Incorrect value of ptrace's 4th argument on zSeries

Michael C Thompson mcthomps at us.ibm.com
Wed Feb 15 17:09:30 UTC 2006


linux-audit-bounces at redhat.com wrote on 02/15/2006 10:56:36 AM:

> 
> Hey all, 
> 
> I've found an issue with the logging of the value of the 4th 
> argument of the ptrace syscall. 
> 
> The call is: ptrace(PTRACE_TRACEME,0,0,0)   and  ptrace(PTRACE_KILL,
> 1,0,0) the value of the 4th argument, that is the 0, is logged as 
> the following: 
> 
> type=SYSCALL msg=audit(1140022035.377:246959): arch=16 syscall=26 
> success=yes exit=0 a0=0 a1=0 a2=0 a3=20000000000 items=0 pid=5236 
> auid=500 uid=501 gid=501 euid=501 suid=0 fsuid=501 egid=501 sgid=0 
> fsgid=501 comm="ptrace_test" exe="/rhcc/lspp/tests/LTP/ltp-
> merged/testcases/audit/syscalls/ptrace_test" 
> 
> As you can see, a3 is logged as "a3=20000000000". 
> 
> I am not sure if this extends to other syscalls, but this issue 
> makes logging with specific argument values challenging at best. 

Addendum: This seems to be happening for all syscalls' 4th argument field. 
There is a padding of 200 going on, regardless of the value of the initial 
value provided to the system call. I assume it is an issue with the 
bit-mode, as the execution is happening under 32-bit mode, and the system 
is a native 64-bit.

> 
> Mike--
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
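
Added example, not part of the original message: a Python sketch that parses the quoted SYSCALL record and, when the `arch` field lacks the kernel's 64-bit flag, masks `a0`-`a3` to 32 bits and reports which arguments carried high bits. The function names are hypothetical, and treating the low 32 bits as the real argument is an assumption based on the bit-mode explanation in the message.

```python
import re

# __AUDIT_ARCH_64BIT from the kernel's audit.h: set in arch= for 64-bit ABIs.
AUDIT_ARCH_64BIT = 0x80000000
MASK32 = 0xFFFFFFFF

# Constructed sample: the record quoted in the message, joined onto one line
# and cut after the fields this example needs.
SAMPLE = ('type=SYSCALL msg=audit(1140022035.377:246959): arch=16 syscall=26 '
          'success=yes exit=0 a0=0 a1=0 a2=0 a3=20000000000 items=0 pid=5236 '
          'auid=500 uid=501 gid=501 comm="ptrace_test"')

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split an audit record into a dict of key -> string value."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def normalise_args(record):
    """Return (args, suspect).

    args maps a0..a3 to integers; for a 32-bit ABI each value is masked to
    32 bits (assumption: the upper half is stale register content).
    suspect lists the arguments whose logged value had bits above bit 31.
    """
    arch = int(record['arch'], 16)          # arch= is logged in hex
    is_64bit = bool(arch & AUDIT_ARCH_64BIT)
    args, suspect = {}, []
    for name in ('a0', 'a1', 'a2', 'a3'):
        raw = int(record[name], 16)         # a0..a3 are logged in hex
        if not is_64bit and raw > MASK32:
            suspect.append(name)
            raw &= MASK32
        args[name] = raw
    return args, suspect


if __name__ == '__main__':
    args, suspect = normalise_args(parse_record(SAMPLE))
    print('normalised:', args)
    print('logged with high bits set:', suspect)
```
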