Your message dated Sat, 01 Mar 2014 13:19:02 +0000
with message-id <[email protected]>
and subject line Bug#738131: fixed in mpm-itk 2.4.7-02-1
has caused the Debian Bug report #738131,
regarding libapache2-mpm-itk: seteuid() and various related functions are broken by seccomp syscall limits
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
738131: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=738131
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libapache2-mpm-itk
Version: 2.4.6-01-1
Severity: important

Dear Maintainer,

The current version of mpm-itk breaks code attempting to do legitimate setuid-type operations because of the seccomp BPF protections.

The reason stems from the fact that -1 is a permitted argument for syscalls that change multiple IDs at once, such as setresuid, to which (uid_t) -1 can be passed to indicate "don't change this value."

Since (uid_t) -1 == 4294967295 for everything except the old 16-bit i386 syscalls, these do-nothing values well exceed the max_uid = 65535, and so these calls are blocked. Thus code which *should* be allowed (such as setresuid(-1, currentid, -1)) returns EPERM.

In practice, this breaks anything that relies on uid changes that *should* be permitted: in my case, a cgi script that invokes ssh fails because ssh calls something with a -1 argument.

The attached patch updates the filters to extend the syscall argument limits by allowing a specific value outside that min...max range, and -1 is passed for this value where needed. Thus in effect the uid/gid syscall limits now allow anything in [min, max], and also -1.

With the patch, -1 is allowed for all the arguments of the blocked syscalls except for __NR_setuid/__NR_setgid (and the ...32 version on i386): -1 isn't a special value there. -1 isn't special for __NR_setfsuid (and ...gid), either, but since man setfsuid specifically suggests calling setfsuid a second time (with -1 as an argument) to detect failures, I allowed it for those syscalls, too.

(I also had to reorganize the various limit_syscall_range code because the -1 value ((__u16) -1 == 65535) for the i386, 16-bit __NR_set*uid calls doesn't coincide with the ((uid_t) -1 == 4294967295) value of non-i386's __NR_set*uid syscalls.)

I tested the code (on amd64) by extracting the capabilities and BPF filter code into a test program, to make sure it was working, and indeed it is: after the limits, all the restricted functions are indeed restricted, while the various seteuid and related failures are now fixed.


Jason Rhinelander
--- mpm-itk-2.4.6-01.orig/seccomp.c	2013-07-10 07:22:20.000000000 -0400
+++ mpm-itk-2.4.6-01/seccomp.c	2014-02-07 17:16:55.139802820 -0500
@@ -95,7 +95,7 @@
     ++*pos;
 }
 
-static int limit_syscall_range(int syscall_to_match, int nr_args, int min, int max)
+static int limit_syscall_range(int syscall_to_match, int nr_args, __u32 min, __u32 max, __u32 or_eq)
 {
     static struct sock_filter syscall_filter[BPF_MAXINSNS];
 
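Review bot: the new `or_eq` parameter on `+static int limit_syscall_range(int syscall_to_match, int nr_args, __u32 min, __u32 max, __u32 or_eq)` has no comment stating its contract, and the contract is subtle: a caller that wants no extra value must pass something already inside [min, max] rather than a dedicated sentinel. A one-line comment above the definition ("or_eq: one additional value to permit outside [min, max]; pass any in-range value to permit none") would make the later setuid/setgid call sites self-explanatory. The widening of `min`/`max` from `int` to `__u32` is needed so the range test against `(uid_t) -1` is unsigned, and is worth a mention in the changelog as well.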
@@ -108,6 +108,8 @@
 
     for (int i = 0; i < nr_args; ++i) {
         add_bpf_stmt(syscall_filter, &pos, BPF_LD + BPF_W + BPF_ABS, syscall_arg(i));
+        if (or_eq < min || or_eq > max)
+            add_bpf_jump(syscall_filter, &pos, BPF_JMP + BPF_JEQ + BPF_K, or_eq, 4, 0);
         add_bpf_jump(syscall_filter, &pos, BPF_JMP + BPF_JGE + BPF_K, min, 1, 0);
         add_bpf_stmt(syscall_filter, &pos, BPF_RET + BPF_K, SECCOMP_RET_ERRNO | EPERM);
         add_bpf_jump(syscall_filter, &pos, BPF_JMP + BPF_JGT + BPF_K, max, 0, 1);
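Review bot: the hard-coded jump target `4` in `add_bpf_jump(syscall_filter, &pos, BPF_JMP + BPF_JEQ + BPF_K, or_eq, 4, 0)` silently couples this line to the exact number of instructions that follow it in the per-argument block (the JGE, RET and JGT visible here plus whatever follows the JGT), so a later insertion into that block would break the exemption with no compile-time error. Suggest a comment spelling out which instructions the jump skips, or deriving the offset from the block length. Note also that the block length now varies per call site because the JEQ is only emitted when `or_eq < min || or_eq > max`; `pos` tracks this correctly, but a comment would help the next reader.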
@@ -128,6 +130,11 @@
     gid_t min_gid16 = (min_gid > 65535) ? 65535 : min_gid;
     gid_t max_gid16 = (max_gid > 65535) ? 65535 : max_gid;
 
+    uid_t minus_one = (uid_t) -1;
+#ifdef __i386__
+    __u16 minus_one16 = (__u16) -1;
+#endif // defined(__i386__)
+
     /* Apply a seccomp BPF to ourselves that disallows all setuid- and
      * setgid-like calls if the first argument is 0.  The list of calls comes from
      * the descriptions of CAP_SETUID and CAP_SETGID in capabilities(7), although
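Review bot: the comment block beginning `/* Apply a seccomp BPF to ourselves that disallows all setuid- and` now describes a policy the filter no longer implements, since `minus_one` and `minus_one16` open an explicit exemption for (uid_t) -1; it should say that -1 is permitted because the kernel treats it as "leave this id unchanged" in the setre*/setres* family, so passing it never switches to an id outside the configured range. For the i386-only `__u16 minus_one16 = (__u16) -1;`, a short note that the kernel maps (old_uid_t) 65535 to (uid_t) -1 on the 16-bit syscalls would explain why the same exemption applies there.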
@@ -146,29 +153,43 @@
     if (apply_seccomp_filter(arch_filter, sizeof(arch_filter) / sizeof(arch_filter[0])) != 0) {
         return;
     }
-#ifdef __i386__
-    limit_syscall_range(__NR_setfsuid32, 1, min_uid, max_uid);
-    limit_syscall_range(__NR_setuid32, 1, min_uid, max_uid);
-    limit_syscall_range(__NR_setreuid32, 2, min_uid, max_uid);
-    limit_syscall_range(__NR_setresuid32, 3, min_uid, max_uid);
-#endif  // defined(__i386__)
-
-    limit_syscall_range(__NR_setfsuid, 1, min_uid16, max_uid16);
-    limit_syscall_range(__NR_setuid, 1, min_uid16, max_uid16);
-    limit_syscall_range(__NR_setreuid, 2, min_uid16, max_uid16);
-    limit_syscall_range(__NR_setresuid, 3, min_uid16, max_uid16);
 
 #ifdef __i386__
-    limit_syscall_range(__NR_setfsgid32, 1, min_gid, max_gid);
-    limit_syscall_range(__NR_setgid32, 1, min_gid, max_gid);
-    limit_syscall_range(__NR_setregid32, 2, min_gid, max_gid);
-    limit_syscall_range(__NR_setresgid32, 3, min_gid, max_gid);
-#endif  // defined(__i386__)
-
-    limit_syscall_range(__NR_setfsgid, 1, min_gid16, max_gid16);
-    limit_syscall_range(__NR_setgid, 1, min_gid16, max_gid16);
-    limit_syscall_range(__NR_setregid, 2, min_gid16, max_gid16);
-    limit_syscall_range(__NR_setresgid, 3, min_gid16, max_gid16);
+    /* Newer, 32-bit uid_t/gid_t syscalls: */
+    limit_syscall_range(__NR_setfsuid32, 1, min_uid, max_uid, minus_one);
+    limit_syscall_range(__NR_setuid32, 1, min_uid, max_uid, min_uid);
+    limit_syscall_range(__NR_setreuid32, 2, min_uid, max_uid, minus_one);
+    limit_syscall_range(__NR_setresuid32, 3, min_uid, max_uid, minus_one);
+
+    limit_syscall_range(__NR_setfsgid32, 1, min_gid, max_gid, minus_one);
+    limit_syscall_range(__NR_setgid32, 1, min_gid, max_gid, min_gid);
+    limit_syscall_range(__NR_setregid32, 2, min_gid, max_gid, minus_one);
+    limit_syscall_range(__NR_setresgid32, 3, min_gid, max_gid, minus_one);
+
+    /* Older 16-bit old_uid_t/old_gid_t syscalls: */
+    limit_syscall_range(__NR_setfsuid, 1, min_uid16, max_uid16, minus_one16);
+    limit_syscall_range(__NR_setuid, 1, min_uid16, max_uid16, min_uid16);
+    limit_syscall_range(__NR_setreuid, 2, min_uid16, max_uid16, minus_one16);
+    limit_syscall_range(__NR_setresuid, 3, min_uid16, max_uid16, minus_one16);
+
+    limit_syscall_range(__NR_setfsgid, 1, min_gid16, max_gid16, minus_one16);
+    limit_syscall_range(__NR_setgid, 1, min_gid16, max_gid16, min_gid16);
+    limit_syscall_range(__NR_setregid, 2, min_gid16, max_gid16, minus_one16);
+    limit_syscall_range(__NR_setresgid, 3, min_gid16, max_gid16, minus_one16);
+
+#else // not defined(__i386__)
+    /* Just one set of 32-bit uid_t/gid_t syscalls to worry about: */
+    limit_syscall_range(__NR_setfsuid, 1, min_uid, max_uid, minus_one);
+    limit_syscall_range(__NR_setuid, 1, min_uid, max_uid, min_uid);
+    limit_syscall_range(__NR_setreuid, 2, min_uid, max_uid, minus_one);
+    limit_syscall_range(__NR_setresuid, 3, min_uid, max_uid, minus_one);
+
+    limit_syscall_range(__NR_setfsgid, 1, min_gid, max_gid, minus_one);
+    limit_syscall_range(__NR_setgid, 1, min_gid, max_gid, min_gid);
+    limit_syscall_range(__NR_setregid, 2, min_gid, max_gid, minus_one);
+    limit_syscall_range(__NR_setresgid, 3, min_gid, max_gid, minus_one);
+#endif
+
 #else
     ap_log_error(APLOG_MARK, APLOG_INFO, APR_SUCCESS, ap_server_conf,
                  "Your platform or architecture does not support seccomp v2; "
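Review bot: the `#else // not defined(__i386__)` branch changes more than the -1 exemption: the removed lines limited the unsuffixed `__NR_setuid`/`__NR_setgid` family with the clamped `min_uid16`/`max_uid16` on every architecture, and on 64-bit those syscalls take full 32-bit ids, so the old filter capped permitted ids at 65535 there; the new branch correctly passes `min_uid`/`max_uid`, but this behaviour change deserves its own line in the changelog. The `__NR_setuid`/`__NR_setgid` call sites pass `min_uid`/`min_gid` as `or_eq` to mean "no extra value"; a comment at the first such site (or a named constant) would make that intent explicit. The inner `#endif` that closes the `__i386__` block also lacks the `// defined(__i386__)` trailer used elsewhere in the file.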

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature


--- End Message ---
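The per-argument filter layout from the patch above, reproduced as an added example (not code from the bug report or from mpm-itk) together with a tiny cBPF interpreter, so the -1 exemption and the JEQ jump offset can be checked offline; the opcode names, the 1000..60000 limits and the trailing RET after the JGT are constructed assumptions.

```c
#include <errno.h>
#include <stdint.h>
/* Composite cBPF opcodes (same values as BPF_LD|BPF_W|BPF_ABS etc. in
 * <linux/filter.h>), redefined here so the example also builds off-Linux. */
enum { LD_ABS = 0x20, JEQ_K = 0x15, JGT_K = 0x25, JGE_K = 0x35, RET_K = 0x06 };
#define SECCOMP_RET_ALLOW 0x7fff0000U
#define RET_EPERM (0x00050000U | EPERM)   /* SECCOMP_RET_ERRNO | EPERM */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };
/* Per-argument check laid out as in the patch: the JEQ is emitted only when
 * or_eq is outside [min,max] and skips the four insns (JGE, RET, JGT, RET) to
 * the next argument.  k of the load is an argument index here (the real filter
 * uses a seccomp_data offset); the RET after JGT is assumed from the original. */
static int emit_arg_check(struct insn *f, int pos, uint32_t arg,
                          uint32_t min, uint32_t max, uint32_t or_eq)
{
    f[pos++] = (struct insn){LD_ABS, 0, 0, arg};
    if (or_eq < min || or_eq > max)
        f[pos++] = (struct insn){JEQ_K, 4, 0, or_eq};
    f[pos++] = (struct insn){JGE_K, 1, 0, min};
    f[pos++] = (struct insn){RET_K, 0, 0, RET_EPERM};
    f[pos++] = (struct insn){JGT_K, 0, 1, max};
    f[pos++] = (struct insn){RET_K, 0, 0, RET_EPERM};
    return pos;
}
/* Minimal interpreter for the five opcodes used above. */
static uint32_t run_filter(const struct insn *f, int len, const uint32_t *args)
{
    uint32_t acc = 0;
    for (int pc = 0; pc < len; pc++) {
        const struct insn *i = &f[pc];
        switch (i->code) {
        case LD_ABS: acc = args[i->k]; break;
        case JEQ_K:  pc += acc == i->k ? i->jt : i->jf; break;
        case JGE_K:  pc += acc >= i->k ? i->jt : i->jf; break;
        case JGT_K:  pc += acc >  i->k ? i->jt : i->jf; break;
        case RET_K:  return i->k;
        }
    }
    return RET_EPERM;  /* fell off the end: deny */
}
/* Decide a 3-argument setresuid-style call under constructed limits 1000..60000.
 * or_eq = (uint32_t)-1 exempts -1; or_eq = 1000 (in range) emits no exemption. */
uint32_t filter_call(uint32_t a0, uint32_t a1, uint32_t a2, uint32_t or_eq)
{
    struct insn f[19]; int pos = 0; uint32_t args[3] = {a0, a1, a2};
    for (uint32_t i = 0; i < 3; i++)
        pos = emit_arg_check(f, pos, i, 1000, 60000, or_eq);
    f[pos++] = (struct insn){RET_K, 0, 0, SECCOMP_RET_ALLOW};
    return run_filter(f, pos, args);
}
```

With or_eq set to -1 the call setresuid(-1, 1500, -1) passes, while with or_eq in range (the setuid case) the same arguments are denied, which is exactly the split the patch makes between the setres*/setre* and the plain set* syscalls.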
--- Begin Message ---
Source: mpm-itk
Source-Version: 2.4.7-02-1

We believe that the bug you reported is fixed in the latest version of
mpm-itk, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Steinar H. Gunderson <[email protected]> (supplier of updated mpm-itk package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])



Format: 1.8
Date: Sat, 01 Mar 2014 14:14:02 +0100
Source: mpm-itk
Binary: libapache2-mpm-itk
Architecture: source amd64
Version: 2.4.7-02-1
Distribution: unstable
Urgency: medium
Maintainer: Steinar H. Gunderson <[email protected]>
Changed-By: Steinar H. Gunderson <[email protected]>
Description: 
 libapache2-mpm-itk - multiuser module for Apache
Closes: 738131
Changes: 
 mpm-itk (2.4.7-02-1) unstable; urgency=medium
 .
   * New upstream release.
     - In the seccomp.c filter, allow -1 as value in certain system calls,
       as it means not to change the given value. Heavily based on patch
       from Jason Rhinelander. (Closes: #738131)


--- End Message ---
