[PATCH v2] audit: do a quick exit when syscall number is less than 0

From: cgel . zte
Date: Sun Apr 03 2022 - 22:35:22 EST

Next message: Dongjin Yang: "[PATCH] dt-bindings: net: snps: remove duplicate name"
Previous message: Dong-Jin Yang: "Re: [PATCH] dt-bindings: net: snps: remove duplicate name"
Next in thread: Paul Moore: "Re: [PATCH v2] audit: do a quick exit when syscall number is less than 0"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Yang Yang <yang.yang29@xxxxxxxxxx>

Userspace may use syscall with syscall number less than 0 by calling
syscall(syscall_num,..). This kind of syscall could never be audited,
because auditctl requires rule with syscall number >=0. Therefore we
better do a quick handle no need to gohead with this situation.

Note that auditctl may set rules auditing invalid syscall with syscall
number bigger than NR_syscalls, to keep this mechanism working, we do
no more check(context->major bigger than NR_syscalls or not).

Signed-off-by: Yang Yang <yang.yang29@xxxxxxxxxx>
Reported-by: Zeal Robot <zealci@xxxxxxxxxx>
---
v2:
- cancel checking against NR_syscalls
---
kernel/auditsc.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index ea2ee1181921..79118c811853 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2077,7 +2077,8 @@ void __audit_syscall_exit(int success, long return_code)
struct audit_context *context = audit_context();

if (!context || context->dummy ||
- context->context != AUDIT_CTX_SYSCALL)
+ context->context != AUDIT_CTX_SYSCALL ||
+ unlikely(context->major < 0))
goto out;

/* this may generate CONFIG_CHANGE records */
--
2.25.1

Next message: Dongjin Yang: "[PATCH] dt-bindings: net: snps: remove duplicate name"
Previous message: Dong-Jin Yang: "Re: [PATCH] dt-bindings: net: snps: remove duplicate name"
Next in thread: Paul Moore: "Re: [PATCH v2] audit: do a quick exit when syscall number is less than 0"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]