bugzilla-daemon at bugzilla.mindrot.org
2019-Oct-31 01:02 UTC
[Bug 3085] New: seccomp issue after upgrading openssl
https://bugzilla.mindrot.org/show_bug.cgi?id=3085 Bug ID: 3085 Summary: seccomp issue after upgrading openssl Product: Portable OpenSSH Version: 8.1p1 Hardware: Other OS: Linux Status: NEW Severity: critical Priority: P5 Component: sshd Assignee: unassigned-bugs at mindrot.org Reporter: brunni at netestate.de hi after upgrading openssl from 1.0.2p to 1.1.1d and recompiling my previously working version of openssh-8.1p1, I suddenly cannot connect any more: debug1: SSH2_MSG_KEXINIT sent Connection reset by 81.209.177.7 port 1111 The server side looks like this: Connection from 81.209.177.119 port 55768 on 81.209.177.7 port 1111 debug1: Local version string SSH-2.0-OpenSSH_8.1 debug1: Remote protocol version 2.0, remote software version OpenSSH_8.1 debug1: match: OpenSSH_8.1 pat OpenSSH* compat 0x04000000 debug2: fd 3 setting O_NONBLOCK debug3: ssh_sandbox_init: preparing seccomp filter sandbox debug2: Network child is on pid 17293 debug3: preauth child monitor started debug3: privsep user:group 39:38 [preauth] debug1: permanently_set_uid: 39/38 [preauth] debug3: ssh_sandbox_child: setting PR_SET_NO_NEW_PRIVS [preauth] debug3: ssh_sandbox_child: attaching seccomp filter program [preauth] debug1: monitor_read_log: child log fd closed debug3: mm_request_receive entering debug1: do_cleanup debug1: Killing privsep child 17293 Adding --with-sandbox=rlimit to the configure options solved the problem so it must be related to the seccomp sandbox. I know there have been fixes to it regarding openssl. Is it possible that there are still issues? I have Linux Kernel 4.9.195 with glibc 2.30 and gcc 7.3.0. -- You are receiving this mail because: You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2019-Oct-31 02:04 UTC
[Bug 3085] seccomp issue after upgrading openssl
https://bugzilla.mindrot.org/show_bug.cgi?id=3085 Darren Tucker <dtucker at dtucker.net> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |dtucker at dtucker.net --- Comment #1 from Darren Tucker <dtucker at dtucker.net> ---> Is it possible that there are still issues?it's possible, but it depends on many variables. If you build with ./configure --with-sandbox=seccomp_filter --with-cflags=-DSANDBOX_SECCOMP_FILTER_DEBUG then connect to it you should get a log message with the syscall that's being denied (but note that the resulting binary is not signal safe, so do not deploy it in production). -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2019-Oct-31 02:28 UTC
[Bug 3085] seccomp issue after upgrading openssl
https://bugzilla.mindrot.org/show_bug.cgi?id=3085 --- Comment #2 from brunni at netestate.de --- It won't compile with --with-cflags=-DSANDBOX_SECCOMP_FILTER_DEBUG Kernel headers in /usr/include are from 4.9.195 - it looks like ggc does not like them? cc -g -O2 -pipe -Wno-error=format-truncation -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -DSANDBOX_SECCOMP_FILTER_DEBUG -fPIE -I. -I. -I/usr/lib/ssl/include -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -DSSHDIR=\"/etc\" -D_PATH_SSH_PROGRAM=\"/tmp/openssh/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/tmp/openssh/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/tmp/openssh/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/tmp/openssh/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/tmp/openssh/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c sandbox-seccomp-filter.c -o sandbox-seccomp-filter.o In file included from /usr/include/bits/types/siginfo_t.h:6:0, from /usr/include/signal.h:57, from /usr/include/sys/param.h:28, from includes.h:26, from sandbox-seccomp-filter.c:38: /usr/include/bits/types/__sigval_t.h:24:7: error: redefinition of 'union sigval' union sigval ^~~~~~ In file included from /usr/include/asm/siginfo.h:14:0, from sandbox-seccomp-filter.c:32: /usr/include/asm-generic/siginfo.h:7:15: note: originally defined here typedef union sigval { ^~~~~~ /usr/include/bits/types/siginfo_t.h:58:14: error: expected ':', ',', ';', '}' or '__attribute__' before '.' token __pid_t si_pid; /* Sending process ID. */ ^ /usr/include/bits/types/siginfo_t.h:65:10: error: expected ':', ',', ';', '}' or '__attribute__' before '.' token int si_tid; /* Timer ID. */ ^ /usr/include/bits/types/siginfo_t.h:73:14: error: expected ':', ',', ';', '}' or '__attribute__' before '.' token __pid_t si_pid; /* Sending process ID. */ ^ /usr/include/bits/types/siginfo_t.h:81:14: error: expected ':', ',', ';', '}' or '__attribute__' before '.' token __pid_t si_pid; /* Which child. */ ^ /usr/include/bits/types/siginfo_t.h:91:12: error: expected ':', ',', ';', '}' or '__attribute__' before '.' token void *si_addr; /* Faulting insn/memory ref. */ ^ /usr/include/bits/types/siginfo_t.h:110:21: error: expected ':', ',', ';', '}' or '__attribute__' before '.' token __SI_BAND_TYPE si_band; /* Band event for SIGPOLL. */ ^ In file included from /usr/include/signal.h:57:0, from /usr/include/sys/param.h:28, from includes.h:26, from sandbox-seccomp-filter.c:38: /usr/include/bits/types/siginfo_t.h:124:5: error: conflicting types for 'siginfo_t' } siginfo_t __SI_ALIGNMENT; ^~~~~~~~~ In file included from /usr/include/asm/siginfo.h:14:0, from sandbox-seccomp-filter.c:32: /usr/include/asm-generic/siginfo.h:118:24: note: previous declaration of 'siginfo_t' was here } __ARCH_SI_ATTRIBUTES siginfo_t; ^~~~~~~~~ /usr/include/bits/siginfo-consts.h:38:3: error: expected identifier before '-' token SI_DETHREAD = -7, /* Sent by execve killing subsidiary ^ /usr/include/bits/siginfo-consts.h:73:3: error: expected identifier before '(' token ILL_ILLOPC = 1, /* Illegal opcode. */ ^ /usr/include/bits/siginfo-consts.h:96:3: error: expected identifier before '(' token FPE_INTDIV = 1, /* Integer divide by zero. */ ^ /usr/include/bits/siginfo-consts.h:121:3: error: expected identifier before '(' token SEGV_MAPERR = 1, /* Address not mapped to object. */ ^ /usr/include/bits/siginfo-consts.h:140:3: error: expected identifier before '(' token BUS_ADRALN = 1, /* Invalid address alignment. */ ^ /usr/include/bits/siginfo-consts.h:157:3: error: expected identifier before '(' token TRAP_BRKPT = 1, /* Process breakpoint. */ ^ /usr/include/bits/siginfo-consts.h:174:3: error: expected identifier before '(' token CLD_EXITED = 1, /* Child has exited. */ ^ /usr/include/bits/siginfo-consts.h:191:3: error: expected identifier before '(' token POLL_IN = 1, /* Data input available. */ ^ In file included from /usr/include/signal.h:62:0, from /usr/include/sys/param.h:28, from includes.h:26, from sandbox-seccomp-filter.c:38: /usr/include/bits/types/sigval_t.h:16:20: error: conflicting types for 'sigval_t' typedef __sigval_t sigval_t; ^~~~~~~~ In file included from /usr/include/asm/siginfo.h:14:0, from sandbox-seccomp-filter.c:32: /usr/include/asm-generic/siginfo.h:10:3: note: previous declaration of 'sigval_t' was here } sigval_t; ^~~~~~~~ In file included from /usr/include/signal.h:66:0, from /usr/include/sys/param.h:28, from includes.h:26, from sandbox-seccomp-filter.c:38: /usr/include/bits/types/sigevent_t.h:22:16: error: redefinition of 'struct sigevent' typedef struct sigevent ^~~~~~~~ In file included from /usr/include/asm/siginfo.h:14:0, from sandbox-seccomp-filter.c:32: /usr/include/asm-generic/siginfo.h:290:16: note: originally defined here typedef struct sigevent { ^~~~~~~~ In file included from /usr/include/signal.h:66:0, from /usr/include/sys/param.h:28, from includes.h:26, from sandbox-seccomp-filter.c:38: /usr/include/bits/types/sigevent_t.h:42:5: error: conflicting types for 'sigevent_t' } sigevent_t; ^~~~~~~~~~ In file included from /usr/include/asm/siginfo.h:14:0, from sandbox-seccomp-filter.c:32: /usr/include/asm-generic/siginfo.h:303:3: note: previous declaration of 'sigevent_t' was here } sigevent_t; ^~~~~~~~~~ /usr/include/bits/sigevent-consts.h:29:3: error: expected identifier before numeric constant SIGEV_SIGNAL = 0, /* Notify via signal. */ ^ make: *** [Makefile:166: sandbox-seccomp-filter.o] Error 1 -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2019-Oct-31 02:54 UTC
[Bug 3085] seccomp issue after upgrading openssl
https://bugzilla.mindrot.org/show_bug.cgi?id=3085 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |djm at mindrot.org Blocks| |2988 Severity|critical |major --- Comment #3 from Damien Miller <djm at mindrot.org> --- Please try -current, or cherry-pick this commit: commit 3ef92a657444f172b61f92d5da66d94fa8265602 Author: Lonnie Abelbeck <lonnie at abelbeck.com> Date: Tue Oct 1 09:05:09 2019 -0500 Deny (non-fatal) shmget/shmat/shmdt in preauth privsep child. New wait_random_seeded() function on OpenSSL 1.1.1d uses shmget, shmat, and shmdt in the preauth codepath, deny (non-fatal) in seccomp_filter sandbox. Referenced Bugs: https://bugzilla.mindrot.org/show_bug.cgi?id=2988 [Bug 2988] Tracking bug for 8.1 release -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2019-Oct-31 03:57 UTC
