
Bug#751417: linux-image-3.2.0-4-5kc-malta: no SIGKILL after prctl(PR_SET_SECCOMP, 1, ...) on MIPS



Control: tag -1 security upstream patch moreinfo
Control: severity -1 grave
Control: found -1 3.14.5-1

On Thu, 2014-06-12 at 16:19 +0000, Plamen Alexandrov wrote:
> Package: src:linux
> Version: 3.2.51-1
> Severity: normal
> 
> Under MIPS the system call prctl(PR_SET_SECCOMP, 1, ...) does not behave as expected.
> According to the manual page, after calling it with 1 as the second argument, any subsequent system call other than read(), write(), _exit() and sigreturn() should result in the delivery of SIGKILL. However, under MIPS every subsequent system call behaves as if prctl(PR_SET_SECCOMP, 1, ...) had never been called.
> 
> Here is a simple example that can be used to reproduce the bug:
> 
> plamen@debian-mips:/tmp$ id
> uid=1000(plamen) gid=1000(user) groups=1000(user)
> plamen@debian-mips:/tmp$ cat prctl.c 
> #include <unistd.h>
> #include <sys/prctl.h>
> #include <stdio.h>
> 
> int main(void)
> {
> 	/* Enter strict seccomp (mode 1). According to the manual page, from
> 	 * this point only read(), write(), _exit() and sigreturn() are
> 	 * allowed; any other system call should deliver SIGKILL.
> 	 * If prctl() itself fails, exit quietly without printing anything. */
> 	if (prctl(PR_SET_SECCOMP, 1, 0, 0, 0) != 0)
> 		return 0;
> 	/* getuid() is not on the strict-mode allow list, so the process
> 	 * should be killed here. Reaching the printf() below (the "1000"
> 	 * output in the report) shows the restriction is not enforced. */
> 	uid_t uid = getuid();
> 	printf("%u\n", (unsigned)uid);
> 	return 0;
> }
> plamen@debian-mips:/tmp$ gcc prctl.c -o prctl
> plamen@debian-mips:/tmp$ ./prctl 
> 1000
> 
> There is no change if I replace
> 	if (prctl(PR_SET_SECCOMP, 1, 0, 0, 0) != 0)
> with
> 	if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT, 0, 0, 0) != 0)
> and I add #include <linux/seccomp.h>

Indeed, I see no check for seccomp on the MIPS syscall 'fast path'.  The
seccomp check appears to be done on the 'slow path' which is used only
if tracing or audit is also enabled for the task.  If I run the above
program under strace, it is killed as expected.

Could you test whether the attached patches fix this?  (Instructions for
rebuilding the Debian kernel package with patches can be found at
<http://kernel-handbook.alioth.debian.org/ch-common-tasks.html#s-common-official>.  These patches apply to 'wheezy'.)

Ben.

-- 
Ben Hutchings
The program is absolutely right; therefore, the computer must be wrong.
From: Ralf Baechle <ralf@linux-mips.org>
Date: Wed, 29 May 2013 01:02:18 +0200
Subject: MIPS: Cleanup flags in syscall flags handlers.
Origin: https://git.kernel.org/linus/e7f3b48af7be9f8007a224663a5b91340626fed5

This will simplify further modifications.

Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
---
 arch/mips/include/asm/thread_info.h | 2 ++
 arch/mips/kernel/scall32-o32.S      | 2 +-
 arch/mips/kernel/scall64-64.S       | 2 +-
 arch/mips/kernel/scall64-n32.S      | 2 +-
 arch/mips/kernel/scall64-o32.S      | 2 +-
 5 files changed, 6 insertions(+), 4 deletions(-)

--- a/arch/mips/include/asm/thread_info.h
+++ b/arch/mips/include/asm/thread_info.h
@@ -149,6 +149,8 @@ register struct thread_info *__current_t
 #define _TIF_FPUBOUND		(1<<TIF_FPUBOUND)
 #define _TIF_LOAD_WATCH		(1<<TIF_LOAD_WATCH)
 
+#define _TIF_WORK_SYSCALL_ENTRY	(_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT)
+
 /* work to do in syscall_trace_leave() */
 #define _TIF_WORK_SYSCALL_EXIT	(_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT)
 
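Review bot: The added _TIF_WORK_SYSCALL_ENTRY definition carries no comment, while the neighbouring _TIF_WORK_SYSCALL_EXIT is introduced by `/* work to do in syscall_trace_leave() */`; a parallel `/* work to do on syscall entry, before the syscall is dispatched */` above the new line would tell a reader that this mask is what the `li t1, _TIF_WORK_SYSCALL_ENTRY` loads in the four scall*.S entry points test. With only the trace and audit bits in it the mask is behaviour-neutral, so this is documentation only.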
--- a/arch/mips/kernel/scall32-o32.S
+++ b/arch/mips/kernel/scall32-o32.S
@@ -52,7 +52,7 @@ NESTED(handle_sys, PT_SIZE, sp)
 
 stack_done:
 	lw	t0, TI_FLAGS($28)	# syscall tracing enabled?
-	li	t1, _TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT
+	li	t1, _TIF_WORK_SYSCALL_ENTRY
 	and	t0, t1
 	bnez	t0, syscall_trace_entry	# -> yes
 
--- a/arch/mips/kernel/scall64-64.S
+++ b/arch/mips/kernel/scall64-64.S
@@ -54,7 +54,7 @@ NESTED(handle_sys64, PT_SIZE, sp)
 
 	sd	a3, PT_R26(sp)		# save a3 for syscall restarting
 
-	li	t1, _TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT
+	li	t1, _TIF_WORK_SYSCALL_ENTRY
 	LONG_L	t0, TI_FLAGS($28)	# syscall tracing enabled?
 	and	t0, t1, t0
 	bnez	t0, syscall_trace_entry
--- a/arch/mips/kernel/scall64-n32.S
+++ b/arch/mips/kernel/scall64-n32.S
@@ -53,7 +53,7 @@ NESTED(handle_sysn32, PT_SIZE, sp)
 
 	sd	a3, PT_R26(sp)		# save a3 for syscall restarting
 
-	li	t1, _TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT
+	li	t1, _TIF_WORK_SYSCALL_ENTRY
 	LONG_L	t0, TI_FLAGS($28)	# syscall tracing enabled?
 	and	t0, t1, t0
 	bnez	t0, n32_syscall_trace_entry
--- a/arch/mips/kernel/scall64-o32.S
+++ b/arch/mips/kernel/scall64-o32.S
@@ -81,7 +81,7 @@ NESTED(handle_sys, PT_SIZE, sp)
 	PTR	4b, bad_stack
 	.previous
 
-	li	t1, _TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT
+	li	t1, _TIF_WORK_SYSCALL_ENTRY
 	LONG_L	t0, TI_FLAGS($28)	# syscall tracing enabled?
 	and	t0, t1, t0
 	bnez	t0, trace_a_syscall
--- a/arch/mips/include/asm/thread_info.h
+++ b/arch/mips/include/asm/thread_info.h
@@ -149,7 +149,7 @@ register struct thread_info *__current_t
 #define _TIF_FPUBOUND		(1<<TIF_FPUBOUND)
 #define _TIF_LOAD_WATCH		(1<<TIF_LOAD_WATCH)
 
-#define _TIF_WORK_SYSCALL_ENTRY	(_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT)
+#define _TIF_WORK_SYSCALL_ENTRY	(_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | _TIF_SECCOMP)
 
 /* work to do in syscall_trace_leave() */
 #define _TIF_WORK_SYSCALL_EXIT	(_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT)
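Review bot: Adding _TIF_SECCOMP to _TIF_WORK_SYSCALL_ENTRY only diverts a seccomp-enabled task off the fast path; the fix holds only if the branch targets in the four scall*.S files (syscall_trace_entry, n32_syscall_trace_entry, trace_a_syscall) actually perform the seccomp check for every ABI, which the mail states but this hunk cannot show, so it is worth confirming in the wheezy tree, and the reporter's prctl.c is a ready regression check whose expected post-patch outcome is a killed process with no output. The `# syscall tracing enabled?` comments beside those four loads are now incomplete since the mask also covers seccomp; `# trace/audit/seccomp work on syscall entry?` would be accurate. The hunk also assumes _TIF_SECCOMP is already defined earlier in this header, outside the hunk. This appears to be a second attached patch, but no From/Subject header for it is visible on this page.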


