Fix big-endian byte order for 64-bit argument comparisons#44
Merged
robertswiecki merged 1 commit intogoogle:masterfrom Apr 4, 2026
Merged
Conversation
The ARG_LOW and ARG_HIGH macros in codegen.c assumed little-endian byte order, placing the low 32-bit word of a 64-bit syscall argument at the base offset and the high word at base + 4. On big-endian architectures (MIPS, MIPS64, M68K), the word order is reversed: the high word is at the base offset and the low word is at base + 4. This caused seccomp BPF filters with 64-bit argument comparisons to check the wrong word halves on big-endian targets, potentially allowing syscalls through that should have been blocked. The fix detects big-endian targets at compile time using the __AUDIT_ARCH_LE flag (0x40000000) from the audit architecture value and swaps the word offsets accordingly.
Collaborator
|
Thank you! BE ftw! :) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The
ARG_LOWandARG_HIGHmacros incodegen.cassume little-endian byte order when loading 32-bit words from 64-bitseccomp_data.args[]entries. On big-endian targets (MIPS, MIPS64, M68K), the high and low 32-bit words within a 64-bit value are stored in the opposite order, causing the generated BPF to compare the wrong halves.This means seccomp policies using 64-bit argument comparisons produce incorrect BPF filters on big-endian architectures, where a filter intended to match
arg == 0x0000000100000000would instead matcharg == 0x00000001.Fix
Use the
__AUDIT_ARCH_LEflag (0x40000000) from the audit architecture value to detect big-endian targets at compile time and swap the word offsets inARG_LOW/ARG_HIGHaccordingly.Testing
All 32 core tests pass (3 include-file test failures are pre-existing and unrelated).