkage void syscall_trace_exit(struct pt_regs *regs)
{
- /*
- * Audit the syscall before anything else, as a debugger may
- * come in and change the current registers.
- */
- audit_syscall_exit(regs);
+ if (current_thread_info()->syscall < NR_syscalls) {
+ /*
+ * Audit the syscall before anything else, as a debugger may
+ * come in and change the current registers.
+ */
+ audit_syscall_exit(regs);
- /*
- * Note that we haven't updated the ->syscall field for the
- * current thread. This isn't a problem because it will have
- * been set on syscall entry and there hasn't been an opportunity
- * for a PTRACE_SET_SYSCALL since then.
- */
- if (test_thread_flag(TIF_SYSCALL_TRACEPOINT))
- trace_sys_exit(regs, regs_return_value(regs));
+ /*
+ * Note that we haven't updated the ->syscall field for the
+ * current thread. This isn't a problem because it will have
+ * been set on syscall entry and there hasn't been
+ * an opportunity for a PTRACE_SET_SYSCALL since then.
+ */
+ if (test_thread_flag(TIF_SYSCALL_TRACEPOINT))
+ trace_sys_exit(regs, regs_return_value(regs));
+ }
if (test_thread_flag(TIF_SYSCALL_TRACE))
tracehook_report_syscall(regs, PTRACE_SYSCALL_EXIT);
--
1.7.9.5
10 years, 1 month
suppress log entries, how?
by Marko Weber | 8000
good morning list,
i installed auditd on my gentoo server.
installation runs without error, but on start i get this:
# /etc/init.d/auditd start
* Starting auditd ...
[ ok ]
touch: cannot touch '/var/lock/subsys/auditd': No such file or directory
* Loading audit rules from /etc/audit/audit.rules
seems /var/lock/ `subsys/auditd` is missing.
that was easy to fix, but has to be repeated after every reboot.
in auditd.log i get entries like this:
type=NETFILTER_CFG msg=audit(1412022284.553:2446): table=mangle family=2
entries=6
type=SYSCALL msg=audit(1412022284.553:2446): arch=c000003e syscall=54
success=yes exit=0 a0=4 a1=0 a2=40 a3=1144850 items=0 ppid=2070 pid=2130
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=4294967295 comm="iptables" exe="/sbin/xtables-multi"
key=(null)
i want to suppress these messages.
in my understanding of the man page i have to put such a rule into
audit.rules:
-a exclude,never -F msgtype=NETFILTER_CFG , but this isnt working. the
messages still appears.
my config of my fresh auditd install:
# First rule - delete all
# This is to clear out old rules, so we don't append to them.
-D
# Feel free to add below this line. See auditctl man page
-a exclude,never -F msgtype=NETFILTER_CFG
# The following rule would cause all of the syscalls listed to be
ignored in logging.
-a exit,never -F arch=b32 -S read -S write -S open -S fstat -S mmap -S
brk -S munmap -S nanosleep -S fcntl -S close -S dup2 -S rt_sigaction -S
stat
-a exit,never -F arch=b64 -S read -S write -S open -S fstat -S mmap -S
brk -S munmap -S nanosleep -S fcntl -S close -S dup2 -S rt_sigaction -S
stat
-a exclude,never -F msgtype=NETFILTER_CFG
# The following rule would cause the capture of all systems not caught
above.
# -a exit,always -S all
# Increase the buffers to survive stress events
-b 8192
# lock the audit configuration to prevent any modification of this file.
-e 2
i installed audit 2.2.2-r2 on gentoo if this is of intzerest.
thank you
marko
--
zbfmail - Mittendrin statt nur Datei!
10 years, 1 month