Re: Regression: audit: x86: drop arch from __audit_syscall_entry() interface

From: Thomas Gleixner
Date: Wed Oct 22 2014 - 17:36:13 EST


On Wed, 22 Oct 2014, Eric Paris wrote:

> That's really serious. Looking now.

Indeed its serious. And it's even more serious as this masterpiece of
assembly wreckage was pulled in via your tree w/o having an acked-by
one of the x86 maintainers.

> On Wed, 2014-10-22 at 16:08 -0200, Paulo Zanoni wrote:
> > commit b4f0d3755c5e9cc86292d5fd78261903b4f23d4a
> > Author: Richard Guy Briggs
> > Date: Tue Mar 4 10:38:06 2014 -0500
> > audit: x86: drop arch from __audit_syscall_entry() interface
> >
> > According to our QA, their i386 machine doesn't boot anymore. I tried
> > to write my own revert for the patch, asked QA to test, and they
> > confirmed it "solves" the problem.

diff --git a/arch/x86/kernel/entry_32.S b/arch/x86/kernel/entry_32.S
index 0d0c9d4ab6d5..f9e3fabc8716 100644
--- a/arch/x86/kernel/entry_32.S
+++ b/arch/x86/kernel/entry_32.S
@@ -449,12 +449,11 @@ sysenter_audit:
jnz syscall_trace_entry
addl $4,%esp
CFI_ADJUST_CFA_OFFSET -4
- /* %esi already in 8(%esp) 6th arg: 4th syscall arg */
- /* %edx already in 4(%esp) 5th arg: 3rd syscall arg */
- /* %ecx already in 0(%esp) 4th arg: 2nd syscall arg */
- movl %ebx,%ecx /* 3rd arg: 1st syscall arg */
- movl %eax,%edx /* 2nd arg: syscall number */
- movl $AUDIT_ARCH_I386,%eax /* 1st arg: audit arch */
+ movl %esi,4(%esp) /* 5th arg: 4th syscall arg */
+ movl %edx,(%esp) /* 4th arg: 3rd syscall arg */

Bilndly overwriting the stack which holds the syscall arguments is
really a brilliant way to ensure security.

Thanks,

tglx


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/