When you get the necessary behavior for this to hang, it hangs at the brk call. You can see this by running strace -f ldd /bin/busybox (as an example):
[pid 4738] execve("/libx32/ld-linux-x32.so.2", ["/libx32/ld-linux-x32.so.2"], [/* 20 vars */]) = 0
[ Process PID=4738 runs in x32 mode. ]
[pid 4738] brk(0
I'm also attaching the disassembled code and the function that breaks. The specific line is:
0xffffffff810fcdd0 <+144>: mov 0x30(%rbx,%r15,4),%eax
Values of the mentioned registers:
RBX: ffff8800dd446600
R15: 0000000002000000
Value of the faulty result: ffff8800e5446630
Result = RBX + 4*R15 + 0x30
And this corresponds to this memory access in audit_filter_syscall:
if ((e->rule.mask[word] & bit) == bit &&
After much staring at the code and the registers, we believe that the problem is that word is R15 and it's too large. It comes from:
int word = AUDIT_WORD(ctx->major);
And it's supposed to be the syscall number that is being executed. The assembly code that adds the auditing does not seem to take into account the 32-bit nature of this value.
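As an added example (not part of the report or of the kernel source), the following C program reproduces the index arithmetic behind the faulty access using the AUDIT_WORD/AUDIT_BIT definitions from the kernel UAPI headers. It assumes the value reaching the filter is the raw x32 syscall number with __X32_SYSCALL_BIT (0x40000000) still set, which reproduces the R15 value and the faulty address quoted above; the 0x30 offset of mask[] and the bounds-checked lookup are illustrative, not the kernel's code.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Definitions as found in include/uapi/linux/audit.h and
 * arch/x86/include/uapi/asm/unistd.h. */
#define AUDIT_BITMASK_SIZE 64
#define AUDIT_WORD(nr) ((uint32_t)((nr) / 32))
#define AUDIT_BIT(nr)  (1 << ((nr) - AUDIT_WORD(nr) * 32))
#define __X32_SYSCALL_BIT 0x40000000
#define NR_brk 12   /* brk is syscall 12 on x86-64; x32 reuses the number */

/* Stand-in for the rule whose mask[] audit_filter_syscall indexes. */
struct fake_rule { uint32_t mask[AUDIT_BITMASK_SIZE]; };

/* Byte offset that "mov 0x30(%rbx,%r15,4)" reads relative to %rbx when
 * %r15 holds `word`. The 0x30 mask[] offset is taken from the disassembly
 * in the report and is an assumption here, not a kernel layout guarantee. */
static uint64_t mask_access_offset(uint32_t major)
{
    return 0x30 + 4ULL * AUDIT_WORD(major);
}

/* Address the faulty access lands on for a given %rbx and syscall number. */
static uint64_t faulty_address(uint64_t rbx, uint32_t major)
{
    return rbx + mask_access_offset(major);
}

/* 1 if the unmasked number indexes inside mask[], 0 if it runs past it. */
static int raw_word_in_bounds(uint32_t major)
{
    return AUDIT_WORD(major) < AUDIT_BITMASK_SIZE;
}

/* Hardened lookup (illustrative): drop the ABI marker bit before deriving
 * the word, and refuse out-of-range indexes instead of reading past the
 * array. Returns 1 on match, 0 on no match, -1 if the index is invalid. */
static int rule_matches_syscall(const struct fake_rule *r, uint32_t major)
{
    uint32_t nr = major & ~__X32_SYSCALL_BIT;
    uint32_t word = AUDIT_WORD(nr), bit = AUDIT_BIT(nr);
    if (word >= AUDIT_BITMASK_SIZE)
        return -1;
    return (r->mask[word] & bit) == bit;
}

int main(void)
{
    uint32_t x32_brk = __X32_SYSCALL_BIT | NR_brk;
    printf("word=0x%x offset=0x%llx addr=0x%llx\n", AUDIT_WORD(x32_brk),
           (unsigned long long)mask_access_offset(x32_brk),
           (unsigned long long)faulty_address(0xffff8800dd446600ULL, x32_brk));
    return 0;
}
```

Run stand-alone, the program prints word=0x2000000, the R15 value from the report, and the faulty address 0xffff8800e5446630, so a raw x32 number indexes 128 MiB past the rule's mask array.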