Originally reported by chutzpah on #gentoo-toolchain as an estrip failure against glibc-2.31.

To reproduce:

$ FEATURES=fakeroot emerge -v1 openssh
...
.../estrip: line 38: 242399 Bad system call scanelf -yqRBF '#k%F' -k '.symtab' "${find_paths[@]}"

"""
$ gdb /usr/bin/scanelf /var/tmp/portage/net-misc/openssh-8.1_p1-r2/image/core
GNU gdb (Gentoo 9.1 vanilla) 9.1
Copyright (C) 2020 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<https://bugs.gentoo.org/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.

For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from /usr/bin/scanelf...
Reading symbols from /usr/lib/debug//usr/bin/scanelf.debug...
[New LWP 1203329]
Core was generated by `scanelf -qyRF %a;%p;%S;%r;%n /var/tmp/portage/net-misc/openssh-8.1_p1-r2/image/'.
Program terminated with signal SIGSYS, Bad system call.
#0 __semtimedop (semid=163855, sops=sops@entry=0x7ffe0d27e2f2, nsops=nsops@entry=1, timeout=timeout@entry=0x0) at ../sysdeps/unix/sysv/linux/semtimedop.c:33
33 ../sysdeps/unix/sysv/linux/semtimedop.c: No such file or directory.
(gdb) bt
#0 __semtimedop (semid=163855, sops=sops@entry=0x7ffe0d27e2f2, nsops=nsops@entry=1, timeout=timeout@entry=0x0) at ../sysdeps/unix/sysv/linux/semtimedop.c:33
#1 0x00007f54c7ddaeef in semop (semid=<optimized out>, sops=sops@entry=0x7ffe0d27e2f2, nsops=nsops@entry=1) at ../sysdeps/unix/sysv/linux/semop.c:29
#2 0x00007f54c7f40bf9 in semaphore_up () at communicate.c:407
#3 0x00007f54c7f40d1f in send_get_fakem (buf=0x7ffe0d27e350) at communicate.c:548
#4 send_get_fakem (buf=0x7ffe0d27e350) at communicate.c:517
#5 0x00007f54c7f41158 in send_get_stat64 (st=st@entry=0x7ffe0d27e810) at communicate.c:849
#6 0x00007f54c7f3e802 in __fxstatat64 (ver=<optimized out>, dir_fd=<optimized out>, path=<optimized out>, st=0x7ffe0d27e810, flags=<optimized out>) at libfakeroot.c:763
#7 0x000055d533aa4aa7 in fstatat64 (__flag=256, __statbuf=0x7ffe0d27e810, __filename=<optimized out>, __fd=<optimized out>) at /usr/include/sys/stat.h:477
#8 scanelf_dirat (dir_fd=-100, path=0x7ffe0d280b86 "/var/tmp/portage/net-misc/openssh-8.1_p1-r2/image/") at scanelf.c:1691
#9 0x000055d533aa598a in parseargs (argc=<optimized out>, argv=<optimized out>) at scanelf.c:2258
#10 0x000055d533a9a565 in main (argc=4, argv=0x7ffe0d27fc68) at scanelf.c:2346
(gdb)
"""
The suspect is missing 'semtimedop' whitelist in https://gitweb.gentoo.org/proj/pax-utils.git/tree/security.c?id=519f07f7f3bdb29382a0f1491f6fce0a07bbc4fc#n164
The working workarounds so far:
- FEATURES=-fakeroot
- pax-utils[-seccomp]
- whitelist semtimedop() in security.c of pax-utils

glibc-2.3 switched semop() implementation from semop to semtimedop in https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=765cdd0bffd77960ae852104fc4ea5edcdb8aed3
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/pax-utils.git/commit/?id=10d0713996478d544853f08b18c09d4b73d52d58

commit 10d0713996478d544853f08b18c09d4b73d52d58
Author: Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2020-02-16 10:43:35 +0000
Commit: Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2020-02-16 10:43:35 +0000

security.c: allow 'semtimedop' in seccomp sandbox (glibc-2.31)

glibc-2.31 switched semop() libc implementation from semop() to semtimedop() in
https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=765cdd0bffd77960a
("sysvipc: Implement semop based on semtimedop")

This caused pax-utils to fail under fakeroot as:

```
$ fakeroot scanelf -yqRBF '#k%F' -k '.symtab' /bin/bash
.../usr/bin/fakeroot: line 178: 103268 Bad system call
...
Program terminated with signal SIGSYS, Bad system call.
33 ../sysdeps/unix/sysv/linux/semtimedop.c: No such file or directory.
(gdb) bt
(gdb)
```

The change whitelists 'semtimedop' syscall.

Reported-by: Patrick McLean
Bug: https://bugs.gentoo.org/709794
Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>

security.c | 1 +
1 file changed, 1 insertion(+)
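The failure and the fix from the commit above, reproduced as an added example (not code from pax-utils or from this bug): a raw seccomp-BPF allowlist that kills on any unlisted syscall, probed with a direct `semtimedop` call. It assumes x86_64 Linux; the two allowlists and the function names are constructed for the demo.

```c
#define _GNU_SOURCE
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed allowlists for the demo; not the list from pax-utils' security.c. */
static const int before_fix[] = { __NR_exit_group, __NR_semop };
static const int after_fix[] = { __NR_exit_group, __NR_semop, __NR_semtimedop };

/* Allow only the listed syscalls, kill on anything else.
 * A production filter would also check seccomp_data.arch first. */
static int install_allowlist(const int *nrs, size_t n) {
    struct sock_filter f[64];
    size_t k = 0;
    if (2 * n + 2 > 64) return -1;
    f[k++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t i = 0; i < n; i++) {
        f[k++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)nrs[i], 0, 1);
        f[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    }
    f[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    struct sock_fprog prog = { .len = (unsigned short)k, .filter = f };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Fork a child, sandbox it, then issue semtimedop directly (the syscall that
 * glibc-2.31's semop() makes). Returns 0 on clean exit, the fatal signal
 * number if the child was killed, or -1 on setup error. */
static int probe_semtimedop(const int *nrs, size_t n) {
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (install_allowlist(nrs, n)) _exit(2);
        /* Invalid semid: the call simply fails when it is allowed. */
        syscall(__NR_semtimedop, -1, NULL, 0, NULL);
        _exit(0);
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (WIFSIGNALED(status)) return WTERMSIG(status);
    return WEXITSTATUS(status) == 0 ? 0 : -1;
}

int main(void) {
    printf("semop only:       %d (SIGSYS is %d)\n", probe_semtimedop(before_fix, 2), SIGSYS);
    printf("semop+semtimedop: %d\n", probe_semtimedop(after_fix, 3));
    return 0;
}
```

The same pattern applies whenever a libc update changes which syscall backs a wrapper: an allowlist keyed on the old syscall number fails closed with SIGSYS until the new one is added.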
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f1755640c7f30db4bc392ee72585f12a39f15da6

commit f1755640c7f30db4bc392ee72585f12a39f15da6
Author: Sergei Trofimovich <slyfox@gentoo.org>
AuthorDate: 2020-02-16 13:04:31 +0000
Commit: Sergei Trofimovich <slyfox@gentoo.org>
CommitDate: 2020-02-16 13:06:38 +0000

app-misc/pax-utils: bump up to 1.2.5, bug #709794

Two minor changes:
- security.c: allow 'semtimedop' in seccomp sandbox (glibc-2.31)
- dumpelf.c: add missing break when decoding SHT_GNU_LIBLIST

Reported-by: Patrick McLean
Closes: https://bugs.gentoo.org/709794
Package-Manager: Portage-2.3.89, Repoman-2.3.20
Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>

app-misc/pax-utils/Manifest | 1 +
app-misc/pax-utils/pax-utils-1.2.5.ebuild | 72 +++++++++++++++++++++++++++++++
2 files changed, 73 insertions(+)