All of lore.kernel.org
 help / color / mirror / Atom feed
From: He Zhe <zhe.he@windriver.com>
To: Paul Moore <paul@paul-moore.com>
Cc: oleg@redhat.com, catalin.marinas@arm.com, will@kernel.org,
	linux-arm-kernel@lists.infradead.org,
	Eric Paris <eparis@redhat.com>,
	linux-audit@redhat.com, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2 3/3] audit: Use syscall_get_return_value to get syscall return code in audit_syscall_exit
Date: Tue, 11 May 2021 11:19:21 +0800	[thread overview]
Message-ID: <c8493e20-c7fc-67e4-f2cc-81601535f21a@windriver.com> (raw)
In-Reply-To: <CAHC9VhQXawubMsKg2F282k-bJqZFT=vNurZAeAPKLU1ZZpYKeg@mail.gmail.com>



On 5/11/21 6:38 AM, Paul Moore wrote:
> On Fri, Apr 23, 2021 at 6:36 AM He Zhe <zhe.he@windriver.com> wrote:
>> regs_return_value for some architectures like arm64 simply retrieve
>> register value from pt_regs without sign extension in 32-bit compatible
>> case and cause audit to have false syscall return code. For example,
>> 32-bit -13 would be treated as 4294967283 below.
>>
>> type=SYSCALL msg=audit(1611110715.887:582): arch=40000028 syscall=322
>> success=yes exit=4294967283
>>
>> We just added proper sign extension in syscall_get_return_value which
>> should be used instead.
>>
>> Signed-off-by: He Zhe <zhe.he@windriver.com>
>> ---
>> v1 to v2: No change
>>
>>  include/linux/audit.h | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
> Perhaps I missed it but did you address the compile error that was
> found by the kernel test robot?

I sent a patch adding syscall_get_return_value for alpha to fix this bot warning.
https://lore.kernel.org/lkml/20210426091629.45020-1-zhe.he@windriver.com/
which can be found in this mail thread.

>
> Regardless, one comment inline below ...
>
>> diff --git a/include/linux/audit.h b/include/linux/audit.h
>> index 82b7c1116a85..135adbe22c19 100644
>> --- a/include/linux/audit.h
>> +++ b/include/linux/audit.h
>> @@ -334,7 +334,7 @@ static inline void audit_syscall_exit(void *pt_regs)
>>  {
>>         if (unlikely(audit_context())) {
>>                 int success = is_syscall_success(pt_regs);
> Since we are shifting to use syscall_get_return_value() below, would
> it also make sense to shift to using syscall_get_error() here instead
> of is_syscall_success()?

In [PATCH v2 1/3], is_syscall_success calls syscall_get_return_value to take
care of the sign extension issue. Keeping using is_syscall_success is to not
potentially changing other architectures' behavior.

Thanks,
Zhe

>
>> -               long return_code = regs_return_value(pt_regs);
>> +               long return_code = syscall_get_return_value(current, pt_regs);
>>
>>                 __audit_syscall_exit(success, return_code);
>>         }


WARNING: multiple messages have this Message-ID (diff)
From: He Zhe <zhe.he@windriver.com>
To: Paul Moore <paul@paul-moore.com>
Cc: catalin.marinas@arm.com, oleg@redhat.com,
	Eric Paris <eparis@redhat.com>,
	linux-kernel@vger.kernel.org, linux-audit@redhat.com,
	will@kernel.org, linux-arm-kernel@lists.infradead.org
Subject: Re: [PATCH v2 3/3] audit: Use syscall_get_return_value to get syscall return code in audit_syscall_exit
Date: Tue, 11 May 2021 11:19:21 +0800	[thread overview]
Message-ID: <c8493e20-c7fc-67e4-f2cc-81601535f21a@windriver.com> (raw)
In-Reply-To: <CAHC9VhQXawubMsKg2F282k-bJqZFT=vNurZAeAPKLU1ZZpYKeg@mail.gmail.com>



