bugzilla-daemon at mindrot.org
2021-Feb-10 13:05 UTC
[Bug 3260] New: seccomp additions for glibc 2.33 on 32-bit platforms
https://bugzilla.mindrot.org/show_bug.cgi?id=3260
Bug ID: 3260
Summary: seccomp additions for glibc 2.33 on 32-bit platforms
Product: Portable OpenSSH
Version: 8.4p1
Hardware: ix86
OS: Linux
Status: NEW
Severity: major
Priority: P5
Component: sshd
Assignee: unassigned-bugs at mindrot.org
Reporter: nix at esperi.org.uk
Created attachment 3470
--> https://bugzilla.mindrot.org/attachment.cgi?id=3470&action=edit
seccomp additions for glibc 2.33
glibc 2.33+ on these platforms, when used in conjunction with newer
Linux kernels, needs various new syscalls in the seccomp whitelist
(they've been added to allow for post-2038 time).
Patch against 8.4p1 attached.
Ranked major because it builds fine but then fails at connection-accept
time, which can lead to service loss and annoying trips to get a
console (thankfully I only had to make a trip across the room to plug
the serial console in).
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2021-Feb-10 15:42 UTC
[Bug 3260] seccomp additions for glibc 2.33 on 32-bit platforms
https://bugzilla.mindrot.org/show_bug.cgi?id=3260
Jakub Jelen <jjelen at redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |jjelen at redhat.com
--- Comment #1 from Jakub Jelen <jjelen at redhat.com> ---
Comment on attachment 3470
--> https://bugzilla.mindrot.org/attachment.cgi?id=3470
seccomp additions for glibc 2.33
The __NR_pselect6_time64 is already in as reported in the bug #3232 and
merged upstream as [1]. The __NR_futex_time64 has wrong ifdef at this
moment and should say:
+#ifdef __NR_futex_time64
+ SC_ALLOW(__NR_futex_time64),
+#endif
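Review bot: the SC_ALLOW(__NR_futex_time64) line carries no comment saying why the entry is in the whitelist; a short note above the #ifdef that 32-bit glibc 2.33+ calls the time64 variant for post-2038 time would explain it to anyone auditing the filter later. The guard itself names the same macro as the entry it wraps, which is the form the other time64 additions should follow as well.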
[1] https://github.com/openssh/openssh-portable/commit/0f90440ca
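A lint for the guard mismatch discussed in comment #1, as an added example that is not part of the bug thread or of OpenSSH: it checks that every `SC_ALLOW(__NR_x)` entry sits inside an `#ifdef` naming the same macro. The sample filter text, the mismatched guard shown in it, and the `check_guards` helper are constructed for illustration.

```python
import re

# Constructed sample in the style of a seccomp allowlist (not OpenSSH's source).
SAMPLE = """\
#ifdef __NR_futex
    SC_ALLOW(__NR_futex),
#endif
#ifdef __NR_futex
    SC_ALLOW(__NR_futex_time64),
#endif
#ifdef __NR_pselect6_time64
    SC_ALLOW(__NR_pselect6_time64),
#endif
    SC_ALLOW(__NR_clock_gettime64),
"""

# "#ifdef X" or "#if defined(X)"; any other #if form opens an unnamed block.
GUARD = re.compile(r"^\s*#\s*if(?:def\s+|\s+defined\s*\(?\s*)(\w+)")
OTHER_IF = re.compile(r"^\s*#\s*if")
ENDIF = re.compile(r"^\s*#\s*endif")
ALLOW = re.compile(r"^\s*SC_ALLOW\s*\(\s*(__NR_\w+)")


def check_guards(source):
    """Return (line, syscall, innermost_guard) for each SC_ALLOW entry that
    is not enclosed by a guard naming the same __NR_ macro."""
    findings, stack = [], []
    for lineno, line in enumerate(source.splitlines(), 1):
        guard = GUARD.match(line)
        if guard:
            stack.append(guard.group(1))
        elif OTHER_IF.match(line):
            stack.append(None)          # #ifndef, #if with an expression, ...
        elif ENDIF.match(line):
            if stack:
                stack.pop()
        else:
            allow = ALLOW.match(line)
            if allow and allow.group(1) not in stack:
                findings.append((lineno, allow.group(1), stack[-1] if stack else None))
    return findings


if __name__ == "__main__":
    for lineno, syscall, guard in check_guards(SAMPLE):
        print(f"line {lineno}: {syscall} guarded by {guard or 'nothing'}")
```

The check does not follow `#else` or `#elif` branches, so entries inside those are judged against the opening guard only.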
bugzilla-daemon at mindrot.org
2021-Feb-10 18:59 UTC
[Bug 3260] seccomp additions for glibc 2.33 on 32-bit platforms
https://bugzilla.mindrot.org/show_bug.cgi?id=3260
Nick Alcock <nix at esperi.org.uk> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #3470|0 |1
is obsolete| |
--- Comment #2 from Nick Alcock <nix at esperi.org.uk> ---
Created attachment 3471
--> https://bugzilla.mindrot.org/attachment.cgi?id=3471&action=edit
remaining seccomp addition for glibc 2.33
bugzilla-daemon at mindrot.org
2021-Feb-10 19:00 UTC
[Bug 3260] seccomp additions for glibc 2.33 on 32-bit platforms
https://bugzilla.mindrot.org/show_bug.cgi?id=3260
--- Comment #3 from Nick Alcock <nix at esperi.org.uk> ---
Sorry, I forgot to check master with the obviously wrong reasoning that
portable-openssh changes wouldn't go in there (even though I already
know they do, routinely). Fixed patch against master attached.
bugzilla-daemon at mindrot.org
2021-Feb-10 23:22 UTC
[Bug 3260] seccomp additions for glibc 2.33 on 32-bit platforms
https://bugzilla.mindrot.org/show_bug.cgi?id=3260
Darren Tucker <dtucker at dtucker.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |3217
Status|NEW |RESOLVED
Resolution|--- |FIXED
CC| |dtucker at dtucker.net
--- Comment #4 from Darren Tucker <dtucker at dtucker.net> ---
Patch applied, thanks.
Can you specify which platforms this occurs on? I think it should be
caught by the regression tests when run with sudo/doas ("make tests
SUDO=sudo") and I'd like to see if we can improve our test coverage.
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3217
[Bug 3217] Tracking bug for 8.5 release
bugzilla-daemon at mindrot.org
2021-Feb-11 14:07 UTC
[Bug 3260] seccomp additions for glibc 2.33 on 32-bit platforms
https://bugzilla.mindrot.org/show_bug.cgi?id=3260
--- Comment #5 from Nick Alcock <nix at esperi.org.uk> ---
It'll happen on any glibc-using Linux platform with a 32-bit glibc
2.33+ and a sufficiently recent kernel, though "sufficiently recent" is
architecture-dependent: on kernel 5.1+, all 32-bit architectures with
this glibc release will use these syscalls. (See
sysdeps/unix/sysv/linux/kernel-features.h in the glibc 2.33 source
tree.)
bugzilla-daemon at mindrot.org
2021-Mar-03 22:52 UTC
[Bug 3260] seccomp additions for glibc 2.33 on 32-bit platforms
https://bugzilla.mindrot.org/show_bug.cgi?id=3260
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #6 from Damien Miller <djm at mindrot.org> ---
close bugs that were resolved in OpenSSH 8.5 release cycle