
Bug#1006445: marked as done (openssh-server: Killed by seccomp after accepting connection (i386))



Your message dated Fri, 25 Feb 2022 23:49:11 +0000
with message-id <E1nNkKl-000D8n-L4@fasolo.debian.org>
and subject line Bug#1006445: fixed in openssh 1:8.9p1-3
has caused the Debian Bug report #1006445,
regarding openssh-server: Killed by seccomp after accepting connection (i386)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1006445: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1006445
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: openssh-server
Version: 1:8.9p1-2.1
Severity: important
Tags: patch

Dear Maintainer,

After accepting an ssh connection, the sshd process is killed and I see
the following in dmesg:

audit: type=1326 audit(1645794361.669:40): auid=0 uid=100 gid=65534 ses=1 subj==unconfined pid=8338 comm="sshd" exe="/usr/sbin/sshd" sig=31 arch=40000003 syscall=414 compat=0 ip=0xb7ee3559 code=0x0

Syscall 414 is ppoll_time64, so I'm guessing this is fallout from
ongoing 2038 fixes.

The attached patch fixes this by adding ppoll_time64 to the seccomp sandbox filters,
which seems reasonable as ppoll is already allowed.

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 5.16.0-2-686-pae (SMP w/1 CPU thread; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openssh-server depends on:
ii  adduser                3.118
ii  debconf [debconf-2.0]  1.5.79
ii  dpkg                   1.21.1
ii  init-system-helpers    1.62
ii  libaudit1              1:3.0.7-1
ii  libc6                  2.33-7
ii  libcom-err2            1.46.5-2
ii  libcrypt1              1:4.4.27-1.1
ii  libgssapi-krb5-2       1.19.2-2
ii  libkrb5-3              1.19.2-2
ii  libpam-modules         1.4.0-11
ii  libpam-runtime         1.4.0-11
ii  libpam0g               1.4.0-11
ii  libselinux1            3.3-1+b1
ii  libssl1.1              1.1.1m-1
ii  libsystemd0            250.3-2
ii  libwrap0               7.6.q-31
ii  lsb-base               11.1.0
ii  openssh-client         1:8.9p1-2.1
ii  openssh-sftp-server    1:8.9p1-2
ii  procps                 2:3.3.17-6
ii  runit-helper           2.10.3
ii  ucf                    3.0043
ii  zlib1g                 1:1.2.11.dfsg-2

Versions of packages openssh-server recommends:
ii  libpam-systemd [logind]  250.3-2
pn  ncurses-term             <none>
ii  xauth                    1:1.1-1

Versions of packages openssh-server suggests:
ii  molly-guard   0.7.2
pn  monkeysphere  <none>
pn  ssh-askpass   <none>
pn  ufw           <none>

-- debconf information:
  ssh/insecure_telnetd:
  ssh/vulnerable_host_keys:
* ssh/use_old_init_script: true
  ssh/new_config: true
  ssh/insecure_rshd:
* openssh-server/permit-root-login: true
  ssh/disable_cr_auth: false
  openssh-server/password-authentication: false
  ssh/encrypted_host_key_but_no_keygen:
diff -ur clean/sandbox-seccomp-filter.c openssh-8.9p1/sandbox-seccomp-filter.c
--- clean/sandbox-seccomp-filter.c	2022-02-23 11:31:11.000000000 +0000
+++ openssh-8.9p1/sandbox-seccomp-filter.c	2022-02-25 13:16:17.319892443 +0000
@@ -273,6 +273,9 @@
 #ifdef __NR__newselect
 	SC_ALLOW(__NR__newselect),
 #endif
+#ifdef __NR_ppoll_time64
+	SC_ALLOW(__NR_ppoll_time64),
+#endif
 #ifdef __NR_ppoll
 	SC_ALLOW(__NR_ppoll),
 #endif

--- End Message ---
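
The audit record quoted in the report above can be decoded mechanically. The following is an added example, not part of the bug report or of OpenSSH: it parses a `type=1326` (SECCOMP) record and names the architecture and the denied syscall. The function name and the partial i386 syscall table are assumptions made for this illustration.

```python
import re

# AUDIT_ARCH_* constants as defined in <linux/audit.h>.
AUDIT_ARCH = {
    0x40000003: "i386",
    0xC000003E: "x86_64",
    0x40000028: "arm",
    0xC00000B7: "aarch64",
}
AUDIT_ARCH_64BIT = 0x80000000

# Partial i386 syscall table: only poll/select-style calls and a few time64 variants.
I386_SYSCALLS = {
    168: "poll", 308: "pselect6", 309: "ppoll",
    403: "clock_gettime64", 407: "clock_nanosleep_time64",
    413: "pselect6_time64", 414: "ppoll_time64", 422: "futex_time64",
}

SIGSYS = 31  # signal delivered when a seccomp filter kills the caller
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# The record from the bug report, copied verbatim.
REPORT_LINE = (
    'audit: type=1326 audit(1645794361.669:40): auid=0 uid=100 gid=65534 '
    'ses=1 subj==unconfined pid=8338 comm="sshd" exe="/usr/sbin/sshd" sig=31 '
    'arch=40000003 syscall=414 compat=0 ip=0xb7ee3559 code=0x0'
)

def decode_seccomp_record(line):
    """Decode one type=1326 audit record; return None for any other line."""
    if "type=1326" not in line:
        return None
    f = {k: v.strip('"') for k, v in FIELD.findall(line)}
    arch = int(f["arch"], 16)          # the arch field is hex without a 0x prefix
    nr = int(f["syscall"])             # the syscall field is decimal
    arch_name = AUDIT_ARCH.get(arch, hex(arch))
    table = I386_SYSCALLS if arch_name == "i386" else {}
    return {
        "comm": f["comm"],
        "exe": f["exe"],
        "pid": int(f["pid"]),
        "arch": arch_name,
        "is_32bit": not (arch & AUDIT_ARCH_64BIT),
        "syscall_nr": nr,
        "syscall": table.get(nr, "unknown"),
        "killed_by_sigsys": int(f["sig"]) == SIGSYS,
    }

if __name__ == "__main__":
    print(decode_seccomp_record(REPORT_LINE))
```
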
--- Begin Message ---
Source: openssh
Source-Version: 1:8.9p1-3
Done: Colin Watson <cjwatson@debian.org>

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1006445@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 25 Feb 2022 23:30:49 +0000
Source: openssh
Architecture: source
Version: 1:8.9p1-3
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Closes: 1006445
Changes:
 openssh (1:8.9p1-3) unstable; urgency=medium
 .
   * Allow ppoll_time64 in seccomp filter (closes: #1006445).
Checksums-Sha1:
 6bcada9d5d735eb6aaedd80b049078e4a0fb20b9 3347 openssh_8.9p1-3.dsc
 293975449fd17feac51d17ea297ee4dcc9fabe4b 187396 openssh_8.9p1-3.debian.tar.xz
Checksums-Sha256:
 a2a80fc6996b7515d78ba95a9af0bb2118c77c0c7667ec88800289cb3b37116a 3347 openssh_8.9p1-3.dsc
 622cf1c9ab5e804d39400d97ca2a57324c02773af0f27c60c20dcff22c82ca97 187396 openssh_8.9p1-3.debian.tar.xz
Files:
 c96150a1b2cfb8479b4742f0948e9d9a 3347 net standard openssh_8.9p1-3.dsc
 9d751b8e3262ebef8413ae311f8dd7d3 187396 net standard openssh_8.9p1-3.debian.tar.xz


--- End Message ---