[Bug 3085] seccomp issue after upgrading openssl
https://bugzilla.mindrot.org/show_bug.cgi?id=3085 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks|2988 |3079 Referenced Bugs: https://bugzilla.mindrot.org/show_bug.cgi?id=2988 [Bug 2988] Tracking bug for 8.1 release https://bugzilla.mindrot.org/show_bug.cgi?id=3079 [Bug 3079] Tracking bug for 8.2 release -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2019-Oct-31 08:26 UTC
[Bug 3085] seccomp issue after upgrading openssl
https://bugzilla.mindrot.org/show_bug.cgi?id=3085 --- Comment #4 from brunni at netestate.de --- (In reply to Damien Miller from comment #3)> Please try -current, or cherry-pick this commit: > > commit 3ef92a657444f172b61f92d5da66d94fa8265602I am using the latest release and that commit is part of my source: #ifdef __NR_stat64 SC_DENY(__NR_stat64, EACCES), #endif #ifdef __NR_shmget SC_DENY(__NR_shmget, EACCES), #endif #ifdef __NR_shmat SC_DENY(__NR_shmat, EACCES), #endif #ifdef __NR_shmdt SC_DENY(__NR_shmdt, EACCES), #endif /* Syscalls to permit */ #ifdef __NR_brk SC_ALLOW(__NR_brk), #endif -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2019-Oct-31 08:58 UTC
[Bug 3085] seccomp issue after upgrading openssl
https://bugzilla.mindrot.org/show_bug.cgi?id=3085 --- Comment #5 from Damien Miller <djm at mindrot.org> --- ok, then you'll either need to get the seccomp debugging working on your system to figure out which syscall is failing, or you could strace. -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2019-Oct-31 12:16 UTC
[Bug 3085] seccomp issue after upgrading openssl
https://bugzilla.mindrot.org/show_bug.cgi?id=3085 --- Comment #6 from brunni at netestate.de --- (In reply to Damien Miller from comment #5)> ok, then you'll either need to get the seccomp debugging working on > your system to figure out which syscall is failing, or you could > strace.Does this help? [pid 26960] getuid32() = 39 [pid 26960] geteuid32() = 39 [pid 26960] SYS_340(0, 0x1, 0xffb91c3c, 0, 0x56668aa9) = 0 [pid 26960] SYS_340(0, 0x7, 0xffb91c3c, 0, 0x56668aa9) = 0 [pid 26960] SYS_340(0, 0x6, 0xffb91c3c, 0, 0x56668aa9) = 0 [pid 26960] prctl(0x26, 0x1, 0, 0, 0) = 0 [pid 26960] prctl(0x16, 0x2, 0x566caf1c, 0x5662064e, 0) = 0 [pid 26960] write(7, "\0\0\0I\0\0\0\5\0\0\0Alist_hostkey_types: r"..., 77 <unfinished ...> [pid 26958] <... poll resumed> ) = 2 ([{fd=5, revents=POLLIN|POLLHUP}, {fd=6, revents=POLLHUP}]) [pid 26960] +++ killed by SIGSYS +++ --- SIGCHLD (Child exited) @ 0 (0) --- -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2019-Nov-01 03:38 UTC
[Bug 3085] seccomp issue after upgrading openssl
https://bugzilla.mindrot.org/show_bug.cgi?id=3085 --- Comment #7 from Damien Miller <djm at mindrot.org> --- No, I guess the syscall violation took down the process before strace got a chance to see what what being attempted. -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2019-Nov-01 03:44 UTC
[Bug 3085] seccomp issue after upgrading openssl
https://bugzilla.mindrot.org/show_bug.cgi?id=3085 --- Comment #8 from Darren Tucker <dtucker at dtucker.net> --- What's the hardware platform (you selected "other", I'm guessing S/390?) -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2019-Nov-01 08:28 UTC
[Bug 3085] seccomp issue after upgrading openssl
https://bugzilla.mindrot.org/show_bug.cgi?id=3085 --- Comment #9 from brunni at netestate.de --- (In reply to Darren Tucker from comment #8)> What's the hardware platform (you selected "other", I'm guessing > S/390?)x86 (64 bit kernel running a 32 bit Linux) -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2019-Nov-07 12:15 UTC
[Bug 3085] seccomp issue after upgrading openssl
https://bugzilla.mindrot.org/show_bug.cgi?id=3085 --- Comment #10 from brunni at netestate.de --- (In reply to Damien Miller from comment #5)> ok, then you'll either need to get the seccomp debugging working on > your system to figure out which syscall is failing, or you could > strace.It seems it's not my fault openssh is not compiling with seccomp debugging. See https://bugs.gentoo.org/651740 -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2020-Feb-04 00:44 UTC
[Bug 3085] seccomp issue after upgrading openssl
