On Sun, Jan 31, 2021 at 3:18 PM Kyle Huey <m...@kylehuey.com> wrote: > > The key to triggering this bug is to enter a ptrace syscall stop and > then use PTRACE_SINGLESTEP to exit it. On a good kernel this will not > result in any userspace code execution in the tracee because on the > way out of the kernel's syscall handling path the singlestep trap will > be raised immediately. On a bad kernel that stop will not be raised, > and in the example below, the program will crash.
Thanks, great explanation, and I can certainly see the behavior you mention. I wonder if the simple solution is to just (a) always set one of the SYSCALL_WORK_EXIT bits on the child in ptrace (exactly to catch the child on system call exit) (b) basically revert 299155244770 ("entry: Drop usage of TIF flags in the generic syscall code") and have the syscall exit code check the TIF_SINGLESTEP flag Hmm? Linus