git: 8b11e7df3a62 - releng/14.3 - kern: fix auditing of ptrace(2) syscall requests

From: Mark Johnston <markj_at_FreeBSD.org>
Date: Tue, 30 Jun 2026 17:20:38 UTC
The branch releng/14.3 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=8b11e7df3a62de6469d6d265d3e68b59763d82f4

commit 8b11e7df3a62de6469d6d265d3e68b59763d82f4
Author:     Kyle Evans <kevans@FreeBSD.org>
AuthorDate: 2026-06-25 17:02:47 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2026-06-30 02:32:02 +0000

    kern: fix auditing of ptrace(2) syscall requests
    
    `error` here is the return value of syscall_thread_enter() rather than
    the syscall itself, so the committed audit records do not reflect
    reality.  This is less harmful than them recording an error when the
    operation actually succeeded, but it could still possibly be used to
    throw off IDS techniques with things like bsmtrace.
    
    Approved by:    so
    Security:       FreeBSD-SA-26:45.audit
    Security:       CVE-2026-49426
    Reviewed by:    des, kib, markj, csjp
    Differential Revision:  https://reviews.freebsd.org/D57847
---
 sys/kern/kern_sig.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sys/kern/kern_sig.c b/sys/kern/kern_sig.c
index eda533d73522..41bedf2c1972 100644
--- a/sys/kern/kern_sig.c
+++ b/sys/kern/kern_sig.c
@@ -2764,7 +2764,7 @@ ptrace_syscallreq(struct thread *td, struct proc *p,
 	td->td_errno = nerror;
 
 	if (audited)
-		AUDIT_SYSCALL_EXIT(error, td);
+		AUDIT_SYSCALL_EXIT(tsr->ts_ret.sr_error, td);
 	if (!sy_thr_static)
 		syscall_thread_exit(td, se);
 }