https://bugzilla.mindrot.org/show_bug.cgi?id=3085 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |3117 --- Comment #11 from Damien Miller <djm at mindrot.org> --- Prepare for 8.2 release; retarget bugs Referenced Bugs: https://bugzilla.mindrot.org/show_bug.cgi?id=3117 [Bug 3117] Tracking bug for 8.2 release -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2020-Feb-04 00:45 UTC
[Bug 3085] seccomp issue after upgrading openssl
https://bugzilla.mindrot.org/show_bug.cgi?id=3085 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks|3079 | Referenced Bugs: https://bugzilla.mindrot.org/show_bug.cgi?id=3079 [Bug 3079] Tracking bug for 8.2 release -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2020-Apr-14 23:16 UTC
[Bug 3085] seccomp issue after upgrading openssl
https://bugzilla.mindrot.org/show_bug.cgi?id=3085 Nicholas Niro <blowfist at xroutine.net> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |blowfist at xroutine.net --- Comment #12 from Nicholas Niro <blowfist at xroutine.net> --- Created attachment 3382 --> https://bugzilla.mindrot.org/attachment.cgi?id=3382&action=edit A patch that fixed my seccomp syscall issue I did what was suggested on the thread for the Bug 3085 and found out that my issue was caused to the syscall number 72 being denied. I found out it is the syscall pselect6 which *should* in fact be allowed. It turns out that including the syscall header file properly sets __NR_pselect6 and thus fixes this issue. -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2020-Apr-14 23:21 UTC
[Bug 3085] seccomp issue after upgrading openssl
https://bugzilla.mindrot.org/show_bug.cgi?id=3085 --- Comment #13 from Nicholas Niro <blowfist at xroutine.net> --- (In reply to Nicholas Niro from comment #12)> Created attachment 3382 [details] > A patch that fixed my seccomp syscall issue > > I did what was suggested on the thread for the Bug 3085 and found > out that my issue was caused to the syscall number 72 being denied. > I found out it is the syscall pselect6 which *should* in fact be > allowed. It turns out that including the syscall header file > properly sets __NR_pselect6 and thus fixes this issue.I didn't expect that attaching a file would erase the rest of my comment. I just mentioned that I had exactly the same issue as the person that created this post. I compiled openssh v8.2p1 on an aarch64 system with musl-libc (statically linked and without openssl) for my project jailTools https://github.com/nniro/jailTools . This bug only seems to happen on my pine book pro. On my x86_64 system I don't have any issues. -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2020-Apr-15 00:53 UTC
[Bug 3085] seccomp issue after upgrading openssl
https://bugzilla.mindrot.org/show_bug.cgi?id=3085 --- Comment #14 from Darren Tucker <dtucker at dtucker.net> --- Comment on attachment 3382 --> https://bugzilla.mindrot.org/attachment.cgi?id=3382 A patch that fixed my seccomp syscall issue Thanks for the analysis.>+#include <sys/syscall.h>I'm not sure if every distro and/or version has that file. Of the ones I have at hand, Fedora 30 (x86-64) had it at /usr/include/sys/syscall.h, while Debian (arm64) and Ubuntu (x86-64) do not (but did have it some other place that the compiler could find it). http://man7.org/linux/man-pages/man2/syscall.2.html documents it, so maybe we can rely on it... -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2020-Apr-15 01:03 UTC
[Bug 3085] seccomp issue after upgrading openssl
https://bugzilla.mindrot.org/show_bug.cgi?id=3085 --- Comment #15 from Darren Tucker <dtucker at dtucker.net> --- I've applied it without a configure test, we can add one later if necessary. Thanks. brunni: could you please see if this resolves your problem? -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2020-Apr-15 09:51 UTC
[Bug 3085] seccomp issue after upgrading openssl
https://bugzilla.mindrot.org/show_bug.cgi?id=3085 --- Comment #16 from brunni at netestate.de --- (In reply to Darren Tucker from comment #15)> I've applied it without a configure test, we can add one later if > necessary. Thanks. > > brunni: could you please see if this resolves your problem?We are talking about this change?>+#include <sys/syscall.h>No I still get the same compile error with SANDBOX_SECCOMP_FILTER_DEBUG after applying that patch. In other news I had a big migration to a 64bit toolchain (gcc 7.5.0 with glibc 2.31) and successfully upgraded to openssh-8.2p1 running the seccomp_filter sandbox some days before. I still have a server with the old 32bit toolchain though in case you want to do further analysis. -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2020-Apr-15 18:49 UTC
