git: d68c2e77d70c - releng/14.4 - kern: fix auditing of ptrace(2) syscall requests
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Tue, 30 Jun 2026 17:21:05 UTC
The branch releng/14.4 has been updated by markj:
URL: https://cgit.FreeBSD.org/src/commit/?id=d68c2e77d70c81d51c27120baffcfe3ebbd4c849
commit d68c2e77d70c81d51c27120baffcfe3ebbd4c849
Author: Kyle Evans <kevans@FreeBSD.org>
AuthorDate: 2026-06-25 17:02:47 +0000
Commit: Mark Johnston <markj@FreeBSD.org>
CommitDate: 2026-06-29 19:17:30 +0000
kern: fix auditing of ptrace(2) syscall requests
`error` here is the return value of syscall_thread_enter() rather than
the syscall itself, so the committed audit records do not reflect
reality. This is less harmful than them recording an error when the
operation actually succeeded, but it could still possibly be used to
throw off IDS techniques with things like bsmtrace.
Approved by: so
Security: FreeBSD-SA-26:45.audit
Security: CVE-2026-49426
Reviewed by: des, kib, markj, csjp
Differential Revision: https://reviews.freebsd.org/D57847
---
sys/kern/kern_sig.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sys/kern/kern_sig.c b/sys/kern/kern_sig.c
index 7f399586f639..88c93b98b646 100644
--- a/sys/kern/kern_sig.c
+++ b/sys/kern/kern_sig.c
@@ -2779,7 +2779,7 @@ ptrace_syscallreq(struct thread *td, struct proc *p,
td->td_errno = nerror;
if (audited)
- AUDIT_SYSCALL_EXIT(error, td);
+ AUDIT_SYSCALL_EXIT(tsr->ts_ret.sr_error, td);
if (!sy_thr_static)
syscall_thread_exit(td, se);
}