Incorrect value of ptrace's 4th argument on zSeries

Michael C Thompson mcthomps at us.ibm.com
Wed Feb 15 16:56:36 UTC 2006


Hey all,

I've found an issue with the logging of the value of the 4th argument of 
the ptrace syscall.

The calls are: ptrace(PTRACE_TRACEME,0,0,0) and ptrace(PTRACE_KILL,1,0,0).
The value of the 4th argument, that is the 0, is logged as the following:

type=SYSCALL msg=audit(1140022035.377:246959): arch=16 syscall=26 
success=yes exit=0 a0=0 a1=0 a2=0 a3=20000000000 items=0 pid=5236 auid=500 
uid=501 gid=501 euid=501 suid=0 fsuid=501 egid=501 sgid=0 fsgid=501 
comm="ptrace_test" 
exe="/rhcc/lspp/tests/LTP/ltp-merged/testcases/audit/syscalls/ptrace_test"

As you can see, a3 is logged as "a3=20000000000".

I am not sure if this extends to other syscalls, but this issue makes 
logging with specific argument values challenging at best.

Mike
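
An added example, not part of the original post: a small Python check that parses the SYSCALL record quoted above and compares the logged a0..a3 values with the arguments the test program passed. The function names are hypothetical; the record is copied from the post with the line wrapping removed.

```python
import shlex

# Record copied from the post above (line wrapping removed).
RECORD = (
    'type=SYSCALL msg=audit(1140022035.377:246959): arch=16 syscall=26 '
    'success=yes exit=0 a0=0 a1=0 a2=0 a3=20000000000 items=0 pid=5236 '
    'auid=500 uid=501 gid=501 euid=501 suid=0 fsuid=501 egid=501 sgid=0 '
    'fsgid=501 comm="ptrace_test" '
    'exe="/rhcc/lspp/tests/LTP/ltp-merged/testcases/audit/syscalls/ptrace_test"'
)

PTRACE_TRACEME = 0  # Linux request number for PTRACE_TRACEME


def parse_record(line):
    """Split an audit record into a key -> value dict, honouring quotes."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def syscall_args(fields):
    """Return a0..a3 as integers; the audit subsystem logs them in hex."""
    return [int(fields[f"a{i}"], 16) for i in range(4)]


def arg_mismatches(line, expected):
    """List (field, expected, logged) for every argument that differs."""
    logged = syscall_args(parse_record(line))
    return [
        (f"a{i}", want, got)
        for i, (want, got) in enumerate(zip(expected, logged))
        if want != got
    ]


if __name__ == "__main__":
    # The test program called ptrace(PTRACE_TRACEME, 0, 0, 0).
    for field, want, got in arg_mismatches(RECORD, [PTRACE_TRACEME, 0, 0, 0]):
        print(f"{field}: expected {want:#x}, logged {got:#x}")
```

Run over the records a test suite produces, a check like this shows which syscalls and argument positions are affected before any audit rule is written against those fields.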