Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 553748

Summary: >=net-misc/openssh-6.7_p1: connection refused on x32 (regression) when using seccomp sandbox
Product: Gentoo Linux Reporter: Kyle Sanderson <kyle.leet>
Component: [OLD] ServerAssignee: Gentoo's Team for Core System packages <base-system>
Status: RESOLVED FIXED    
Severity: critical CC: bugs, srcshelton
Priority: Normal    
Version: unspecified   
Hardware: AMD64   
OS: Linux   
URL: https://bugzilla.mindrot.org/show_bug.cgi?id=2142
See Also: https://bugs.gentoo.org/show_bug.cgi?id=459672
https://bugzilla.mindrot.org/show_bug.cgi?id=2142
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 393673    

Description Kyle Sanderson 2015-07-01 21:11:15 UTC 
openssh builds no problem on x32, however on 6.7 onwards there's a silent failure that results in dropping all incoming connections. I did a pretty significant package upgrade yesterday (roughly a year out of date), with the result of being locked out of the system. I've build dropbear with -m64 so it builds, however 6.6 should be restored...

Please restore an ebuild from 6.6.

Afflicted:
net-misc/openssh-6.7_p1
net-misc/openssh-6.8_p1-r5

This is pretty serious for remote users; I'm lucky as I have IPMI access to the box.

Reproducible: Always
Comment 1 Kyle Sanderson 2015-07-01 21:38:38 UTC 
Confirming building with -m64 results in a functional openssh with net-misc/openssh-6.8_p1-r5, this is super dangerous.
Comment 2 SpanKY gentoo-dev 2015-07-08 10:06:05 UTC 
try emerging with EXTRA_ECONF=--with-sandbox=no.  that will tell us whether the new seccomp code is causing a problem.
Comment 3 Tiago Marques 2015-08-01 12:29:23 UTC 
(In reply to SpanKY from comment #2)
> try emerging with EXTRA_ECONF=--with-sandbox=no.  that will tell us whether
> the new seccomp code is causing a problem.

Tried this to no avail. I'm having the exact same issue though I have another system with up to date OpenSSL and OpenSSH that does not have the same problem. On the machine I do have the issue, I can have it run on a stage3 x32 sshd (6.6) but not with the same x32 binary I have running ok elsewhere - just closes the connection.
Comment 4 Tiago Marques 2015-08-01 13:32:56 UTC 
After compiling with "debug" flag, log shows:

[sshd] fatal: ssh_sandbox_violation: unexpected system call (arch:0xc000003e,syscall:228 @ 0xff9ff6da) [preauth]

So I checked and I typed EXTRA_CONF instead of the correct variable and recompiled again with sandbox disabled and it works now.
Comment 5 SpanKY gentoo-dev 2015-08-04 02:34:58 UTC 
*** Bug 556476 has been marked as a duplicate of this bug. ***
Comment 6 Stuart Shelton 2015-08-04 19:06:27 UTC 
As per Bug 556476, using `EXTRA_ECONF=--with-sandbox=rlimit` would be more secure, or there's an as-yet-unaccepted patch (albeit one which looks reasonable to an untrained eye) which adds libseccomp support, and which appears to work.
Comment 7 SpanKY gentoo-dev 2015-08-05 08:21:25 UTC 
Commit message: Use the rlimit sandbox for x32 ABI until the seccomp one is fixed
http://sources.gentoo.org/net-misc/openssh/openssh-6.9_p1-r2.ebuild?r1=1.11&r2=1.12
Comment 8 SpanKY gentoo-dev 2015-08-05 08:22:10 UTC 
(In reply to Stuart Shelton from comment #6)

i've added that to the latest ebuild, but i'll leave this bug open until we can enable seccomp again for x32
Comment 9 SpanKY gentoo-dev 2017-03-20 19:01:34 UTC 
seccomp sandbox seems to work w/openssh-7.5_p1 under x32