On 5/11/21 6:38 AM, Paul Moore wrote:
> On Fri, Apr 23, 2021 at 6:36 AM He Zhe <zhe.he@windriver.com> wrote:
>> regs_return_value for some architectures like arm64 simply retrieve
>> register value from pt_regs without sign extension in 32-bit compatible
>> case and cause audit to have false syscall return code. For example,
>> 32-bit -13 would be treated as 4294967283 below.
>>
>> type=SYSCALL msg=audit(1611110715.887:582): arch=40000028 syscall=322
>> success=yes exit=4294967283
>>
>> We just added proper sign extension in syscall_get_return_value which
>> should be used instead.
>>
>> Signed-off-by: He Zhe <zhe.he@windriver.com>
>> ---
>> v1 to v2: No change
>>
>>  include/linux/audit.h | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
> Perhaps I missed it but did you address the compile error that was
> found by the kernel test robot?

I sent a patch adding syscall_get_return_value for alpha to fix this bot warning.
https://lore.kernel.org/lkml/20210426091629.45020-1-zhe.he@windriver.com/
which can be found in this mail thread.

>
> Regardless, one comment inline below ...
>
>> diff --git a/include/linux/audit.h b/include/linux/audit.h
>> index 82b7c1116a85..135adbe22c19 100644
>> --- a/include/linux/audit.h
>> +++ b/include/linux/audit.h
>> @@ -334,7 +334,7 @@ static inline void audit_syscall_exit(void *pt_regs)
>>  {
>>         if (unlikely(audit_context())) {
>>                 int success = is_syscall_success(pt_regs);
> Since we are shifting to use syscall_get_return_value() below, would
> it also make sense to shift to using syscall_get_error() here instead
> of is_syscall_success()?

In [PATCH v2 1/3], is_syscall_success calls syscall_get_return_value to take
care of the sign extension issue. Keeping using is_syscall_success is to not
potentially changing other architectures' behavior.

Thanks,
Zhe

>
>> -               long return_code = regs_return_value(pt_regs);
>> +               long return_code = syscall_get_return_value(current, pt_regs);
>>
>>                 __audit_syscall_exit(success, return_code);
>>         }

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit


WARNING: multiple messages have this Message-ID (diff)
From: He Zhe <zhe.he@windriver.com>
To: Paul Moore <paul@paul-moore.com>
Cc: oleg@redhat.com, catalin.marinas@arm.com, will@kernel.org,
	linux-arm-kernel@lists.infradead.org,
	Eric Paris <eparis@redhat.com>,
	linux-audit@redhat.com, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2 3/3] audit: Use syscall_get_return_value to get syscall return code in audit_syscall_exit
Date: Tue, 11 May 2021 11:19:21 +0800	[thread overview]
Message-ID: <c8493e20-c7fc-67e4-f2cc-81601535f21a@windriver.com> (raw)
In-Reply-To: <CAHC9VhQXawubMsKg2F282k-bJqZFT=vNurZAeAPKLU1ZZpYKeg@mail.gmail.com>



On 5/11/21 6:38 AM, Paul Moore wrote:
> On Fri, Apr 23, 2021 at 6:36 AM He Zhe <zhe.he@windriver.com> wrote:
>> regs_return_value for some architectures like arm64 simply retrieve
>> register value from pt_regs without sign extension in 32-bit compatible
>> case and cause audit to have false syscall return code. For example,
>> 32-bit -13 would be treated as 4294967283 below.
>>
>> type=SYSCALL msg=audit(1611110715.887:582): arch=40000028 syscall=322
>> success=yes exit=4294967283
>>
>> We just added proper sign extension in syscall_get_return_value which
>> should be used instead.
>>
>> Signed-off-by: He Zhe <zhe.he@windriver.com>
>> ---
>> v1 to v2: No change
>>
>>  include/linux/audit.h | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
> Perhaps I missed it but did you address the compile error that was
> found by the kernel test robot?

