From: Yiqi Sun <sunyiqixm@gmail.com>
To: linux-arm-kernel@lists.infradead.org, linux@armlinux.org.uk
Cc: ruanjinjie@huawei.com, will@kernel.org,
rmk+kernel@armlinux.org.uk, Yiqi Sun <sunyiqixm@gmail.com>
Subject: [PATCH] fix: arm: syscall: use live r0 for syscall_get_arguments() arg0
Date: Fri, 29 May 2026 14:53:02 +0800
Message-ID: <20260529065302.1335743-1-sunyiqixm@gmail.com>
On ARM 32-bit, seccomp obtains syscall arguments via
syscall_get_arguments(), where arg0 is currently read from
regs->ARM_ORIG_r0.

However, the actual syscall dispatch consumes live arguments from
regs->ARM_r0..ARM_r6 on the traced entry path after ptrace interaction.
Since ptrace can update pt_regs before seccomp, a tracer can create
ARM_r0 != ARM_ORIG_r0 so seccomp checks one value while the syscall runs
with another, allowing arg0-based policy bypass.

Make syscall_get_arguments() copy the live argument registers from
regs->ARM_r0..ARM_r5, matching what syscall dispatch actually uses and
removing this desynchronization.

Fixes: 0f3912fd934c ("arm/ptrace: run seccomp after ptrace")
Signed-off-by: Yiqi Sun <sunyiqixm@gmail.com>
---
arch/arm/include/asm/syscall.h | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/arch/arm/include/asm/syscall.h b/arch/arm/include/asm/syscall.h
index 574bbcc55382..809c86b5fd5a 100644
--- a/arch/arm/include/asm/syscall.h
+++ b/arch/arm/include/asm/syscall.h
@@ -96,10 +96,7 @@ static inline void syscall_get_arguments(struct task_struct *task,
struct pt_regs *regs,
unsigned long *args)
{
- args[0] = regs->ARM_ORIG_r0;
- args++;
-
- memcpy(args, ®s->ARM_r0 + 1, 5 * sizeof(args[0]));
+ memcpy(args, ®s->ARM_r0, 6 * sizeof(args[0]));
}
static inline void syscall_set_arguments(struct task_struct *task,
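Review bot: the replacement `memcpy(args, &regs->ARM_r0, 6 * sizeof(args[0]))` changes what every caller of syscall_get_arguments() observes, not only seccomp, while the commit message justifies the change only for the seccomp-after-ptrace entry path. ARM keeps ARM_ORIG_r0 because r0 is overwritten with the return value once the syscall returns (and the syscall is restarted from ORIG_r0), so a caller that reads the arguments on the exit side, e.g. at a ptrace syscall-exit stop, would now get the return value in args[0] instead of the original first argument. Please either enumerate the callers reached and state why live r0 is correct for each of them, or keep ARM_ORIG_r0 for the exit-side readers and use live r0 only on the entry path where dispatch actually reloads regs->ARM_r0..r6 after the tracer has run. Two smaller points: syscall_set_arguments() immediately below is cut off in this hunk, so confirm it writes regs->ARM_r0 rather than ARM_ORIG_r0 so that set and get round-trip through the same registers; and the subject prefix should follow the arch convention (`ARM: syscall:` rather than `fix: arm: syscall:`). The `®s` shown in the lines above is `&regs` mangled by entity rendering in this archive view, not part of the patch itself.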
--
2.34.1