* [PATCH] fix: arm64: syscall: use live x0 for syscall_get_arguments() arg0
@ 2026-05-29 6:54 Yiqi Sun
2026-06-01 12:43 ` Will Deacon
0 siblings, 1 reply; 3+ messages in thread
From: Yiqi Sun @ 2026-05-29 6:54 UTC (permalink / raw)
To: catalin.marinas, linux-arm-kernel
Cc: linux-kernel, rmk+kernel, ruanjinjie, will, Yiqi Sun
On arm64, seccomp obtains syscall arguments via syscall_get_arguments(),
where arg0 is currently read from regs->orig_x0. However, the syscall
wrapper consumes live arguments from regs->regs[0..5].
A ptracer can modify x0 on syscall-enter stop before seccomp runs,
but cannot update orig_x0 through that interface. This can
leave seccomp checking stale arg0 while the syscall executes with updated
live x0, allowing seccomp bypass when filters depend on arg0.
Make syscall_get_arguments() read arg0 from regs->regs[0], matching the
actual dispatch arguments and removing this desynchronization.
Fixes: f27bb139c387 ("arm64: Miscellaneous library functions")
Signed-off-by: Yiqi Sun <sunyiqixm@gmail•com>
---
arch/arm64/include/asm/syscall.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/include/asm/syscall.h b/arch/arm64/include/asm/syscall.h
index 5e4c7fc44f73..4bdb4d3ce2b4 100644
--- a/arch/arm64/include/asm/syscall.h
+++ b/arch/arm64/include/asm/syscall.h
@@ -81,7 +81,7 @@ static inline void syscall_get_arguments(struct task_struct *task,
struct pt_regs *regs,
unsigned long *args)
{
- args[0] = regs->orig_x0;
+ args[0] = regs->regs[0];
args[1] = regs->regs[1];
args[2] = regs->regs[2];
args[3] = regs->regs[3];
--
2.34.1
^ permalink raw reply related [flat|nested] 3+ messages in thread* Re: [PATCH] fix: arm64: syscall: use live x0 for syscall_get_arguments() arg0 2026-05-29 6:54 [PATCH] fix: arm64: syscall: use live x0 for syscall_get_arguments() arg0 Yiqi Sun @ 2026-06-01 12:43 ` Will Deacon 2026-06-03 9:07 ` Yiqi Sun 0 siblings, 1 reply; 3+ messages in thread From: Will Deacon @ 2026-06-01 12:43 UTC (permalink / raw) To: Yiqi Sun Cc: catalin.marinas, linux-arm-kernel, linux-kernel, rmk+kernel, ruanjinjie, mark.rutland, kees, keno, luis.machado On Fri, May 29, 2026 at 02:54:44PM +0800, Yiqi Sun wrote: > On arm64, seccomp obtains syscall arguments via syscall_get_arguments(), > where arg0 is currently read from regs->orig_x0. However, the syscall > wrapper consumes live arguments from regs->regs[0..5]. > > A ptracer can modify x0 on syscall-enter stop before seccomp runs, > but cannot update orig_x0 through that interface. This can > leave seccomp checking stale arg0 while the syscall executes with updated > live x0, allowing seccomp bypass when filters depend on arg0. > > Make syscall_get_arguments() read arg0 from regs->regs[0], matching the > actual dispatch arguments and removing this desynchronization. > > Fixes: f27bb139c387 ("arm64: Miscellaneous library functions") > Signed-off-by: Yiqi Sun <sunyiqixm@gmail•com> > --- > arch/arm64/include/asm/syscall.h | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/arch/arm64/include/asm/syscall.h b/arch/arm64/include/asm/syscall.h > index 5e4c7fc44f73..4bdb4d3ce2b4 100644 > --- a/arch/arm64/include/asm/syscall.h > +++ b/arch/arm64/include/asm/syscall.h > @@ -81,7 +81,7 @@ static inline void syscall_get_arguments(struct task_struct *task, > struct pt_regs *regs, > unsigned long *args) > { > - args[0] = regs->orig_x0; > + args[0] = regs->regs[0]; > args[1] = regs->regs[1]; > args[2] = regs->regs[2]; > args[3] = regs->regs[3]; > -- > 2.34.1 Hrm, this looks like a long-standing issue and I'm pretty nervous about changing it :/ How did you spot it? A quick look at the code suggests we have a similar issue with audit_syscall_entry(), so if we take your patch here then it will silently introduce a behavioural change to this guy: https://lore.kernel.org/all/20260320102620.1336796-5-ruanjinjie@huawei.com/ I also notice that the compat ptrace interface allows 'orig_x0' to be set -- could that