Summary: | net-misc/openssh: sys-devel/glibc-2.31-r6 breaks logins on i386 due to syscall blocked by sandbox-seccomp-filter | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Huemi <gentoobugs> |
Component: | Current packages | Assignee: | Gentoo's Team for Core System packages <base-system> |
Status: | RESOLVED FIXED | ||
Severity: | major | CC: | alexander, sam, toolchain |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | x86 | ||
OS: | Linux | ||
See Also: | https://bugs.gentoo.org/show_bug.cgi?id=708224 https://bugs.gentoo.org/show_bug.cgi?id=737998 | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- |
Description
Huemi
2020-08-17 08:56:34 UTC
Recompiling openssh after merging glibc-2.31-r6 (and rebooting) without this manual modification and restarting it didn't help on x86 architecture, so this workaround you find somewhere might only work on amd64, but x86 seems to be using another system call which is missing in the current patchset.

(In reply to Huemi from comment #0)
> Somebody would have to convert 407 to a _NR_... statement to find out what
> really happens, but adding SC_ALLOW(407) works to make ssh login working
> again.

```
/usr/include/asm/unistd_32.h:#define __NR_clock_nanosleep_time64 407
```

And AFAIS, it is enabled by openssh patchset. What version of linux-headers is installed on your system? (Or better post emerge --info output)

Linux headers 4.19 (installed at the beginning of 2020) doesn't seem to include this call. As I use a 4.19.x series kernel I didn't want to upgrade to 5.4-r1 as it wouldn't match the kernel ...

```
cat /usr/include/asm/unistd_32.h | grep __NR_clock_nanosleep
#define __NR_clock_nanosleep 267
```

---

As the openssh patchset only includes:

```
#ifdef __NR_clock_nanosleep
	SC_ALLOW(__NR_clock_nanosleep),
#endif
#ifdef __NR_clock_nanosleep_time64
	SC_ALLOW(__NR_clock_nanosleep_time64),
#endif
```

The SC_ALLOW will probably be never compiled because __NR_clock_nanosleep_time64 is not defined. So maybe it should be allowed unconditionally to workaround - but if it isn't defined you would have to add 407 statically ...

---

```
sys-kernel/linux-headers: 4.19::gentoo (virtual/os-headers)
sys-libs/glibc: 2.31-r6::gentoo
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=i686 -pipe"
CHOST="i686-pc-linux-gnu"
CXXFLAGS="-O2 -march=i686 -pipe"
```

Should not be "doesn't contain this call" but "doesn't contain this define statement".

(In reply to Huemi from comment #3)
> Linux headers 4.19 (installed at the beginning of 2020) doesn't seem to
> include this call. As I use a 4.19.x series kernel I didn't want to upgrade
> to 5.4-r1 as it wouldn't match the kernel ...

As was discussed multiple times at multiple places (including this BZ), having newer linux-headers is a perfectly supported configuration.

(In reply to Huemi from comment #3)
> So maybe it should be allowed unconditionally to workaround - but if it
> isn't defined you would have to add 407 statically ...

Yeah, I think gentoo should apply patch for openssh that hardcodes these syscall numbers... until old versions of linux-headers are dropped. The only problem is that some arches may have different syscall numbers, but I'm not sure if this is possible.

(In reply to Alexander Tsoy from comment #5)
> The only problem is that some arches may have different syscall numbers,
> but I'm not sure if this is possible.

I just checked syscalls added by openssh patchset. It seems like "clock_gettime64" and "clock_nanosleep_time64" have identical numbers on different arches (403 and 407). But since these syscalls are only available on 32-bit arches, the patch would be slightly complicated (a lot of "if defined"/"elif defined"). "ipc" and "clock_nanosleep" syscalls have different numbers on different arches, but these syscalls are probably defined by the linux headers for a very long time, so no need to add them.

The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a3ddee3a0c95e932481d494930a05f6f34938c1e

```
commit a3ddee3a0c95e932481d494930a05f6f34938c1e
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-08-17 14:29:28 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-08-17 14:32:33 +0000

    net-misc/openssh: depend on >=sys-kernel/linux-headers-5.1

    In >=sys-libs/glibc-2.31 we are already forcing an upgrade of net-misc/openssh.
    However, sandbox code in OpenSSH [Link 1] is guarded by "#ifdef" so an upgrade
    of OpenSSH before glibc upgrade won't fix the problem if system is using
    old linux-headers without __NR_clock_nanosleep{,_time64}.

    Forcing >=linux-headers-5.1 will ensure that OpenSSH's sandbox supports
    __NR_clock_nanosleep{,_time64} and will therefore work with >=glibc-2.31.

    Link 1: https://github.com/openssh/openssh-portable/blob/V_8_3/sandbox-seccomp-filter.c#L252-L257
    Bug: https://bugs.gentoo.org/708224
    Closes: https://bugs.gentoo.org/737604
    Package-Manager: Portage-3.0.2, Repoman-2.3.23
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 .../openssh/{openssh-8.1_p1-r3.ebuild => openssh-8.1_p1-r4.ebuild} | 3 ++-
 .../openssh/{openssh-8.2_p1-r6.ebuild => openssh-8.2_p1-r7.ebuild} | 3 ++-
 .../openssh/{openssh-8.3_p1-r4.ebuild => openssh-8.3_p1-r5.ebuild} | 3 ++-
 3 files changed, 6 insertions(+), 3 deletions(-)
```
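The effect discussed in this thread, as an added example (not code from OpenSSH or the Gentoo patchset): the same `#ifdef`-guarded allowlist is compiled once with the time64 name undefined and once with it defined, and a small evaluator shows what each resulting filter does with syscall 407. Assumptions: the `DEMO_NR_*` names, the simplified `SC_ALLOW`, the locally copied BPF constants and the deny default are stand-ins chosen for this demo; the real filter checks more than the syscall number.

```c
#include <stdint.h>
#include <stdio.h>
/* Classic-BPF layout and constants as in the kernel UAPI headers (copied, so no <linux/*.h>). */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
enum { OP_LD_ABS = 0x20, OP_JEQ_K = 0x15, OP_RET_K = 0x06, RET_KILL = 0, RET_ALLOW = 0x7fff0000 };
#define LEN(a) (sizeof(a) / sizeof((a)[0]))
#define SC_ALLOW(nr) { OP_JEQ_K, 0, 1, (nr) }, { OP_RET_K, 0, 0, RET_ALLOW } /* match -> allow */

/* Stand-in for i386 linux-headers 4.19 (DEMO_NR_* names are made up; 267/407 are from the thread). */
#define DEMO_NR_clock_nanosleep 267
static const struct insn old_headers[] = {
    { OP_LD_ABS, 0, 0, 0 },                 /* load the syscall number */
#ifdef DEMO_NR_clock_nanosleep
    SC_ALLOW(DEMO_NR_clock_nanosleep),
#endif
#ifdef DEMO_NR_clock_nanosleep_time64       /* not defined yet: entry is compiled out */
    SC_ALLOW(DEMO_NR_clock_nanosleep_time64),
#endif
    { OP_RET_K, 0, 0, RET_KILL },           /* default action (assumed deny) */
};

/* Stand-in for >=linux-headers-5.1: identical source, time64 name now defined. */
#define DEMO_NR_clock_nanosleep_time64 407
static const struct insn new_headers[] = {
    { OP_LD_ABS, 0, 0, 0 },
#ifdef DEMO_NR_clock_nanosleep
    SC_ALLOW(DEMO_NR_clock_nanosleep),
#endif
#ifdef DEMO_NR_clock_nanosleep_time64
    SC_ALLOW(DEMO_NR_clock_nanosleep_time64),
#endif
    { OP_RET_K, 0, 0, RET_KILL },
};

/* Evaluate the three opcodes used above and return the resulting seccomp action. */
static uint32_t verdict(const struct insn *f, size_t n, uint32_t nr) {
    uint32_t acc = 0;
    for (size_t pc = 0; pc < n; pc++) {
        if (f[pc].code == OP_LD_ABS) acc = nr;
        else if (f[pc].code == OP_JEQ_K) pc += (acc == f[pc].k) ? f[pc].jt : f[pc].jf;
        else return f[pc].k;                /* OP_RET_K */
    }
    return RET_KILL;
}

int main(void) {
    printf("syscall 407, old headers: %#x\n", (unsigned)verdict(old_headers, LEN(old_headers), 407));
    printf("syscall 407, new headers: %#x\n", (unsigned)verdict(new_headers, LEN(new_headers), 407));
}
```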