From: bugzilla@busybox.net
To: buildroot@uclibc.org
Subject: [Buildroot] [Bug 14796] New: 64 bit time and seccomp conflict (OpenSSH server crash)
Date: Tue, 10 May 2022 06:54:57 +0000
Message-ID: <bug-14796-163@https.bugs.busybox.net/>
https://bugs.busybox.net/show_bug.cgi?id=14796
Bug ID: 14796
Summary: 64 bit time and seccomp conflict (OpenSSH server crash)
Product: buildroot
Version: 2022.02
Hardware: All
OS: Linux
Status: NEW
Severity: major
Priority: P5
Component: Other
Assignee: unassigned@buildroot.uclibc.org
Reporter: alacki93@gmail.com
CC: buildroot@uclibc.org
Target Milestone: ---
I found that glibc with support for 64-bit time could crash the OpenSSH (sshd)
process when seccomp is enabled. Test environment:
- Kernel 4.14.x with seccomp enabled
- 32-bit ARM CPU
- glibc 2.34
- OpenSSH 8.9p1 with the seccomp sandbox enabled
- Toolchain: GCC 10
Syscall wrappers like clock_gettime
(https://github.com/bminor/glibc/blob/glibc-2.34/sysdeps/unix/sysv/linux/clock_gettime.c)
first run the syscall dedicated to kernels that support 64-bit time. If this
syscall fails with an ENOSYS error, glibc then calls the traditional variant for
32-bit time. If you run sshd with strace, you can find entries like this:
4628 clock_gettime64(CLOCK_BOOTTIME, 0xbe8c1488) = -1 ENOSYS (Function not implemented)
4628 clock_gettime(CLOCK_BOOTTIME, {tv_sec=247, tv_nsec=653301168}) = 0
Usually this is not a problem, but sshd uses seccomp. OpenSSH in its source
code adds to seccomp the syscalls that can be found in the kernel headers
(https://github.com/openssh/openssh-portable/blob/master/sandbox-seccomp-filter.c).
If you use a kernel without support for 64-bit time, the related syscalls are
not registered as allowed in seccomp. If sshd tries to use clock_gettime from
glibc after initializing seccomp, the process will be killed:
4637 clock_gettime64(CLOCK_BOOTTIME, <unfinished ...>
4637 <... clock_gettime64 resumed> <unfinished ...>) = ?
4637 +++ killed by SIGSYS +++
4628 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_KILLED, si_pid=4637, si_uid=101, si_status=SIGSYS, si_utime=4, si_stime=0} ---
4628 kill(4637, SIGKILL)
From the user's perspective, it looks like the connection with the server was
closed before any password prompt.
Support for 64-bit time was added in kernel 5.1
(https://www.phoronix.com/scan.php?page=news_item&px=Linux-5.1-Year-2038-Syscalls).
Older (but still supported) kernels like 4.14 don't have this feature.
Temporary solutions to fix this bug are:
- Building OpenSSH without seccomp
- Building the kernel without seccomp
- Patching glibc to remove the clock_gettime64 syscall (and other syscalls that
  use 64-bit time).
Disabling seccomp is the easiest workaround, but it decreases the security of sshd.
--
You are receiving this mail because:
You are on the CC list for the bug.
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
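
Added example, not part of the original report and not OpenSSH or glibc code: a C model of the failure described in the message above, in which a small classic-BPF allow-list is evaluated before a simulated 4.14 kernel sees the call. The `have_time64` flag, the function names and the hard-coded 32-bit ARM EABI syscall numbers (263 and 403) are assumptions of this example.

```c
#include <errno.h>
#include <stdint.h>

/* Classic-BPF encodings as in <linux/filter.h> and <linux/seccomp.h>. */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
enum { LD_ABS = 0x20, JEQ_K = 0x15, RET_K = 0x06 };
enum { RET_KILL = 0, RET_ALLOW = 0x7fff0000 };
enum { NR_CLOCK_GETTIME = 263, NR_CLOCK_GETTIME64 = 403 }; /* 32-bit ARM EABI */
enum outcome { TIME_OK, KILLED_SIGSYS, TIME_FAILED };

/* Allow-list, default kill; have_time64 (assumed flag) = headers define __NR_clock_gettime64. */
static int build_filter(struct insn *f, int have_time64) {
    int n = 0;
    f[n++] = (struct insn){ LD_ABS, 0, 0, 0 };  /* load seccomp_data.nr */
    f[n++] = (struct insn){ JEQ_K, 0, 1, NR_CLOCK_GETTIME };
    f[n++] = (struct insn){ RET_K, 0, 0, RET_ALLOW };
    if (have_time64) {
        f[n++] = (struct insn){ JEQ_K, 0, 1, NR_CLOCK_GETTIME64 };
        f[n++] = (struct insn){ RET_K, 0, 0, RET_ALLOW };
    }
    f[n++] = (struct insn){ RET_K, 0, 0, RET_KILL };
    return n;
}

/* Evaluate the filter for one syscall number; this runs before dispatch. */
static uint32_t run_filter(const struct insn *f, int n, uint32_t nr) {
    uint32_t acc = 0;
    for (int pc = 0; pc < n; pc++) {
        if (f[pc].code == LD_ABS) acc = nr;
        else if (f[pc].code == JEQ_K) pc += (acc == f[pc].k) ? f[pc].jt : f[pc].jf;
        else return f[pc].k;  /* RET_K */
    }
    return RET_KILL;
}

/* Kernel 4.14 model: only the legacy syscall exists, the other is ENOSYS. */
static int kernel_4_14(uint32_t nr) { return nr == NR_CLOCK_GETTIME ? 0 : -ENOSYS; }

/* glibc 2.34 wrapper order: time64 syscall first, legacy one on ENOSYS. */
static enum outcome sandboxed_clock_gettime(int have_time64) {
    struct insn f[8];
    int n = build_filter(f, have_time64);
    const uint32_t order[] = { NR_CLOCK_GETTIME64, NR_CLOCK_GETTIME };
    for (int i = 0; i < 2; i++) {
        if (run_filter(f, n, order[i]) != RET_ALLOW) return KILLED_SIGSYS;
        if (kernel_4_14(order[i]) != -ENOSYS) return TIME_OK;
    }
    return TIME_FAILED;
}
int main(void) { return sandboxed_clock_gettime(0) == KILLED_SIGSYS ? 0 : 1; }
```

With `have_time64` set to 0 the first call in the wrapper never reaches the kernel's ENOSYS path, which is why the fallback to the 32-bit syscall cannot happen inside the sandbox.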