Comment 8 for bug 1302605

Margarita Manterola (marga-9) wrote : Re: Calls to /libx32/ld-linux-x32.so.2 hang

When you get the necessary behavior for this to hang, it hangs at the brk call. You can see this by running strace -f ldd /bin/busybox (as an example):

[pid 4738] execve("/libx32/ld-linux-x32.so.2", ["/libx32/ld-linux-x32.so.2"], [/* 20 vars */]) = 0
[ Process PID=4738 runs in x32 mode. ]
[pid 4738] brk(0

I'm also attaching the disassembled code and the function that breaks. The specific line is:

0xffffffff810fcdd0 <+144>: mov 0x30(%rbx,%r15,4),%eax

Values of the mentioned registers:

RBX: ffff8800dd446600
R15: 0000000002000000
Value of the faulty result: ffff8800e5446630

Result = RBX + 4*R15 + 0x30

And this corresponds to this memory access in audit_filter_syscall:

    if ((e->rule.mask[word] & bit) == bit &&

After much staring at the code and the registers, we believe that the problem is that word is R15 and it's too large. It comes from:

  int word = AUDIT_WORD(ctx->major);

And it's supposed to be the syscall number that is being executed. The assembly code that adds the auditing does not seem to take into account the 32-bit nature of this value.
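The arithmetic behind the register values above, as an added example that is not part of the bug report or of the kernel source. The AUDIT_WORD/AUDIT_BIT macros, AUDIT_BITMASK_SIZE and the x32 syscall marker bit (0x40000000) are copied here from the kernel's uapi headers as I know them; the bounds check and the "strip the marker bit before indexing" helper are an assumed mitigation for illustration only, not the fix that was actually applied. The example shows that an x32 syscall number carrying the marker bit yields a word index of 0x2000000, far beyond the 64-word rule mask, and reproduces the faulty address from RBX and R15.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Mirrors include/uapi/linux/audit.h: rule masks are 64 words of 32 bits. */
#define AUDIT_BITMASK_SIZE 64
#define AUDIT_WORD(nr) ((uint32_t)((nr) / 32))
#define AUDIT_BIT(nr)  (1u << ((nr) - AUDIT_WORD(nr) * 32))

/* Mirrors arch/x86/include/uapi/asm/unistd.h: x32 syscalls have this bit set. */
#define X32_SYSCALL_BIT 0x40000000u

/* brk is syscall 12 on x86_64 and x32 (x32 adds the marker bit). */
#define NR_brk 12u

struct audit_rule_mask {
    uint32_t mask[AUDIT_BITMASK_SIZE];
};

/* Word index the filter would compute for a given ctx->major. */
uint32_t audit_word_for(uint32_t major)
{
    return AUDIT_WORD(major);
}

/* Does that index stay inside the mask array? */
bool audit_word_in_bounds(uint32_t major)
{
    return AUDIT_WORD(major) < AUDIT_BITMASK_SIZE;
}

/* Hypothetical mitigation: drop the x32 marker before indexing the mask. */
uint32_t strip_x32_marker(uint32_t major)
{
    return major & ~X32_SYSCALL_BIT;
}

/* Bounds-checked version of the mask test from audit_filter_syscall.
 * Returns 0 and sets *matched on success, -1 if the index is out of range. */
int audit_rule_matches(const struct audit_rule_mask *r, uint32_t major, bool *matched)
{
    uint32_t word = AUDIT_WORD(major);
    uint32_t bit  = AUDIT_BIT(major);
    if (word >= AUDIT_BITMASK_SIZE)
        return -1;                       /* would have been the oops */
    *matched = (r->mask[word] & bit) == bit;
    return 0;
}

/* Address computed by: mov 0x30(%rbx,%r15,4),%eax */
uint64_t faulty_address(uint64_t rbx, uint64_t r15)
{
    return rbx + 4 * r15 + 0x30;
}

int main(void)
{
    uint32_t major = X32_SYSCALL_BIT | NR_brk;   /* x32 brk as seen by audit */
    struct audit_rule_mask rule = { { 0 } };
    bool matched = false;

    printf("word index for x32 brk: 0x%x (in bounds: %d)\n",
           audit_word_for(major), audit_word_in_bounds(major));
    printf("faulty address: 0x%llx\n",
           (unsigned long long)faulty_address(0xffff8800dd446600ULL, 0x2000000ULL));
    printf("unchecked lookup would fault: %d\n",
           audit_rule_matches(&rule, major, &matched) == -1);

    /* With the marker stripped, the lookup lands on word 0, bit 12. */
    rule.mask[0] = AUDIT_BIT(NR_brk);
    audit_rule_matches(&rule, strip_x32_marker(major), &matched);
    printf("after stripping marker, rule matches brk: %d\n", matched);
    return 0;
}
```

Note that the index 0x2000000 is exactly 0x40000000 / 32, i.e. the marker bit alone drives the out-of-range access; the actual syscall number (12) only affects which bit inside the word is tested.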