Audit not recording the correct syscall return value in Fedora 10?

Paul Moore paul.moore at hp.com
Tue Apr 7 15:34:35 UTC 2009


While doing some testing on Fedora 10 using the 2.6.27.5-117.fc10.x86_64 
kernel I stumbled across a rather odd problem: somewhere between the end of 
sys_sendto() and audit_syscall_exit() the syscall's return value was changing 
resulting in incorrect audit records (similar problems with sys_sendmsg()).  
After some head scratching and debugging I determined that the %rax register 
was being altered at some point and if we reloaded the syscall's return value 
from the stack before calling audit_syscall_exit() we could avoid the problem 
(see patch below).

I also tried to reproduce the problem with a vanilla 2.6.29.1 kernel and after 
several hours of testing I have yet to see the problem using the newer, 
upstream kernel.  Taking a look at the entry_64.S files of the two kernels, 
there appear to be a number of changes, the most significant being the tracing 
changes, but I'm not familiar enough with this chunk of code to identify the 
definitive root cause (although tracing changes do sound reasonable).

Does anyone have any thoughts?

diff --git a/arch/x86/kernel/entry_64.S b/arch/x86/kernel/entry_64.S
index a331ec3..16db517 100644
--- a/arch/x86/kernel/entry_64.S
+++ b/arch/x86/kernel/entry_64.S
@@ -589,8 +589,8 @@ auditsys:
         * masked off.
         */
 sysret_audit:
-       movq %rax,%rsi          /* second arg, syscall return value */
-       cmpq $0,%rax            /* is it < 0? */
+       movq RAX-ARGOFFSET(%rsp),%rsi   /* second arg, syscall return value */
+       cmpq $0,%rsi                    /* is it < 0? */
        setl %al                /* 1 if so, 0 if not */
        movzbl %al,%edi         /* zero-extend that into %edi */
        inc %edi /* first arg, 0->1(AUDITSC_SUCCESS), 1->2(AUDITSC_FAILURE) */
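Review bot: the hunk works around the symptom without naming the clobberer; before this goes in, the code path between the syscall handler's return and sysret_audit that overwrites %rax should be identified, since anything else that consumes %rax on that path (the later sysret itself, for instance) would be equally affected and is not covered by reloading %rsi alone. Two smaller points: the new `movq RAX-ARGOFFSET(%rsp),%rsi` relies on the pt_regs RAX slot already holding the handler's return value when sysret_audit is reached, so the commit message or a comment should state where that store happens and why the stack copy, not the register, is authoritative; and the comment on `cmpq $0,%rsi` still reads `/* is it < 0? */` while the `setl %al` below now derives the AUDITSC_SUCCESS/AUDITSC_FAILURE flag from %rsi, so a one-line comment saying both the success flag and the exit value are now computed from the same reloaded copy would make the intent clear to the next reader.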

-- 
paul moore
linux @ hp