[Bug 3085] seccomp issue after upgrading openssl
https://bugzilla.mindrot.org/show_bug.cgi?id=3085 --- Comment #17 from Nicholas Niro <blowfist at xroutine.net> --- (In reply to brunni from comment #16)> (In reply to Darren Tucker from comment #15) > > I've applied it without a configure test, we can add one later if > > necessary. Thanks. > > > > brunni: could you please see if this resolves your problem? > > We are talking about this change? > > >+#include <sys/syscall.h> > > No I still get the same compile error with > SANDBOX_SECCOMP_FILTER_DEBUG after applying that patch.Try it without that flag at first, see if it fixes your issue. If it still doesn't fix it, you'll need this flag to debug the seccomp filter (and yes, I had compilation issues with that flag too. I could provide you with how I fixed it on my side if you like).> > In other news I had a big migration to a 64bit toolchain (gcc 7.5.0 > with glibc 2.31) and successfully upgraded to openssh-8.2p1 running > the seccomp_filter sandbox some days before. I still have a server > with the old 32bit toolchain though in case you want to do further > analysis.-- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2020-Apr-15 20:00 UTC
[Bug 3085] seccomp issue after upgrading openssl
https://bugzilla.mindrot.org/show_bug.cgi?id=3085 --- Comment #18 from Nicholas Niro <blowfist at xroutine.net> --- I think I just found the cause of the issue. It's a configuration issue for 32bit systems. The file config.h contains : #define SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64 even for 32bit systems. I managed to hack fix it by changing X86_64 to I386 and that seems to make sshd with seccomp work correctly. Darren Tucker: I think you'll have more work than expected with your configure script :). (upon checking configure.ac : I notice that at first sight, I386 should be supported but there's obviously a detection bug lurking there.). brunni: can you confirm the value of the variable SECCOMP_AUDIT_ARCH in your config.h? -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2020-Apr-15 20:17 UTC
[Bug 3085] seccomp issue after upgrading openssl
https://bugzilla.mindrot.org/show_bug.cgi?id=3085 --- Comment #19 from Nicholas Niro <blowfist at xroutine.net> --- (In reply to Nicholas Niro from comment #18)> I think I just found the cause of the issue. It's a configuration > issue for 32bit systems. The file config.h contains : #define > SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64 even for 32bit systems. I > managed to hack fix it by changing X86_64 to I386 and that seems to > make sshd with seccomp work correctly. > > Darren Tucker: I think you'll have more work than expected with your > configure script :). (upon checking configure.ac : I notice that at > first sight, I386 should be supported but there's obviously a > detection bug lurking there.). > > brunni: can you confirm the value of the variable SECCOMP_AUDIT_ARCH > in your config.h?Actually, upon further investigation on the host I'm testing this on, it seems the host is indeed X86_64 but all the compilation tool set and libraries are 32bit. This ought to confuse any configure script. brunni: I wonder if you are in the same situation too. Darren Tucker: Maybe we could detect the host based on gcc's -dumpmachine output? It would be hackish though and it is a pretty special case. Anyhow, the "correct" way to fix this in the user stand point is by passing something like --host=i686-linux-gnu to the configure script. -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2020-Apr-15 20:47 UTC
[Bug 3085] seccomp issue after upgrading openssl
