On Wed, Jun 22, 2016 at 4:42 PM, Paul Moore <pmoore@xxxxxxxxxx> wrote:
> From: Paul Moore <paul@xxxxxxxxxxxxxx>
>
> When executing s390 code on s390x the syscall arguments are not
> properly masked, leading to some malformed audit records.
>
> Signed-off-by: Paul Moore <paul@xxxxxxxxxxxxxx>
> ---
> arch/s390/kernel/ptrace.c | 11 ++++++++---
> 1 file changed, 8 insertions(+), 3 deletions(-)
FWIW, I've applied this patch to the audit tree, in the next branch;
if anyone has any objections please let me know.
> diff --git a/arch/s390/kernel/ptrace.c b/arch/s390/kernel/ptrace.c
> index 49b1c13..ac1dc74 100644
> --- a/arch/s390/kernel/ptrace.c
> +++ b/arch/s390/kernel/ptrace.c
> @@ -822,6 +822,7 @@ long compat_arch_ptrace(struct task_struct *child, compat_long_t request,
> asmlinkage long do_syscall_trace_enter(struct pt_regs *regs)
> {
> long ret = 0;
> + unsigned long mask = -1UL;
>
> /* Do the secure computing check first. */
> if (secure_computing()) {
> @@ -849,9 +850,13 @@ asmlinkage long do_syscall_trace_enter(struct pt_regs *regs)
> if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT)))
> trace_sys_enter(regs, regs->gprs[2]);
>
> - audit_syscall_entry(regs->gprs[2], regs->orig_gpr2,
> - regs->gprs[3], regs->gprs[4],
> - regs->gprs[5]);
> +#ifdef CONFIG_COMPAT
> + if (test_thread_flag(TIF_31BIT))
> + mask = 0xffffffff;
> +#endif
> + audit_syscall_entry(regs->gprs[2], regs->orig_gpr2 & mask,
> + regs->gprs[3] & mask, regs->gprs[4] & mask,
> + regs->gprs[5] & mask);
> out:
> return ret ?: regs->gprs[2];
> }
>
--
paul moore
security @ redhat
--
To unsubscribe from this list: send the line "unsubscribe linux-s390" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
