Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 553748 - >=net-misc/openssh-6.7_p1: connection refused on x32 (regression) when using seccomp sandbox
Summary: >=net-misc/openssh-6.7_p1: connection refused on x32 (regression) when using ...
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Server (show other bugs)
Hardware: AMD64 Linux
: Normal critical with 1 vote (vote)
Assignee: Gentoo's Team for Core System packages
: 556476 (view as bug list)
Depends on:
Blocks: x32
  Show dependency tree
Reported: 2015-07-01 21:11 UTC by Kyle Sanderson
Modified: 2017-03-20 19:01 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Kyle Sanderson 2015-07-01 21:11:15 UTC
openssh builds no problem on x32, however on 6.7 onwards there's a silent failure that results in dropping all incoming connections. I did a pretty significant package upgrade yesterday (roughly a year out of date), with the result of being locked out of the system. I've build dropbear with -m64 so it builds, however 6.6 should be restored...

Please restore an ebuild from 6.6.


This is pretty serious for remote users; I'm lucky as I have IPMI access to the box.

Reproducible: Always
Comment 1 Kyle Sanderson 2015-07-01 21:38:38 UTC
Confirming building with -m64 results in a functional openssh with net-misc/openssh-6.8_p1-r5, this is super dangerous.
Comment 2 SpanKY gentoo-dev 2015-07-08 10:06:05 UTC
try emerging with EXTRA_ECONF=--with-sandbox=no.  that will tell us whether the new seccomp code is causing a problem.
Comment 3 Tiago Marques 2015-08-01 12:29:23 UTC
(In reply to SpanKY from comment #2)
> try emerging with EXTRA_ECONF=--with-sandbox=no.  that will tell us whether
> the new seccomp code is causing a problem.

Tried this to no avail. I'm having the exact same issue though I have another system with up to date OpenSSL and OpenSSH that does not have the same problem. On the machine I do have the issue, I can have it run on a stage3 x32 sshd (6.6) but not with the same x32 binary I have running ok elsewhere - just closes the connection.
Comment 4 Tiago Marques 2015-08-01 13:32:56 UTC
After compiling with "debug" flag, log shows:

[sshd] fatal: ssh_sandbox_violation: unexpected system call (arch:0xc000003e,syscall:228 @ 0xff9ff6da) [preauth]

So I checked and I typed EXTRA_CONF instead of the correct variable and recompiled again with sandbox disabled and it works now.
Comment 5 SpanKY gentoo-dev 2015-08-04 02:34:58 UTC
*** Bug 556476 has been marked as a duplicate of this bug. ***
Comment 6 Stuart Shelton 2015-08-04 19:06:27 UTC
As per Bug 556476, using `EXTRA_ECONF=--with-sandbox=rlimit` would be more secure, or there's an as-yet-unaccepted patch (albeit one which looks reasonable to an untrained eye) which adds libseccomp support, and which appears to work.
Comment 7 SpanKY gentoo-dev 2015-08-05 08:21:25 UTC
Commit message: Use the rlimit sandbox for x32 ABI until the seccomp one is fixed
Comment 8 SpanKY gentoo-dev 2015-08-05 08:22:10 UTC
(In reply to Stuart Shelton from comment #6)

i've added that to the latest ebuild, but i'll leave this bug open until we can enable seccomp again for x32
Comment 9 SpanKY gentoo-dev 2017-03-20 19:01:34 UTC
seccomp sandbox seems to work w/openssh-7.5_p1 under x32