Bug#1006445: openssh-server: Killed by seccomp after accepting connection (i386)
Package: openssh-server
Version: 1:8.9p1-2.1
Severity: important
Tags: patch
Dear Maintainer,
After accepting an ssh connection, the sshd process is killed and I see
the following in dmesg:
audit: type=1326 audit(1645794361.669:40): auid=0 uid=100 gid=65534 ses=1 subj==unconfined pid=8338 comm="sshd" exe="/usr/sbin/sshd" sig=31 arch=40000003 syscall=414 compat=0 ip=0xb7ee3559 code=0x0
Syscall 414 is ppoll_time64, so I'm guessing this is fallout from
ongoing 2038 fixes.
The attached patch fixes this by adding ppoll_time64 to the seccomp sandbox filters,
which seems reasonable as ppoll is already allowed.
-- System Information:
Debian Release: bookworm/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 5.16.0-2-686-pae (SMP w/1 CPU thread; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages openssh-server depends on:
ii adduser 3.118
ii debconf [debconf-2.0] 1.5.79
ii dpkg 1.21.1
ii init-system-helpers 1.62
ii libaudit1 1:3.0.7-1
ii libc6 2.33-7
ii libcom-err2 1.46.5-2
ii libcrypt1 1:4.4.27-1.1
ii libgssapi-krb5-2 1.19.2-2
ii libkrb5-3 1.19.2-2
ii libpam-modules 1.4.0-11
ii libpam-runtime 1.4.0-11
ii libpam0g 1.4.0-11
ii libselinux1 3.3-1+b1
ii libssl1.1 1.1.1m-1
ii libsystemd0 250.3-2
ii libwrap0 7.6.q-31
ii lsb-base 11.1.0
ii openssh-client 1:8.9p1-2.1
ii openssh-sftp-server 1:8.9p1-2
ii procps 2:3.3.17-6
ii runit-helper 2.10.3
ii ucf 3.0043
ii zlib1g 1:1.2.11.dfsg-2
Versions of packages openssh-server recommends:
ii libpam-systemd [logind] 250.3-2
pn ncurses-term <none>
ii xauth 1:1.1-1
Versions of packages openssh-server suggests:
ii molly-guard 0.7.2
pn monkeysphere <none>
pn ssh-askpass <none>
pn ufw <none>
-- debconf information:
ssh/insecure_telnetd:
ssh/vulnerable_host_keys:
* ssh/use_old_init_script: true
ssh/new_config: true
ssh/insecure_rshd:
* openssh-server/permit-root-login: true
ssh/disable_cr_auth: false
openssh-server/password-authentication: false
ssh/encrypted_host_key_but_no_keygen:
diff -ur clean/sandbox-seccomp-filter.c openssh-8.9p1/sandbox-seccomp-filter.c
--- clean/sandbox-seccomp-filter.c 2022-02-23 11:31:11.000000000 +0000
+++ openssh-8.9p1/sandbox-seccomp-filter.c 2022-02-25 13:16:17.319892443 +0000
@@ -273,6 +273,9 @@
#ifdef __NR__newselect
SC_ALLOW(__NR__newselect),
#endif
+#ifdef __NR_ppoll_time64
+ SC_ALLOW(__NR_ppoll_time64),
+#endif
#ifdef __NR_ppoll
SC_ALLOW(__NR_ppoll),
#endif
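Review bot: the new __NR_ppoll_time64 entry is inserted above the existing __NR_ppoll entry, between __NR__newselect and ppoll, with nothing to say why it is there. Placing it directly after the __NR_ppoll block would keep each time64 variant next to its base syscall, and a one-line comment (for example that 32-bit libc may issue the time64 form of ppoll) would help future readers. Since this hunk covers only ppoll, it is also worth checking whether the other time-taking syscalls on the allow list have time64 variants that need the same #ifdef-guarded SC_ALLOW, so the next kill is not found one syscall at a time.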
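Added example (not part of the original report or of OpenSSH): a small Python triage helper that decodes a SECCOMP audit record like the one quoted in the report and flags a denied time64 syscall together with its legacy counterpart, the pattern this bug shows. The function names and the embedded sample line are constructed for illustration.

```python
import re

# Constructed input: the dmesg record quoted in the report above.
SAMPLE = ('audit: type=1326 audit(1645794361.669:40): auid=0 uid=100 gid=65534 '
          'ses=1 subj==unconfined pid=8338 comm="sshd" exe="/usr/sbin/sshd" '
          'sig=31 arch=40000003 syscall=414 compat=0 ip=0xb7ee3559 code=0x0')

# AUDIT_ARCH value = ELF e_machine | 0x80000000 (64-bit) | 0x40000000 (little-endian)
EM_NAMES = {3: "i386", 40: "arm", 62: "x86_64", 183: "aarch64"}
# The "code" field carries the seccomp return action that fired.
ACTIONS = {0x0: "KILL_THREAD", 0x80000000: "KILL_PROCESS", 0x30000: "TRAP"}
# time64 syscalls occupy 403-423 on 32-bit ABIs such as i386 and arm; 415 is unassigned.
TIME64 = dict(zip(range(403, 424), (
    "clock_gettime64 clock_settime64 clock_adjtime64 clock_getres_time64 "
    "clock_nanosleep_time64 timer_gettime64 timer_settime64 timerfd_gettime64 "
    "timerfd_settime64 utimensat_time64 pselect6_time64 ppoll_time64 - "
    "io_pgetevents_time64 recvmmsg_time64 mq_timedsend_time64 "
    "mq_timedreceive_time64 semtimedop_time64 rt_sigtimedwait_time64 "
    "futex_time64 sched_rr_get_interval_time64").split()))

def parse_seccomp_record(line):
    """Return the key=value fields of a type=1326 (SECCOMP) record, else None."""
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    if fields.get("type") != "1326":
        return None
    return {k: v.strip('"') for k, v in fields.items()}

def triage(line):
    """Decode arch/action and flag a denied time64 syscall on a 32-bit ABI."""
    rec = parse_seccomp_record(line)
    if rec is None:
        return None
    arch, nr = int(rec["arch"], 16), int(rec["syscall"])
    is_32bit = not arch & 0x80000000
    name = TIME64.get(nr) if is_32bit else None
    name = None if name == "-" else name
    # ppoll_time64 -> ppoll, clock_gettime64 -> clock_gettime, ...
    legacy = re.sub(r"(_time)?64$", "", name) if name else None
    return {"comm": rec.get("comm"),
            "arch": EM_NAMES.get(arch & 0xFFFF, hex(arch)),
            "action": ACTIONS.get(int(rec["code"], 16), rec["code"]),
            "syscall": nr, "time64_name": name, "legacy_counterpart": legacy}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A non-empty legacy_counterpart means the filter should be checked for the legacy name: if that one is allowed and the time64 form is not, the kill is an allow-list gap rather than unexpected process behaviour.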