Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 783459

Summary: app-misc/pax-utils-1.3[seccomp]: seccomp allowlist don't contain writev which is used by musl
Product: Gentoo Linux Reporter: 12101111 <w12101111>
Component: Current packagesAssignee: SpanKY <vapier>
Status: RESOLVED FIXED    
Severity: normal CC: sam, toolchain
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description 12101111 2021-04-17 17:49:06 UTC
On musl:

> strace -k scanelf
execve("/usr/bin/scanelf", ["scanelf"], 0x7fff2b47f5e8 /* 104 vars */) = 0
 > /usr/lib/libc.so(_dlstart+0x0) [0xbb430]
 > no matching address range
arch_prctl(ARCH_SET_FS, 0x7fecfadf9c48) = 0
 > /usr/lib/libc.so(__set_thread_area+0xf) [0xb5f27]
 > /usr/lib/libc.so(__init_tp+0xb) [0x5918b]
 > /usr/lib/libc.so(__dls2b+0x71) [0xbc951]
 > /usr/lib/libc.so(__dls2+0x1e1) [0xbbda1]
 > /usr/lib/libc.so(_dlstart+0x15) [0xbb445]
 > no matching address range
set_tid_address(0x7fecfadf76a8)         = 1929
 > /usr/lib/libc.so(__init_tp+0x2e) [0x591ae]
 > /usr/lib/libc.so(__dls2b+0x71) [0xbc951]
 > /usr/lib/libc.so(__dls2+0x1e1) [0xbbda1]
 > /usr/lib/libc.so(_dlstart+0x15) [0xbb445]
 > no matching address range
brk(NULL)                               = 0x560979a41000
 > /usr/lib/libc.so(__malloc_alloc_meta+0x136) [0x657f6]
 > /usr/lib/libc.so(__malloc_donate+0x80) [0x64f40]
 > /usr/lib/libc.so(reclaim_gaps+0x74) [0xbdef4]
 > /usr/lib/libc.so(__dls3+0x7a9) [0xbd149]
 > /usr/lib/libc.so(__dls2+0x1e1) [0xbbda1]
 > /usr/lib/libc.so(_dlstart+0x15) [0xbb445]
 > no matching address range
brk(0x560979a43000)                     = 0x560979a43000
 > /usr/lib/libc.so(__malloc_alloc_meta+0x161) [0x65821]
 > /usr/lib/libc.so(__malloc_donate+0x80) [0x64f40]
 > /usr/lib/libc.so(reclaim_gaps+0x74) [0xbdef4]
 > /usr/lib/libc.so(__dls3+0x7a9) [0xbd149]
 > /usr/lib/libc.so(__dls2+0x1e1) [0xbbda1]
 > /usr/lib/libc.so(_dlstart+0x15) [0xbb445]
 > no matching address range
mmap(0x560979a41000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x560979a41000
 > /usr/lib/libc.so(mmap+0x94) [0x7d514]
 > /usr/lib/libc.so(__malloc_alloc_meta+0x187) [0x65847]
 > /usr/lib/libc.so(__malloc_donate+0x80) [0x64f40]
 > /usr/lib/libc.so(reclaim_gaps+0x74) [0xbdef4]
 > /usr/lib/libc.so(__dls3+0x7a9) [0xbd149]
 > /usr/lib/libc.so(__dls2+0x1e1) [0xbbda1]
 > /usr/lib/libc.so(_dlstart+0x15) [0xbb445]
 > no matching address range
mprotect(0x7fecfadf5000, 8192, PROT_READ) = 0
 > /usr/lib/libc.so(mprotect+0x25) [0x7d585]
 > /usr/lib/libc.so(reloc_all+0x191) [0xbc3f1]
 > /usr/lib/libc.so(__dls3+0xb2d) [0xbd4cd]
 > /usr/lib/libc.so(__dls2+0x1e1) [0xbbda1]
 > /usr/lib/libc.so(_dlstart+0x15) [0xbb445]
 > no matching address range
mprotect(0x560978885000, 12288, PROT_READ) = 0
 > /usr/lib/libc.so(mprotect+0x25) [0x7d585]
 > /usr/lib/libc.so(reloc_all+0x191) [0xbc3f1]
 > /usr/lib/libc.so(__dls3+0xb35) [0xbd4d5]
 > /usr/lib/libc.so(__dls2+0x1e1) [0xbbda1]
 > /usr/lib/libc.so(_dlstart+0x15) [0xbb445]
 > no matching address range
prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)  = 0
 > /usr/lib/libc.so(prctl+0x147) [0x5f0a7]
 > /usr/bin/scanelf(security_init+0x1a) [0xa72a]
 > /usr/bin/scanelf(main+0x11) [0xab71]
 > /usr/lib/libc.so(libc_start_main_stage2+0x28) [0x59588]
 > /usr/bin/scanelf(_start+0x15) [0x8ed5]
 > no matching address range
prctl(PR_SET_SECUREBITS, SECBIT_NOROOT|SECBIT_NOROOT_LOCKED|SECBIT_NO_SETUID_FIXUP|SECBIT_NO_SETUID_FIXUP_LOCKED|SECBIT_KEEP_CAPS_LOCKED) = -1 EPERM (Operation not permitted)
 > /usr/lib/libc.so(prctl+0x147) [0x5f0a7]
 > /usr/bin/scanelf(security_init+0x32) [0xa742]
 > /usr/bin/scanelf(main+0x11) [0xab71]
 > /usr/lib/libc.so(libc_start_main_stage2+0x28) [0x59588]
 > /usr/bin/scanelf(_start+0x15) [0x8ed5]
 > no matching address range
unshare(CLONE_NEWUTS|CLONE_NEWIPC)      = -1 EPERM (Operation not permitted)
 > /usr/lib/libc.so(unshare+0xa) [0x5f6ca]
 > /usr/bin/scanelf(ns_unshare+0x9) [0xa6c9]
 > /usr/bin/scanelf(security_init+0x47) [0xa757]
 > /usr/bin/scanelf(main+0x11) [0xab71]
 > /usr/lib/libc.so(libc_start_main_stage2+0x28) [0x59588]
 > /usr/bin/scanelf(_start+0x15) [0x8ed5]
 > no matching address range
prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, {len=53, filter=0x560978876d90}) = 0
 > /usr/lib/libc.so(prctl+0x147) [0x5f0a7]
 > /usr/bin/scanelf(security_init+0x6c) [0xa77c]
 > /usr/bin/scanelf(main+0x11) [0xab71]
 > /usr/lib/libc.so(libc_start_main_stage2+0x28) [0x59588]
 > /usr/bin/scanelf(_start+0x15) [0x8ed5]
 > no matching address range
ioctl(1, TIOCGWINSZ, {ws_row=25, ws_col=119, ws_xpixel=952, ws_ypixel=500}) = 0
 > /usr/lib/libc.so(__stdout_write+0x2d) [0x9f6cd]
 > /usr/lib/libc.so(__fwritex+0xbb) [0xa1bdb]
 > /usr/lib/libc.so(printf_core+0x258) [0xa42d8]
 > /usr/lib/libc.so(vfprintf+0x114) [0xa3fd4]
 > /usr/lib/libc.so(printf+0x9c) [0xa2fbc]
 > /usr/bin/scanelf(usage+0x4b) [0xabfb]
 > /usr/bin/scanelf(main+0x49) [0xaba9]
 > /usr/lib/libc.so(libc_start_main_stage2+0x28) [0x59588]
 > /usr/bin/scanelf(_start+0x15) [0x8ed5]
 > no matching address range
writev(1, [{iov_base="", iov_len=0}, {iov_base="* Scan ELF binaries for stuff\n\n", iov_len=31}], 2) = ?
+++ killed by SIGSYS (core dumped) +++
zsh: invalid system call  strace -k scanelf