I sent a patch adding syscall_get_return_value for alpha to fix this bot warning.
https://lore.kernel.org/lkml/20210426091629.45020-1-zhe.he@windriver.com/
which can be found in this mail thread.

>
> Regardless, one comment inline below ...
>
>> diff --git a/include/linux/audit.h b/include/linux/audit.h
>> index 82b7c1116a85..135adbe22c19 100644
>> --- a/include/linux/audit.h
>> +++ b/include/linux/audit.h
>> @@ -334,7 +334,7 @@ static inline void audit_syscall_exit(void *pt_regs)
>>  {
>>         if (unlikely(audit_context())) {
>>                 int success = is_syscall_success(pt_regs);
> Since we are shifting to use syscall_get_return_value() below, would
> it also make sense to shift to using syscall_get_error() here instead
> of is_syscall_success()?

In [PATCH v2 1/3], is_syscall_success calls syscall_get_return_value to take
care of the sign extension issue. Keeping using is_syscall_success is to not
potentially changing other architectures' behavior.

Thanks,
Zhe

>
>> -               long return_code = regs_return_value(pt_regs);
>> +               long return_code = syscall_get_return_value(current, pt_regs);
>>
>>                 __audit_syscall_exit(success, return_code);
>>         }


_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

  reply	other threads:[~2021-05-11  3:19 UTC|newest]

Thread overview: 34+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-04-23 10:35 [PATCH v2 1/3] arm64: ptrace: Add is_syscall_success to handle compat He Zhe
2021-04-23 10:35 ` He Zhe
2021-04-23 10:35 ` He Zhe
2021-04-23 10:35 ` [PATCH v2 2/3] arm64: syscall.h: Add sign extension handling in syscall_get_return_value for compat He Zhe
2021-04-23 10:35   ` He Zhe
2021-04-23 10:35   ` He Zhe
2021-05-05 17:30   ` Mark Rutland
2021-05-05 17:30     ` Mark Rutland
2021-05-05 17:30     ` Mark Rutland
2021-04-23 10:35 ` [PATCH v2 3/3] audit: Use syscall_get_return_value to get syscall return code in audit_syscall_exit He Zhe
2021-04-23 10:35   ` He Zhe
2021-04-23 10:35   ` He Zhe
2021-04-24  5:44   ` kernel test robot
2021-04-24  5:44     ` kernel test robot
2021-04-24  5:44     ` kernel test robot
2021-04-26  9:16   ` [PATCH] alpha: Add syscall_get_return_value() He Zhe
2021-04-26  9:16     ` He Zhe
2021-04-26  9:21     ` He Zhe
2021-04-26  9:21       ` He Zhe
2021-05-10 22:38   ` [PATCH v2 3/3] audit: Use syscall_get_return_value to get syscall return code in audit_syscall_exit Paul Moore
2021-05-10 22:38     ` Paul Moore
2021-05-10 22:38     ` Paul Moore
2021-05-11  3:19     ` He Zhe [this message]
2021-05-11  3:19       ` He Zhe
2021-05-11  3:19       ` He Zhe
2021-05-11 14:51       ` Paul Moore
2021-05-11 14:51         ` Paul Moore
2021-05-11 14:51         ` Paul Moore
2021-05-12  8:43         ` He Zhe
2021-05-12  8:43           ` He Zhe
2021-05-12  8:43           ` He Zhe
2021-05-14 20:33           ` Paul Moore
2021-05-14 20:33             ` Paul Moore
2021-05-14 20:33             ` Paul Moore

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=c8493e20-c7fc-67e4-f2cc-81601535f21a@windriver.com \
    --to=zhe.he@windriver.com \
    --cc=catalin.marinas@arm.com \
    --cc=eparis@redhat.com \
    --cc=linux-arm-kernel@lists.infradead.org \
    --cc=linux-audit@redhat.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=oleg@redhat.com \
    --cc=paul@paul-moore.com \
    --cc=will@kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.