In the ia32entry syscall exit audit fastpath we have assembly code which calls audit_syscall_exit directly. This code was, however, incorrectly zeroing the upper 32 bits of the return code. It then proceeded to do a 32-bit check for positive/negative to determine the syscall's success. This meant that syscalls like mmap2, which might return a very large 32-bit address as the pointer, would be mistaken for returning a negative return code. It also meant that negative return codes would be mistaken for large positive 32-bit numbers on output.
The fix is to not zero the upper 32 bits of the return value and to do a full 64bit negative/postive determination for syscall success.
Old record returning a pointer:
type=SYSCALL msg=audit(1305733850.639:224): arch=40000003 syscall=192 success=no exit=4151844864
New Record with positive/negative test fixing "success":
type=SYSCALL msg=audit(1305733850.639:224): arch=40000003 syscall=192 success=yes exit=4151844864
Old record returning an error:
type=SYSCALL msg=audit(1306197182.256:281): arch=40000003 syscall=192 success=no exit=4294967283
New record returning -13:
type=SYSCALL msg=audit(1306197182.256:281): arch=40000003 syscall=192 success=no exit=-13
Signed-off-by: Eric Paris <[email protected]>
---
 arch/x86/ia32/ia32entry.S | 6 +++---
 1 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S
index c1870dd..b2bea0a 100644
--- a/arch/x86/ia32/ia32entry.S
+++ b/arch/x86/ia32/ia32entry.S
@@ -209,14 +209,14 @@ sysexit_from_sys_call:
 	jnz ia32_ret_from_sys_call
 	TRACE_IRQS_ON
 	sti
-	movl %eax,%esi /* second arg, syscall return value */
-	cmpl $0,%eax /* is it < 0? */
+	movq %rax,%rsi /* second arg, syscall return value */
+	cmpq $0,%rax /* is it < 0? */
 	setl %al /* 1 if so, 0 if not */
 	movzbl %al,%edi /* zero-extend that into %edi */
 	inc %edi /* first arg, 0->1(AUDITSC_SUCCESS), 1->2(AUDITSC_FAILURE) */
 	call audit_syscall_exit
 	GET_THREAD_INFO(%r10)
-	movl RAX-ARGOFFSET(%rsp),%eax /* reload syscall return value */
+	movq RAX-ARGOFFSET(%rsp),%rax /* reload syscall return value */
 	movl $(_TIF_ALLWORK_MASK & ~_TIF_SYSCALL_AUDIT),%edi
 	cli
 	TRACE_IRQS_OFF
--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
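Review bot: The new `cmpq $0,%rax` / `setl %al` pair makes the success test depend on the compat syscall handler having sign-extended its 32-bit result into the full %rax (a negative errno stays negative, a 32-bit pointer stays positive); that invariant is what the description's exit=-13 record appears to rely on, but nothing in the hunk states it, so the `movq %rax,%rsi` line deserves a comment such as `/* full 64-bit value: handlers sign-extend errors, so a large 32-bit pointer is not mistaken for one */`. As a point of style, `testq %rax,%rax` is the usual idiom for a sign check and leaves `setl` correct (test clears OF, so setl reduces to SF), though the cmpq form is not wrong. The same 64-bit reload with `movq RAX-ARGOFFSET(%rsp),%rax` keeps the value consistent with what was passed to audit_syscall_exit; if other entry paths feed audit_syscall_exit a 32-bit-truncated value they would need the same treatment, which cannot be confirmed from this hunk. sysexit_from_sys_call continues past the end of the hunk.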
