[PATCH] fix: arm: syscall: use live r0 for syscall_get_arguments() arg0

Yiqi Sun sunyiqixm at gmail.com
Thu May 28 23:53:02 PDT 2026


On ARM 32-bit, seccomp obtains syscall arguments via
syscall_get_arguments(), where arg0 is currently read from
regs->ARM_ORIG_r0.

However, the actual syscall dispatch consumes live arguments from
regs->ARM_r0..ARM_r6 on the traced entry path after ptrace interaction.
Since ptrace can update pt_regs before seccomp, a tracer can create
ARM_r0 != ARM_ORIG_r0 so seccomp checks one value while the syscall runs
with another, allowing arg0-based policy bypass.

Make syscall_get_arguments() copy the live argument registers from
regs->ARM_r0..ARM_r5, matching what syscall dispatch actually uses and
removing this desynchronization.

Fixes: 0f3912fd934c ("arm/ptrace: run seccomp after ptrace")
Signed-off-by: Yiqi Sun <sunyiqixm at gmail.com>
---
 arch/arm/include/asm/syscall.h | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/arch/arm/include/asm/syscall.h b/arch/arm/include/asm/syscall.h
index 574bbcc55382..809c86b5fd5a 100644
--- a/arch/arm/include/asm/syscall.h
+++ b/arch/arm/include/asm/syscall.h
@@ -96,10 +96,7 @@ static inline void syscall_get_arguments(struct task_struct *task,
 					 struct pt_regs *regs,
 					 unsigned long *args)
 {
-	args[0] = regs->ARM_ORIG_r0;
-	args++;
-
-	memcpy(args, &regs->ARM_r0 + 1, 5 * sizeof(args[0]));
+	memcpy(args, &regs->ARM_r0, 6 * sizeof(args[0]));
 }
 
 static inline void syscall_set_arguments(struct task_struct *task,
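Review bot: The added `memcpy(args, &regs->ARM_r0, 6 * sizeof(args[0]));` changes the source of arg0 for every caller of syscall_get_arguments(), not only seccomp, and the function is left with no comment saying why ARM_ORIG_r0 is no longer read. On ARM, r0 also carries the syscall return value, so any caller that runs after r0 has been overwritten would now see the return value as arg0; please state in the changelog which callers were checked, and add a short comment above the memcpy() recording that the live registers are used because they are what dispatch consumes. The changelog is also inconsistent about the range: it says dispatch uses ARM_r0..ARM_r6 in one paragraph and ARM_r0..ARM_r5 in the next, while the copy here is six words, which is r0 through r5.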
-- 
2.34.1



