https://bugzilla.mindrot.org/show_bug.cgi?id=2590
Joshua Kinard <[email protected]> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|CLOSED |REOPENED Resolution|FIXED |--- CC| |[email protected] --- Comment #3 from Joshua Kinard <[email protected]> --- (In reply to Damien Miller from comment #1) > Patch applied - thank-you very much for doing the testing for these. > This will be in the openssh-7.3 release. I hate to reopen, but I found a corner case for MIPS broken by the MIPS whitelist. Specifically, the proposed whitelist does not account for MIPS N32 ABI (under mips64). Specifically: + mips64-*) + seccomp_audit_arch=AUDIT_ARCH_MIPS64 There needs to be another hook to somehow detect N32 and then set either AUDIT_ARCH_MIPS64 (big-endian) or AUDIT_ARCH_MIPSEL64N32 (little-endian). I believe there's a known/defined CHOST tuple to specify an N32 userland, but it's not common, so CHOST seems to be unreliable to detect this. I am not sure of another reasonable way to do so right now. Without this fix, on mips64/N32 platforms, "UsePrivilegeSeparation sandbox" will fail and not allow a client to connect. Per strace: [pid 1883] prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) = 0 [pid 1883] prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, {len=57, filter=0x565f3920}) = 0 [pid 1883] write(3, "\0\0\3|\10\24\270\256hb<\257-\30\216\214L\301\35\230\10\233\0\0\0\324curve2"..., 896 <unfinished ...> [pid 1883] --- SIGSYS {si_signo=SIGSYS, si_code=SYS_SECCOMP, si_call_addr=NULL, si_syscall=__NR_write, si_arch=AUDIT_ARCH_MIPS64N32} --- [pid 1883] <... write resumed> ) = -1 ERRNO_6001 (Unknown error 6001) [pid 1883] --- SIGSYS {si_signo=SIGSYS, si_code=SYS_SECCOMP, si_call_addr=NULL, si_syscall=__NR_write, si_arch=AUDIT_ARCH_MIPS64N32} --- [pid 1882] <... poll resumed> ) = 2 ([{fd=6, revents=POLLIN|POLLHUP}, {fd=7, revents=POLLHUP}]) [pid 1883] +++ killed by SIGSYS +++ [pid 1882] --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_KILLED, si_pid=1883, si_uid=22, si_status=SIGSYS, si_utime=0, si_stime=0} --- [pid 1882] read(7, "", 4) = 0 [pid 1882] close(7) = 0 [pid 1882] poll([{fd=6, events=POLLIN}], 1, -1) = 1 ([{fd=6, revents=POLLIN|POLLHUP}]) [pid 1882] read(6, "", 4) = 0 [pid 1882] kill(1883, SIGKILL) = 0 [pid 1882] exit_group(255) = ? [pid 1882] +++ exited with 255 +++ Switching to "UsePrivilegeSeparation yes" is a workaround, but seems suboptimal. -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug. _______________________________________________ openssh-bugs mailing list [email protected] https://lists.mindrot.org/mailman/listinfo/openssh-bugs
