On most architectures we use the ptrace hooks for syscall tracing to
also call audit_syscall_entry() and audit_syscall_exit(). But we do so
_before_ calling ptrace_notify(), during which we stop the process and
let the debugger poke at it, potentially _changing_ the arguments to the
syscall.

So AFAICT we can log the syscall's arguments before they're changed, and
then it can go on to do something entirely different to what we said it
was going to do. We need to switch the order round, I think.

There is also a potential race condition where the argument is actually
a pointer to userspace memory -- for auditing purposes we _must_ use the
copy which we get from userspace at the time we perform the syscall, not
copy it in from userspace in audit_syscall_entry(). I don't think we
currently have problems with this -- both the IPC code and getname() are
doing this correctly -- but it's worth pointing out to avoid mistakes in
future.
--
dwmw2
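The second hazard in the mail, auditing from a separate fetch of user memory rather than from the copy the syscall itself uses, is easy to model in user space. The following is an added example, not code from the mail or from the kernel: `copy_from_user_sim`, `write_user`, `racy_syscall`, `correct_syscall` and the flipping buffer are constructed stand-ins for copy_from_user(), a user thread racing the syscall, an audit path that fetches the string itself, and a getname()-style path that fetches once and hands the same copy to both the syscall and the audit record.

```c
#define _GNU_SOURCE
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: a fixed-size "user-space" buffer that a syscall
 * argument points at. The names below (copy_from_user_sim, racy_syscall,
 * correct_syscall) are stand-ins for this demo, not kernel APIs. */
#define PATH_LEN 32
static volatile char user_path[PATH_LEN];
static atomic_int flipper_running;

/* Byte-wise copy standing in for copy_from_user()/strncpy_from_user(). */
static void copy_from_user_sim(char *dst, const volatile char *src)
{
    for (size_t i = 0; i < PATH_LEN; i++)
        dst[i] = src[i];
}

/* User space writing into its own buffer (always NUL-padded to PATH_LEN). */
static void write_user(const char *s)
{
    size_t n = strlen(s);
    for (size_t i = 0; i < PATH_LEN; i++)
        user_path[i] = i < n ? s[i] : '\0';
}

/* Second user thread: keeps flipping the path while the "syscall" is in
 * flight, which is exactly the window the mail warns about. */
static void *flipper(void *arg)
{
    (void)arg;
    while (atomic_load(&flipper_running)) {
        write_user("/etc/shadow");
        write_user("/tmp/harmless");
    }
    return NULL;
}

/* Wrong: audit fetches the string itself, then the syscall proper fetches
 * it again. Returns 1 if the two copies agree, 0 on a mismatch. */
static int racy_syscall(char *audited, char *used)
{
    copy_from_user_sim(audited, user_path); /* audit_syscall_entry() fetch */
    sched_yield();                           /* widen the window a little */
    copy_from_user_sim(used, user_path);     /* getname()-style fetch */
    return strncmp(audited, used, PATH_LEN) == 0;
}

/* Right: one fetch. The audit record is built from the very copy the
 * syscall goes on to operate on, so the two cannot disagree, even if
 * the single copy itself caught the buffer mid-write. */
static int correct_syscall(char *audited, char *used)
{
    char kbuf[PATH_LEN];
    copy_from_user_sim(kbuf, user_path);     /* the syscall's own getname() */
    memcpy(used, kbuf, PATH_LEN);            /* what the syscall acts on */
    memcpy(audited, kbuf, PATH_LEN);         /* what audit records */
    return strncmp(audited, used, PATH_LEN) == 0;
}

/* Run `iters` "syscalls" against a flipping user buffer; return how many
 * times the audited value differed from the value actually used
 * (-1 if the helper thread could not be started). */
static int count_mismatches(int (*sys)(char *, char *), int iters)
{
    pthread_t t;
    char audited[PATH_LEN], used[PATH_LEN];
    int mismatches = 0;

    write_user("/tmp/harmless");
    atomic_store(&flipper_running, 1);
    if (pthread_create(&t, NULL, flipper, NULL) != 0)
        return -1;
    for (int i = 0; i < iters; i++)
        if (!sys(audited, used))
            mismatches++;
    atomic_store(&flipper_running, 0);
    pthread_join(t, NULL);
    return mismatches;
}

int main(void)
{
    int iters = 200000;
    printf("racy   : %d/%d audit records disagree with what the syscall used\n",
           count_mismatches(racy_syscall, iters), iters);
    printf("correct: %d/%d\n", count_mismatches(correct_syscall, iters), iters);
    return 0;
}
```

Build with `cc -pthread`. The racy count depends on the scheduler and may be small or zero on a single CPU, but any non-zero value is an audit record describing a path the syscall never touched; the correct variant is zero by construction, which is the property the mail asks the IPC code and getname() to preserve.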