public inbox for glibc-bugs@sourceware.org
help / color / mirror / Atom feed
* [Bug libc/29118] New: 64 bit time and seccomp conflict
@ 2022-05-04 5:03 alacki93 at gmail dot com
2022-05-04 10:02 ` [Bug libc/29118] " fweimer at redhat dot com
0 siblings, 1 reply; 2+ messages in thread
From: alacki93 at gmail dot com @ 2022-05-04 5:03 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=29118
Bug ID: 29118
Summary: 64 bit time and seccomp conflict
Product: glibc
Version: 2.34
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: libc
Assignee: unassigned at sourceware dot org
Reporter: alacki93 at gmail dot com
CC: drepper.fsp at gmail dot com
Target Milestone: ---
I found that glibc with support for 64-bit time could crash process that uses
seccomp. Problem was figured in OpenSSH process. Test environment:
-Kernel 4.14.x
-32 bit ARM CPU
-glibc 2.34
-OpenSSH 8.9p1
-Toolchain: GCC 10
Syscall wrappers like a clock_gettime (sysdeps/unix/sysv/linux/clock_gettime.c)
first run syscall dedicated for kernels that support 64 bit time. If this
syscall failed with ENOSYS error, then glibc calls traditional variant for 32
bit time.
OpenSSH in source code tries to figure which syscalls are supported by kernel
and only supported syscalls are added as an allowed in seccomp
(https://github.com/openssh/openssh-portable/blob/master/sandbox-seccomp-filter.c).
Because kernel 4.14 doesn’t support syscalls for 64 bit time,
__NR_clock_gettime64 is not added as a trusted syscall to seccomp. As a result
OpenSSH process is killed by seccomp every time when it tries to use
clock_gettime from glibc.
I found that this problem affects OpenSSH, but probably there can be other
projects that uses seccomp in similar way. Proposed solution is to add a build
flag that could disable all syscalls with 64 bit time during glibc compilation.
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 2+ messages in thread
* [Bug libc/29118] 64 bit time and seccomp conflict
2022-05-04 5:03 [Bug libc/29118] New: 64 bit time and seccomp conflict alacki93 at gmail dot com
@ 2022-05-04 10:02 ` fweimer at redhat dot com
0 siblings, 0 replies; 2+ messages in thread
From: fweimer at redhat dot com @ 2022-05-04 10:02 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=29118
Florian Weimer <fweimer at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |INVALID
Status|UNCONFIRMED |RESOLVED
CC| |fweimer at redhat dot com
Flags| |security-
--- Comment #1 from Florian Weimer <fweimer at redhat dot com> ---
This really isn't a glibc problem. It looks like you'll have to build OpenSSH
with newer kernel headers, or contribute system call number constants for
32-bit Arm to the portable OpenSSH project.
--
You are receiving this mail because:
You are on the CC list for the bug.
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2022-05-04 10:02 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-05-04 5:03 [Bug libc/29118] New: 64 bit time and seccomp conflict alacki93 at gmail dot com
2022-05-04 10:02 ` [Bug libc/29118] " fweimer at redhat dot com
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).