https://bugzilla.mindrot.org/show_bug.cgi?id=3085 --- Comment #20 from brunni at netestate.de --- (In reply to Nicholas Niro from comment #19)> Actually, upon further investigation on the host I'm testing this > on, it seems the host is indeed X86_64 but all the compilation tool > set and libraries are 32bit. This ought to confuse any configure > script.>From my experience, 99% of them work out of the box with that setup.> brunni: I wonder if you are in the same situation too.Exactly. 64bit kernel running 32bit binaries and toolchain. On my old machine. The reason for this was that the spectre/meltdown patches for the kernel were 64bit only when they came out. And yes, config.h contains #define SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64 on my old machine.> Anyhow, the "correct" way to fix this in the user stand point is by > passing something like --host=i686-linux-gnu to the configure script.I'm glad I don't have to worry about such things any more as I finally made the step to 64bit. -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2020-May-08 03:38 UTC
[Bug 3085] seccomp issue after upgrading openssl
https://bugzilla.mindrot.org/show_bug.cgi?id=3085 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks| |3162 Referenced Bugs: https://bugzilla.mindrot.org/show_bug.cgi?id=3162 [Bug 3162] Tracking bug for 8.4 release -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2020-May-08 03:39 UTC
[Bug 3085] seccomp issue after upgrading openssl
https://bugzilla.mindrot.org/show_bug.cgi?id=3085 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks|3117 | --- Comment #21 from Damien Miller <djm at mindrot.org> --- Retarget bugs to 8.4 release Referenced Bugs: https://bugzilla.mindrot.org/show_bug.cgi?id=3117 [Bug 3117] Tracking bug for 8.3 release -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2020-Jul-10 04:20 UTC
[Bug 3085] seccomp issue after upgrading openssl
https://bugzilla.mindrot.org/show_bug.cgi?id=3085 --- Comment #22 from Damien Miller <djm at mindrot.org> --- It looks like the only thing remaining from this bug is the SECCOMP_AUDIT_ARCH setting in configure. Can you tell me what configure identifies your host system as? Maybe we can fix this. Look for the line like: checking host system type... x86_64-pc-linux-gnu -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2020-Jul-10 09:24 UTC
[Bug 3085] seccomp issue after upgrading openssl
https://bugzilla.mindrot.org/show_bug.cgi?id=3085 --- Comment #23 from brunni at netestate.de --- (In reply to Damien Miller from comment #22)> It looks like the only thing remaining from this bug is the > SECCOMP_AUDIT_ARCH setting in configure. Can you tell me what > configure identifies your host system as? Maybe we can fix this. > Look for the line like: > > checking host system type... x86_64-pc-linux-gnuI still have the old system with the 64bit kernel and the 32bit toolchain. Which version of openSSH should I use? -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2020-Jul-13 03:52 UTC
[Bug 3085] seccomp issue after upgrading openssl
https://bugzilla.mindrot.org/show_bug.cgi?id=3085 --- Comment #24 from Damien Miller <djm at mindrot.org> --- For testing this, any really. OpenSSH 8.3 is ideal since it uses the most recent version of GNU configure. -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2020-Jul-13 12:31 UTC
[Bug 3085] seccomp issue after upgrading openssl
https://bugzilla.mindrot.org/show_bug.cgi?id=3085 --- Comment #25 from brunni at netestate.de --- (In reply to Damien Miller from comment #22)> It looks like the only thing remaining from this bug is the > SECCOMP_AUDIT_ARCH setting in configure. Can you tell me what > configure identifies your host system as? Maybe we can fix this. > Look for the line like: > > checking host system type... x86_64-pc-linux-gnu./configure checking for cc... cc checking whether the C compiler works... yes checking for C compiler default output file name... a.out checking for suffix of executables... checking whether we are cross compiling... no checking for suffix of object files... o checking whether we are using the GNU C compiler... yes checking whether cc accepts -g... yes checking for cc option to accept ISO C89... none needed checking build system type... x86_64-pc-linux-gnu checking host system type... x86_64-pc-linux-gnu -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2020-Jul-13 22:59 UTC
[Bug 3085] seccomp issue after upgrading openssl
https://bugzilla.mindrot.org/show_bug.cgi?id=3085 --- Comment #26 from Damien Miller <djm at mindrot.org> --- Created attachment 3427 --> https://bugzilla.mindrot.org/attachment.cgi?id=3427&action=edit Detect X32 when setting seccomp audit_arch Please try this patch. It should detect X32 and set the audit arch to i386. -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2020-Jul-14 08:50 UTC
