From: Yang Yang <yang.yang29(a)zte.com.cn>
Userspace may use syscall with syscall number less than 0 by calling
syscall(syscall_num,..). This kind of syscall could never be audited,
because auditctl requires rule with syscall number >=0. Therefore we
better do a quick handle no need to gohead with this situation.
Note that auditctl may set rules auditing invalid syscall with syscall
number bigger than NR_syscalls, to keep this mechanism working, we do
no more check(context->major bigger than NR_syscalls or not).
Signed-off-by: Yang Yang <yang.yang29(a)zte.com.cn>
Reported-by: Zeal Robot <zealci(a)zte.com.cn>
---
v2:
- cancel checking against NR_syscalls
---
kernel/auditsc.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index ea2ee1181921..79118c811853 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2077,7 +2077,8 @@ void __audit_syscall_exit(int success, long return_code)
struct audit_context *context = audit_context();
if (!context || context->dummy ||
- context->context != AUDIT_CTX_SYSCALL)
+ context->context != AUDIT_CTX_SYSCALL ||
+ unlikely(context->major < 0))
goto out;
/* this may generate CONFIG_CHANGE records */
--
2.25.1