bugzilla-daemon at mindrot.org
2021-Feb-10 13:05 UTC
[Bug 3260] New: seccomp additions for glibc 2.33 on 32-bit platforms
https://bugzilla.mindrot.org/show_bug.cgi?id=3260

    Bug ID: 3260
    Summary: seccomp additions for glibc 2.33 on 32-bit platforms
    Product: Portable OpenSSH
    Version: 8.4p1
    Hardware: ix86
    OS: Linux
    Status: NEW
    Severity: major
    Priority: P5
    Component: sshd
    Assignee: unassigned-bugs at mindrot.org
    Reporter: nix at esperi.org.uk

Created attachment 3470
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3470&action=edit
seccomp additions for glibc 2.33

glibc 2.33+ on these platforms, when used in conjunction with newer Linux kernels, needs various new syscalls in the seccomp whitelist (they've been added to allow for post-2038 time). Patch against 8.4p1 attached.

Ranked major because it builds fine but then fails at connection-accept time, which can lead to service loss and annoying trips to get a console (thankfully I only had to make a trip across the room to plug the serial console in).

--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2021-Feb-10 15:42 UTC
[Bug 3260] seccomp additions for glibc 2.33 on 32-bit platforms
https://bugzilla.mindrot.org/show_bug.cgi?id=3260

Jakub Jelen <jjelen at redhat.com> changed:

    What               |Removed             |Added
    ----------------------------------------------------------------------------
    CC                 |                    |jjelen at redhat.com

--- Comment #1 from Jakub Jelen <jjelen at redhat.com> ---
Comment on attachment 3470
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3470
seccomp additions for glibc 2.33

The __NR_pselect6_time64 is already in as reported in the bug #3232 and merged upstream as [1]. The __NR_futex_time64 has wrong ifdef at this moment and should say:

+#ifdef __NR_futex_time64
+ SC_ALLOW(__NR_futex_time64),
+#endif

[1] https://github.com/openssh/openssh-portable/commit/0f90440ca
bugzilla-daemon at mindrot.org
2021-Feb-10 18:59 UTC
[Bug 3260] seccomp additions for glibc 2.33 on 32-bit platforms
https://bugzilla.mindrot.org/show_bug.cgi?id=3260

Nick Alcock <nix at esperi.org.uk> changed:

    What               |Removed             |Added
    ----------------------------------------------------------------------------
    Attachment #3470   |0                   |1
    is obsolete        |                    |

--- Comment #2 from Nick Alcock <nix at esperi.org.uk> ---
Created attachment 3471
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3471&action=edit
remaining seccomp addition for glibc 2.33
bugzilla-daemon at mindrot.org
2021-Feb-10 19:00 UTC
[Bug 3260] seccomp additions for glibc 2.33 on 32-bit platforms
https://bugzilla.mindrot.org/show_bug.cgi?id=3260

--- Comment #3 from Nick Alcock <nix at esperi.org.uk> ---
Sorry, I forgot to check master with the obviously wrong reasoning that portable-openssh changes wouldn't go in there (even though I already know they do, routinely). Fixed patch against master attached.
bugzilla-daemon at mindrot.org
2021-Feb-10 23:22 UTC
[Bug 3260] seccomp additions for glibc 2.33 on 32-bit platforms
https://bugzilla.mindrot.org/show_bug.cgi?id=3260

Darren Tucker <dtucker at dtucker.net> changed:

    What               |Removed             |Added
    ----------------------------------------------------------------------------
    Blocks             |                    |3217
    Status             |NEW                 |RESOLVED
    Resolution         |---                 |FIXED
    CC                 |                    |dtucker at dtucker.net

--- Comment #4 from Darren Tucker <dtucker at dtucker.net> ---
Patch applied, thanks.

Can you specify which platforms this occurs on? I think it should be caught by the regression tests when run with sudo/doas ("make tests SUDO=sudo") and I'd like to see if we can improve our test coverage.

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3217
[Bug 3217] Tracking bug for 8.5 release
bugzilla-daemon at mindrot.org
2021-Feb-11 14:07 UTC
[Bug 3260] seccomp additions for glibc 2.33 on 32-bit platforms
https://bugzilla.mindrot.org/show_bug.cgi?id=3260

--- Comment #5 from Nick Alcock <nix at esperi.org.uk> ---
It'll happen on any glibc-using Linux platform with a 32-bit glibc 2.33+ and a sufficiently recent kernel, though "sufficiently recent" is architecture-dependent: on kernel 5.1+, all 32-bit architectures with this glibc release will use these syscalls. (See sysdeps/unix/sysv/linux/kernel-features.h in the glibc 2.33 source tree.)
bugzilla-daemon at mindrot.org
2021-Mar-03 22:52 UTC
[Bug 3260] seccomp additions for glibc 2.33 on 32-bit platforms
https://bugzilla.mindrot.org/show_bug.cgi?id=3260

Damien Miller <djm at mindrot.org> changed:

    What               |Removed             |Added
    ----------------------------------------------------------------------------
    Status             |RESOLVED            |CLOSED

--- Comment #6 from Damien Miller <djm at mindrot.org> ---
close bugs that were resolved in OpenSSH 8.5 release cycle
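
The failure mode discussed in this thread, as an added example that is not OpenSSH code and not taken from either attachment: two small seccomp-BPF allow-lists, one without and one with a futex_time64 entry, run through a userspace evaluator so the difference can be checked without installing a filter. The `ALLOW` macro and the filter contents are hypothetical stand-ins, and the i386 syscall numbers (240 for futex, 422 for futex_time64) are hard-coded as an assumption so the result does not depend on the build host, where the real code guards each entry with `#ifdef`.

```c
/* Added example, not OpenSSH code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* i386 syscall numbers, hard-coded (assumption) so the result is host-independent. */
#define I386_NR_futex        240
#define I386_NR_futex_time64 422

/* Hypothetical allow-list entry: on a match return ALLOW, otherwise fall through. */
#define ALLOW(nr) \
	BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
	BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)
#define LOAD_NR BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr))
#define DENY    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL)
#define LEN(a)  (sizeof(a) / sizeof((a)[0]))

/* Constructed allow-list without the time64 entry. */
static const struct sock_filter old_filter[] = { LOAD_NR, ALLOW(I386_NR_futex), DENY };
/* Constructed allow-list with the time64 variant next to the classic call. */
static const struct sock_filter new_filter[] = {
	LOAD_NR, ALLOW(I386_NR_futex), ALLOW(I386_NR_futex_time64), DENY
};

/* Userspace evaluator for the three instruction kinds used above. */
static uint32_t run_filter(const struct sock_filter *f, size_t len, uint32_t nr)
{
	uint32_t acc = 0;
	for (size_t pc = 0; pc < len; pc++) {
		switch (f[pc].code) {
		case BPF_LD | BPF_W | BPF_ABS:   /* the only field loaded here is nr */
			acc = nr;
			break;
		case BPF_JMP | BPF_JEQ | BPF_K:  /* offsets are relative to the next insn */
			pc += (acc == f[pc].k) ? f[pc].jt : f[pc].jf;
			break;
		case BPF_RET | BPF_K:
			return f[pc].k;
		}
	}
	return SECCOMP_RET_KILL;
}

int main(void)
{
	printf("old: %#x\n", run_filter(old_filter, LEN(old_filter), I386_NR_futex_time64));
	printf("new: %#x\n", run_filter(new_filter, LEN(new_filter), I386_NR_futex_time64));
	return 0;
}
```
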