[Bug 3085] seccomp issue after upgrading openssl
https://bugzilla.mindrot.org/show_bug.cgi?id=3085 --- Comment #27 from brunni at netestate.de --- (In reply to Damien Miller from comment #26)> Created attachment 3427 [details] > Detect X32 when setting seccomp audit_arch > > Please try this patch. It should detect X32 and set the audit arch > to i386.Nope: checking for seccomp architecture... "AUDIT_ARCH_X86_64" grep SECCOMP_AUDIT_ARCH config.h #define SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64 I applied the patch and called autoconf and then configure. I also manually checked configure contains the patch. -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2020-Jul-14 08:57 UTC
[Bug 3085] seccomp issue after upgrading openssl
https://bugzilla.mindrot.org/show_bug.cgi?id=3085 --- Comment #28 from brunni at netestate.de --- $ac_cv_sizeof_size_t is 4 for me btw - not 32. Sounds about right. So I changed it to: if test "$ac_cv_sizeof_size_t" = "4" ; then And that looks better: grep SECCOMP_AUDIT_ARCH config.h #define SECCOMP_AUDIT_ARCH AUDIT_ARCH_I386 OpenSSH also compiles fine then. Did not do any further tests. -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2020-Jul-17 03:22 UTC
[Bug 3085] seccomp issue after upgrading openssl
https://bugzilla.mindrot.org/show_bug.cgi?id=3085 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution|--- |FIXED --- Comment #29 from Damien Miller <djm at mindrot.org> --- corrected fix committed and will be in OpenSSH 8.4 - thanks -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2020-Oct-26 18:10 UTC
[Bug 3085] seccomp issue after upgrading openssl
https://bugzilla.mindrot.org/show_bug.cgi?id=3085 mirabilos <tg at debian.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |REOPENED Resolution|FIXED |--- CC| |tg at debian.org --- Comment #30 from mirabilos <tg at debian.org> --- I?m afraid commit 5b56bd0affea7b02b540bdbc4d1d271b0e4fc885 is completely bogus and must be reverted. Let me first clarify a few things regarding x86 systems. We have three architectures that belong to the x86 group of architectures: - i386 (the original), 32-bit CPU, 32-bit instructions, ILP32 addressing model #if defined(__i386__) kernel + userland GNU: i386-linux-gnu - amd64 (?x86_64?), 64-bit CPU, 64-bit instructions, LP64 addressing model #if defined(__x86_64__) && !defined(__ILP32__) GNU: x86_64-linux-gnu kernel + userland - x32 (amd64ilp32), 64-bit CPU, 64-bit instructions, ILP32 addressing model #if defined(__x86_64__) && defined(__ILP32__) GNU: x86_64-linux-gnux32 userland only (I think the BSD equivalent would be MACHINE=x32 MACHINE_ARCH=amd64 for x32.) Now, the amd64 Linux kernel can run *all three* kinds of machines: - amd64 ELF64 binaries (native to the amd64 kernel) - amd64 ELF32 binaries (a.k.a. x32 binaries) - i386 ELF32 binaries (native to the i386 kernel) This introduces two new problems: ? ?uname -m? prints x86_64 on an amd64 kernel, no matter what the userland architecture is ? people running ?32-bit? applications on a ?64-bit? kernel (such as the initial reporter of this issue) need to run them under the ?linux32? tool, which fixes up uname: $ uname -m; linux32 uname -m x86_64 i686 The reporter could also have used --build=i386-linux-gnu to force configure to end up in the correct switch case, but using linux32 in these cases is the generally accepted correct solution (any errors from not doing so are normally closed as user mistake); I even have (very old) VMs running with i386 userland and amd64 kernel where I made /sbin/init into this shell script: #!/bin/sh exec /usr/bin/linux32 /sbin/init.real "$@" ? GNU autofools? config.guess does not detect x32 correctly; they recently forbade use of $CPP for detection, for some reason, but asking the selected compiler for those predefined macros I noted above is the *only* reliable way to do that, so on x32 users (or generic build system wrappers) need to *always* pass --build=x86_64-linux-gnux32 to DTRT (Debian does this) In short, the reporter did not run x32 but i386 (userland) on their amd64 kernel. People saying ?32 bit? generally (as in, 99.999% safe) mean i386, not x32 (because x32 is so special? people say x32 there). ? x32 ?breaks up? the conventional 32-bit/64-bit mode of thinking; this is not unique (there?s an amd64ilp32 out there which is ARMv8 ILP32 userland, 