musl implement printf using writev, which is blcok by seccomp.

This break estrip of portage.

Reproducible: Always
Comment 1 Sergei Trofimovich (RETIRED) gentoo-dev 2021-04-18 09:07:27 UTC
Do you want to write a patch? I'll apply it with 'git am' and push a release out.

New syscall could be added at around https://gitweb.gentoo.org/proj/pax-utils.git/tree/seccomp-bpf.c#n107
Comment 2 Larry the Git Cow gentoo-dev 2021-04-18 18:29:49 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/pax-utils.git/commit/?id=9a5ca4976b17d1ef8210ca6323020d5050b4d374

commit 9a5ca4976b17d1ef8210ca6323020d5050b4d374
Author:     Mike Frysinger <vapier@gentoo.org>
AuthorDate: 2021-04-18 18:28:17 +0000
Commit:     Mike Frysinger <vapier@gentoo.org>
CommitDate: 2021-04-18 18:28:17 +0000

    security: restore syscalls accidentally dropped
    
    The original precompile work was done against an old version of
    pax-utils and I forgot to resync the list before finalizing.
    Restore all the syscalls that were in here before.
    
    Bug: https://bugs.gentoo.org/783459
    Signed-off-by: Mike Frysinger <vapier@gentoo.org>

 seccomp-bpf.c | 13 ++++++++++
 seccomp-bpf.h | 76 +++++++++++++++++++++++++++++------------------------------
 2 files changed, 51 insertions(+), 38 deletions(-)
Comment 3 Larry the Git Cow gentoo-dev 2021-04-18 18:34:30 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2fb10c0f8f71e70e590880ea3bac9009418e5eb5

commit 2fb10c0f8f71e70e590880ea3bac9009418e5eb5
Author:     Mike Frysinger <vapier@gentoo.org>
AuthorDate: 2021-04-18 18:32:29 +0000
Commit:     Mike Frysinger <vapier@gentoo.org>
CommitDate: 2021-04-18 18:33:35 +0000

    app-misc/pax-utils: restore missing seccomp syscalls
    
    Closes: https://bugs.gentoo.org/783459
    Signed-off-by: Mike Frysinger <vapier@gentoo.org>

 app-misc/pax-utils/Manifest                                         | 2 +-
 app-misc/pax-utils/{pax-utils-1.3.ebuild => pax-utils-1.3.1.ebuild} | 5 +++--
 2 files changed, 4 insertions(+), 3 deletions(-)
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2021-04-18 20:05:43 UTC
> >>> Downloading 'https://dev.gentoo.org/~vapier/distfiles/pax-utils-1.3.1.tar.xz'
> --2021-04-18 22:03:38--  https://dev.gentoo.org/~vapier/distfiles/pax-utils-1.3.1.tar.xz
> Resolving dev.gentoo.org (dev.gentoo.org)... 2001:470:ea4a:1:5054:ff:fec7:86e4, 140.211.166.183
> Connecting to dev.gentoo.org (dev.gentoo.org)|2001:470:ea4a:1:5054:ff:fec7:86e4|:443... connected.
> HTTP request sent, awaiting response... 404 Not Found
> 2021-04-18 22:03:38 ERROR 404: Not Found.
>