Bug 553748 - >=net-misc/openssh-6.7_p1: connection refused on x32 (regression) when using seccomp sandbox
Status: RESOLVED FIXED
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Server
Hardware: AMD64 Linux
Importance: Normal critical with 1 vote
Assignee: Gentoo's Team for Core System packages
URL: https://bugzilla.mindrot.org/show_bug...
Duplicates: 556476
Blocks: x32
Reported: 2015-07-01 21:11 UTC by Kyle Sanderson
Modified: 2017-03-20 19:01 UTC (History)
Description Kyle Sanderson 2015-07-01 21:11:15 UTC
openssh builds with no problem on x32; however, from 6.7 onwards there's a silent failure that results in dropping all incoming connections. I did a pretty significant package upgrade yesterday (roughly a year out of date), with the result of being locked out of the system. I've built dropbear with -m64 so it builds; however, 6.6 should be restored...

Please restore an ebuild from 6.6.

Afflicted:
net-misc/openssh-6.7_p1
net-misc/openssh-6.8_p1-r5

This is pretty serious for remote users; I'm lucky as I have IPMI access to the box.

Reproducible: Always
Comment 1 Kyle Sanderson 2015-07-01 21:38:38 UTC
Confirming that building with -m64 results in a functional openssh with net-misc/openssh-6.8_p1-r5; this is super dangerous.
Comment 2 SpanKY gentoo-dev 2015-07-08 10:06:05 UTC
Try emerging with EXTRA_ECONF=--with-sandbox=no. That will tell us whether the new seccomp code is causing a problem.
Comment 3 Tiago Marques 2015-08-01 12:29:23 UTC
(In reply to SpanKY from comment #2)
> try emerging with EXTRA_ECONF=--with-sandbox=no.  that will tell us whether
> the new seccomp code is causing a problem.

Tried this to no avail. I'm having the exact same issue, though I have another system with up-to-date OpenSSL and OpenSSH that does not have the same problem. On the machine where I do have the issue, I can have it run with a stage3 x32 sshd (6.6) but not with the same x32 binary I have running OK elsewhere; it just closes the connection.
Comment 4 Tiago Marques 2015-08-01 13:32:56 UTC
After compiling with the "debug" flag, the log shows:

[sshd] fatal: ssh_sandbox_violation: unexpected system call (arch:0xc000003e,syscall:228 @ 0xff9ff6da) [preauth]

So I checked, and I had typed EXTRA_CONF instead of the correct variable; I recompiled with the sandbox disabled and it works now.
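Decoding the violation in comment 4: arch 0xc000003e is AUDIT_ARCH_X86_64 (the kernel reports x32 processes under the x86-64 arch; what distinguishes their syscalls is bit 30, __X32_SYSCALL_BIT = 0x40000000, set in the syscall number), 228 is clock_gettime in the x86-64 syscall table, and 0xff9ff6da is a 32-bit address, consistent with an x32 process. So the kill is for a clock_gettime issued with the plain 64-bit number rather than 228|0x40000000. The example below, added here and not OpenSSH's or Gentoo's code, shows why an allow-list built from x32 syscall numbers rejects exactly that call: it builds a seccomp-BPF allow-list in the usual shape (arch check, one JEQ/RET pair per allowed number, default kill) and evaluates it in a small cBPF interpreter, so it runs without installing a filter. The assumption that the x32 sshd build lists its syscalls with the x32 bit set, the allow-lists used, and all function names are the example's own, not the bug report's.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same values as the kernel UAPI headers (<linux/filter.h>,
 * <linux/seccomp.h>, <linux/audit.h>), repeated here so this builds
 * without them. */
#define BPF_LD   0x00
#define BPF_W    0x00
#define BPF_ABS  0x20
#define BPF_JMP  0x05
#define BPF_JEQ  0x10
#define BPF_K    0x00
#define BPF_RET  0x06
#define SECCOMP_RET_KILL  0x00000000u
#define SECCOMP_RET_ALLOW 0x7fff0000u
#define AUDIT_ARCH_X86_64 0xc000003eu   /* "arch:0xc000003e" in the log line */
#define AUDIT_ARCH_I386   0x40000003u
#define X32_SYSCALL_BIT   0x40000000u   /* __X32_SYSCALL_BIT: set on x32 syscall numbers */
#define NR_CLOCK_GETTIME  228u          /* "syscall:228": clock_gettime, x86-64 table */

struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; }; /* layout of struct sock_filter */
struct sc_data { uint32_t nr; uint32_t arch; };            /* leading fields of seccomp_data */
#define MAX_INSNS 64

/* Build an allow-list in the shape sandbox filters usually take: kill on a
 * foreign arch, then one JEQ/RET pair per allowed syscall number, default
 * kill. Returns the number of instructions written. */
size_t build_filter(struct insn *out, const uint32_t *allowed, size_t n)
{
    size_t i = 0, j;
    out[i++] = (struct insn){ BPF_LD | BPF_W | BPF_ABS, 0, 0, offsetof(struct sc_data, arch) };
    out[i++] = (struct insn){ BPF_JMP | BPF_JEQ | BPF_K, 1, 0, AUDIT_ARCH_X86_64 };
    out[i++] = (struct insn){ BPF_RET | BPF_K, 0, 0, SECCOMP_RET_KILL };
    out[i++] = (struct insn){ BPF_LD | BPF_W | BPF_ABS, 0, 0, offsetof(struct sc_data, nr) };
    for (j = 0; j < n && i + 3 <= MAX_INSNS; j++) {
        out[i++] = (struct insn){ BPF_JMP | BPF_JEQ | BPF_K, 0, 1, allowed[j] };
        out[i++] = (struct insn){ BPF_RET | BPF_K, 0, 0, SECCOMP_RET_ALLOW };
    }
    out[i++] = (struct insn){ BPF_RET | BPF_K, 0, 0, SECCOMP_RET_KILL };
    return i;
}

/* Run the filter on one syscall the way the kernel's cBPF interpreter would
 * (only the three opcodes used above are implemented). */
uint32_t decide(const struct insn *f, size_t n, uint32_t arch, uint32_t nr)
{
    struct sc_data d = { nr, arch };
    uint32_t acc = 0;
    size_t pc = 0;
    while (pc < n) {
        const struct insn *in = &f[pc++];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:          /* acc = 32-bit word at offset k */
            if (in->k + sizeof acc > sizeof d) return SECCOMP_RET_KILL;
            memcpy(&acc, (const char *)&d + in->k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:         /* skip jt or jf further instructions */
            pc += (acc == in->k) ? in->jt : in->jf;
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL;
        }
    }
    return SECCOMP_RET_KILL;                    /* ran off the end: kill */
}

/* The logged event (arch 0xc000003e, nr 228) under an allow-list that only
 * knows the x32 number 228|0x40000000. Assumption made for this example:
 * the x32 sshd build lists its syscalls with that bit set. */
uint32_t verdict_x32_numbers_only(void)
{
    struct insn f[MAX_INSNS];
    const uint32_t allowed[] = { NR_CLOCK_GETTIME | X32_SYSCALL_BIT };
    size_t n = build_filter(f, allowed, 1);
    return decide(f, n, AUDIT_ARCH_X86_64, NR_CLOCK_GETTIME);
}

/* Same event once the plain x86-64 number is allowed alongside the x32 one. */
uint32_t verdict_both_numbers(void)
{
    struct insn f[MAX_INSNS];
    const uint32_t allowed[] = { NR_CLOCK_GETTIME | X32_SYSCALL_BIT, NR_CLOCK_GETTIME };
    size_t n = build_filter(f, allowed, 2);
    return decide(f, n, AUDIT_ARCH_X86_64, NR_CLOCK_GETTIME);
}

/* The arch check still rejects the same number from a 32-bit i386 caller. */
uint32_t verdict_foreign_arch(void)
{
    struct insn f[MAX_INSNS];
    const uint32_t allowed[] = { NR_CLOCK_GETTIME | X32_SYSCALL_BIT, NR_CLOCK_GETTIME };
    size_t n = build_filter(f, allowed, 2);
    return decide(f, n, AUDIT_ARCH_I386, NR_CLOCK_GETTIME);
}

static const char *name(uint32_t v) { return v == SECCOMP_RET_ALLOW ? "allow" : "kill"; }

int main(void)
{
    printf("x32 numbers only, arch x86-64, nr 228: %s\n", name(verdict_x32_numbers_only()));
    printf("both numbers,     arch x86-64, nr 228: %s\n", name(verdict_both_numbers()));
    printf("both numbers,     arch i386,   nr 228: %s\n", name(verdict_foreign_arch()));
    return 0;
}
```

The point the three verdicts make is that an x32 allow-list cannot rely on the arch field to tell x32 from x86-64 callers, because both carry AUDIT_ARCH_X86_64; only the syscall number differs, so any path that issues the 64-bit number from an x32 process lands on the default kill. Allowing a 64-bit number in an x32 filter, as the second list does, should be done per syscall and deliberately, since it widens what the sandboxed process may call.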
Comment 5 SpanKY gentoo-dev 2015-08-04 02:34:58 UTC
*** Bug 556476 has been marked as a duplicate of this bug. ***
Comment 6 Stuart Shelton 2015-08-04 19:06:27 UTC
As per bug 556476, using `EXTRA_ECONF=--with-sandbox=rlimit` would be more secure; or there's an as-yet-unaccepted patch (albeit one which looks reasonable to an untrained eye) which adds libseccomp support and which appears to work.
Comment 7 SpanKY gentoo-dev 2015-08-05 08:21:25 UTC
Commit message: Use the rlimit sandbox for x32 ABI until the seccomp one is fixed
http://sources.gentoo.org/net-misc/openssh/openssh-6.9_p1-r2.ebuild?r1=1.11&r2=1.12
Comment 8 SpanKY gentoo-dev 2015-08-05 08:22:10 UTC
(In reply to Stuart Shelton from comment #6)

I've added that to the latest ebuild, but I'll leave this bug open until we can enable seccomp again for x32.
Comment 9 SpanKY gentoo-dev 2017-03-20 19:01:34 UTC
The seccomp sandbox seems to work with openssh-7.5_p1 under x32.