64-bit instructions) nor new (MIPS has o32/n32/n64, and n32 is also kind of a ?64-bit? mode but ILP32), but it?s the first, TTBOMK, to be a userland-only architecture 8.4p1 now mis-detects x32 as i386 for seccomp architecture; on x32, it must be AUDIT_ARCH_X86_64 like on amd64 (x32 is handled, in the sandbox, by checking for __ILP32__). This completely breaks openssh on x32. My advice is to revert the commit and have the original reporter use the linux32 wrapper around their i386 system. In fact, if seccomp_audit_arch is used in C code _only_ I?d even suggest to let the preprocessor determine it, not autoconf. -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2020-Nov-13 03:21 UTC
[Bug 3085] seccomp issue after upgrading openssl
https://bugzilla.mindrot.org/show_bug.cgi?id=3085 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|--- |FIXED Status|REOPENED |RESOLVED --- Comment #31 from Damien Miller <djm at mindrot.org> --- 5b56bd0a has been reverted -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2020-Nov-13 03:29 UTC
[Bug 3085] seccomp issue after upgrading openssl
https://bugzilla.mindrot.org/show_bug.cgi?id=3085 Darren Tucker <dtucker at dtucker.net> changed: What |Removed |Added ---------------------------------------------------------------------------- Blocks|3162 |3217 Referenced Bugs: https://bugzilla.mindrot.org/show_bug.cgi?id=3162 [Bug 3162] Tracking bug for 8.4 release https://bugzilla.mindrot.org/show_bug.cgi?id=3217 [Bug 3217] Tracking bug for 8.5 release -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2021-Mar-03 22:52 UTC
[Bug 3085] seccomp issue after upgrading openssl
https://bugzilla.mindrot.org/show_bug.cgi?id=3085 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |CLOSED --- Comment #32 from Damien Miller <djm at mindrot.org> --- close bugs that were resolved in OpenSSH 8.5 release cycle -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2021-Oct-13 14:40 UTC
[Bug 3085] seccomp issue after upgrading openssl
https://bugzilla.mindrot.org/show_bug.cgi?id=3085 Ahmed Sayeed <ahmedsayeed1982 at yahoo.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |ahmedsayeed1982 at yahoo.com --- Comment #33 from Ahmed Sayeed <ahmedsayeed1982 at yahoo.com> --- gdb: fix value_subscript when array upper bound is not known http://www-look-4.com/category/health/ Since commit 7c6f27129631 ("gdb: make get_discrete_bounds check for https://komiya-dental.com/category/crypto/ non-constant range bounds"), subscripting flexible array member fails: http://www.iu-bloomington.com/category/health/ struct no_size { https://waytowhatsnext.com/category/health/ int n; int items[]; }; http://www.wearelondonmade.com/category/health/ (gdb) p *ns $1 = {n = 3, items = 0x5555555592a4} (gdb) p ns->items[0] http://www.jopspeech.com/category/health/ Cannot access memory at address 0xfffe555b733a0164 (gdb) p *((int *) 0x5555555592a4) $2 = 101 <--- we would expect that http://joerg.li/category/health/ (gdb) p &ns->items[0] $3 = (int *) 0xfffe5559ee829a24 <--- wrong address http://connstr.net/category/health/ Since the flexible array member (items) has an unspecified size, the array type created for it in the DWARF doesn't have dimensions (this is with gcc 9.3.0, http://embermanchester.uk/category/health/ Ubuntu 20.04): http://www.slipstone.co.uk/category/health/ 0x000000a4: DW_TAG_array_type DW_AT_type [DW_FORM_ref4] (0x00000038 "int") DW_AT_sibling [DW_FORM_ref4] (0x000000b3) http://www.logoarts.co.uk/category/health/ 0x000000ad: DW_TAG_subrange_type DW_AT_type [DW_FORM_ref4] (0x00000031 "long unsigned int") http://www.acpirateradio.co.uk/category/health/ This causes GDB to create a range type (TYPE_CODE_RANGE) with a defined constant low bound (dynamic _prop with kind PROP_CONST) and an undefined high bound (dynamic_prop with kind PROP_UNDEFINED). http://www.compilatori.com/category/health/ value_subscript gets both bounds of that range using get_discrete_bounds. Before commit 7c6f27129631, get_discrete_bounds didn't check the kind of the dynamic_props and would just blindly read them as if they were PROP_CONST. https://www.webb-dev.co.uk/category/health/ It would return 0 for the high bound, because we zero-initialize the range_bounds structure. And it didn't really matter in this case, because the returned high bound wasn't used in the end. -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.