Commit b7dc5a07 authored Feb 16, 2019 by Dmitry V. Levin Committed by Helge Deller Feb 21, 2019

parisc: Fix ptrace syscall number modification



Commit 910cd32e ("parisc: Fix and enable seccomp filter support")
introduced a regression in ptrace-based syscall tampering: when tracer
changes syscall number to -1, the kernel fails to initialize %r28 with
-ENOSYS and subsequently fails to return the error code of the failed
syscall to userspace.

This erroneous behaviour could be observed with a simple strace syscall
fault injection command which is expected to print something like this:

$ strace -a0 -ewrite -einject=write:error=enospc echo hello
write(1, "hello\n", 6) = -1 ENOSPC (No space left on device) (INJECTED)
write(2, "echo: ", 6) = -1 ENOSPC (No space left on device) (INJECTED)
write(2, "write error", 11) = -1 ENOSPC (No space left on device) (INJECTED)
write(2, "\n", 1) = -1 ENOSPC (No space left on device) (INJECTED)
+++ exited with 1 +++

After commit 910cd32e it loops printing
something like this instead:

write(1, "hello\n", 6../strace: Failed to tamper with process 12345: unexpectedly got no error (return value 0, error 0)
) = 0 (INJECTED)

This bug was found by strace test suite.

Fixes: 910cd32e ("parisc: Fix and enable seccomp filter support")
Cc: stable@vger.kernel.org # v4.5+
Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
Tested-by: Helge Deller <deller@gmx.de>
Signed-off-by: Helge Deller <deller@gmx.de>

parent f6163d67

arch/parisc/kernel/ptrace.c

+21 −8

Original line number	Diff line number	Diff line
		@@ -308,15 +308,29 @@ long compat_arch_ptrace(struct task_struct *child, compat_long_t request,

		long do_syscall_trace_enter(struct pt_regs *regs)
		{
		if (test_thread_flag(TIF_SYSCALL_TRACE) &&
		tracehook_report_syscall_entry(regs)) {
		if (test_thread_flag(TIF_SYSCALL_TRACE)) {
		int rc = tracehook_report_syscall_entry(regs);

		/*
		* Tracing decided this syscall should not happen or the
		* debugger stored an invalid system call number. Skip
		* the system call and the system call restart handling.
		* As tracesys_next does not set %r28 to -ENOSYS
		* when %r20 is set to -1, initialize it here.
		*/
		regs->gr[28] = -ENOSYS;

		if (rc) {
		/*
		* A nonzero return code from
		* tracehook_report_syscall_entry() tells us
		* to prevent the syscall execution. Skip
		* the syscall call and the syscall restart handling.
		*
		* Note that the tracer may also just change
		* regs->gr[20] to an invalid syscall number,
		* that is handled by tracesys_next.
		*/
		regs->gr[20] = -1UL;
		goto out;
		return -1;
		}
		}

		/* Do the secure computing check after ptrace. */
		@@ -340,7 +354,6 @@ long do_syscall_trace_enter(struct pt_regs *regs)
		regs->gr[24] & 0xffffffff,
		regs->gr[23] & 0xffffffff);

		out:
		/*
		* Sign extend the syscall number to 64bit since it may have been
		* modified by a compat ptrace call

Admin message