strace on a linux/mips

Hello,

Strace can't follow fork on a linux/mips (on all kernels, mips, mips64,
o32, n32, etc).

When fork occurs, strace changes syscall number from fork to clone in v0
and sets CLONE_PTRACE in a0.
Unfortunately, the kernel forms the address of the syscall routine before
strace performs its dirty tricks. Thus, the only thing strace can do is
play with the syscall routine's address via t2. It's not so useful
because strace doesn't know where the syscall table is. Strace is still
able to change the first 4 arguments, though.

BTW, opening t2 to the ptrace(2) interface isn't a good thing either. I am
not sure I can gain root by pondering t2, but I'm sure it's a hole for a
DoS attack, at least. (For lazy people: the kernel restores t2 from the
stack and does jalr t2 after the process being traced is resumed.)

The solution is to repeat parsing the syscall number (and the number of
arguments) on return from syscall_trace.
Another solution is to call syscall_trace early, before parsing.

Has somebody got yet another idea?

Regards,
Gleb.