cause issues with things like syscall_rollback()? Will ^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: Re: [PATCH] fix: arm64: syscall: use live x0 for syscall_get_arguments() arg0 2026-06-01 12:43 ` Will Deacon @ 2026-06-03 9:07 ` Yiqi Sun 0 siblings, 0 replies; 3+ messages in thread From: Yiqi Sun @ 2026-06-03 9:07 UTC (permalink / raw) To: will Cc: catalin.marinas, kees, keno, linux-arm-kernel, linux-kernel, luis.machado, mark.rutland, rmk+kernel, ruanjinjie, sunyiqixm On Mon, 1 Jun 2026 13:43:42 +0100, Well wrote: > On Fri, May 29, 2026 at 02:54:44PM +0800, Yiqi Sun wrote: > > On arm64, seccomp obtains syscall arguments via syscall_get_arguments(), > > where arg0 is currently read from regs->orig_x0. However, the syscall > > wrapper consumes live arguments from regs->regs[0..5]. > > > > A ptracer can modify x0 on syscall-enter stop before seccomp runs, > > but cannot update orig_x0 through that interface. This can > > leave seccomp checking stale arg0 while the syscall executes with updated > > live x0, allowing seccomp bypass when filters depend on arg0. > > > > Make syscall_get_arguments() read arg0 from regs->regs[0], matching the > > actual dispatch arguments and removing this desynchronization. > > > > Fixes: f27bb139c387 ("arm64: Miscellaneous library functions") > > Signed-off-by: Yiqi Sun <sunyiqixm@gmail•com> > > --- > > arch/arm64/include/asm/syscall.h | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/arch/arm64/include/asm/syscall.h b/arch/arm64/include/asm/syscall.h > > index 5e4c7fc44f73..4bdb4d3ce2b4 100644 > > --- a/arch/arm64/include/asm/syscall.h > > +++ b/arch/arm64/include/asm/syscall.h > > @@ -81,7 +81,7 @@ static inline void syscall_get_arguments(struct task_struct *task, > > struct pt_regs *regs, > > unsigned long *args) > > { > > - args[0] = regs->orig_x0; > > + args[0] = regs->regs[0]; > > args[1] = regs->regs[1]; > > args[2] = regs->regs[2]; > > args[3] = regs->regs[3]; > > -- > > 2.34.1 > > Hrm, this looks like a long-standing issue and I'm pretty nervous about > changing it :/ > > How did you spot it? I share your concern here, and I’m trying to be very careful with any behavior change. I spotted this while comparing seccomp+ptrace ordering across arches. I had previously looked at x86/x86_64 (including the seccomp/ptrace ordering fix from more than 10 years ago), and then checked whether other arches like arm64 had the same issue. > A quick look at the code suggests we have a similar issue with > audit_syscall_entry(), so if we take your patch here then it will silently > introduce a behavioural change to this guy: > > https://lore.kernel.org/all/20260320102620.1336796-5-ruanjinjie@huawei.com/ > > I also notice that the compat ptrace interface allows 'orig_x0' to be > set -- could that cause issues with things like syscall_rollback()? > Will You are right that on arm64, audit_syscall_entry() still takes arg0 from orig_x0, so taking only this seccomp fix would diverge seccomp and audit semantics. I also checked syscall_rollback(): on arm64 it restores regs[0] from orig_x0, and orig_x0 is captured at syscall entry before the ptrace syscall-stop hook. So rollback normally returns to the syscall-entry state (i.e. pre-ptrace argument value), which does not look like a new security issue by itself. compat ptrace can explicitly write orig_x0, but that is existing tracer-controlled behavior and does not, by itself, cross a new security boundary introduced by this patch. If you agree, I can send a follow-up later so seccomp/audit stay consistent. Yiqi Sun ^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2026-06-03 9:07 UTC | newest] Thread overview: 3+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2026-05-29 6:54 [PATCH] fix: arm64: syscall: use live x0 for syscall_get_arguments() arg0 Yiqi Sun 2026-06-01 12:43 ` Will Deacon 2026-06-03 9:07 ` Yiqi Sun
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox