Bug#751417: linux-image-3.2.0-4-5kc-malta: no SIGKILL after prctl(PR_SET_SECCOMP, 1, ...) on MIPS
On Thu, Jun 12, 2014 at 09:21:41PM +0100, Ben Hutchings wrote:
On Thu, 2014-06-12 at 20:36 +0100, Ben Hutchings wrote:
Control: tag -1 security upstream patch moreinfo
Control: severity -1 grave
Control: found -1 3.14.5-1
Aurelien Jarno pointed out this appears to be fixed upstream in 3.15:
commit 137f7df8cead00688524c82360930845396b8a21
Author: Markos Chandras markos.chand...@imgtec.com
Date: Wed Jan 22 14:40:00 2014 +
MIPS: asm: thread_info: Add _TIF_SECCOMP flag
It looks like this can be cherry-picked cleanly onto stable branches for
3.13 and 3.14. For 3.11 and 3.12, it will need trivial adjustment.
For branches older than 3.11, this needs to be cherry-picked first:
commit e7f3b48af7be9f8007a224663a5b91340626fed5
Author: Ralf Baechle r...@linux-mips.org
Date: Wed May 29 01:02:18 2013 +0200
MIPS: Cleanup flags in syscall flags handlers.
Ben.
Thank you, I'm queuing this for the 3.11 kernel.
Cheers,
--
Luís
On Thu, 2014-06-12 at 16:19 +, Plamen Alexandrov wrote:
Package: src:linux
Version: 3.2.51-1
Severity: normal
Under MIPS the system call prctl(PR_SET_SECCOMP, 1, ...) does not behave
as expected.
According to the manual page, after calling it with 1 as a second
argument, any consecutive system calls other than read(), write(),
_exit() and sigreturn() should result in the delivery of SIGKILL.
However, under MIPS any consecutive system call behaves as if
prctl(PR_SET_SECCOMP, 1, ...) was never called.
Here is a simple example that can be used to reproduce the bug:
plamen@debian-mips:/tmp$ id
uid=1000(plamen) gid=1000(user) groups=1000(user)
plamen@debian-mips:/tmp$ cat prctl.c
#include unistd.h
#include sys/prctl.h
#include stdio.h
int main(void)
{
if (prctl(PR_SET_SECCOMP, 1, 0, 0, 0) != 0)
return 0;
uid_t uid = getuid();
printf(%u\n, (unsigned)uid);
return 0;
}
plamen@debian-mips:/tmp$ gcc prctl.c -o prctl
plamen@debian-mips:/tmp$ ./prctl
1000
There is no change if I replace
if (prctl(PR_SET_SECCOMP, 1, 0, 0, 0) != 0)
with
if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT, 0, 0, 0) != 0)
and I add #include linux/seccomp.h
Indeed, I see no check for seccomp on the MIPS syscall 'fast path'. The
seccomp check appears to be done on the 'slow path' which is used only
if tracing or audit is also enabled for the task. If I run the above
program under strace, it is killed as expected.
Could you test whether the attached patches fix this? (Instructions for
rebuilding the Debian kernel package with patches can be found at
http://kernel-handbook.alioth.debian.org/ch-common-tasks.html#s-common-official.
These patches apply to 'wheezy'.)
Ben.
--
Ben Hutchings
The program is absolutely right; therefore, the computer must be wrong.
--
To UNSUBSCRIBE, email to debian-kernel-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: https://lists.debian.org/20140623091922.GC4214@hercules
Bug#751417: (Linux kernel) Bug#751417: linux-image-3.2.0-4-5kc-malta: no SIGKILL after prctl(PR_SET_SECCOMP, 1, ...) on MIPS
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 According to the manual page, after calling it with 1 as a second argument, any consecutive system calls other than read(), write(), _exit() and sigreturn() should result in the delivery of SIGKILL. However, under MIPS any consecutive system call behaves as if prctl(PR_SET_SECCOMP, 1, ...) was never called. I see no check for seccomp on the MIPS syscall 'fast path'. The seccomp check appears to be done on the 'slow path' which is used only if tracing or audit is also enabled for the task. If I run the above program under strace, it is killed as expected. Use CVE-2014-4157. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJToL2jAAoJEKllVAevmvmswgUIAJbfESCClCJ35JPb7mukT3nC VFCIPzdiVqXNB/3OvC3hRUqY2J5TffMwYNnTiUJ3MtRcbbJXHf24lK3IM3H8/b7A 7ZpxBh7cZSeEX+d2+uOZqVW1DDJQ0BmmYHV0tlRI0jry2GAPvGdrBpVAKmxe+fvg 6qnceILeat1/1M4fbIabw683gjwZktF0S11LvSvn0OCSPM/sPK0cKMO5m0NEQzwI 2NZWljHvNpQ851Lpe7ICvDVr1v9PmgnsA+oHvqzZ46gXocrBcwMvlyP1xIFm/Ajk UZoE5jpP/dpXMS4/aTO+ucivLNKNjav741lKRg8MIBK274iKaWcUPv15aDdoYBw= =ycHE -END PGP SIGNATURE- -- To UNSUBSCRIBE, email to debian-kernel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/201406172218.s5hmi3hp000...@linus.mitre.org
Bug#751417: linux-image-3.2.0-4-5kc-malta: no SIGKILL after prctl(PR_SET_SECCOMP, 1, ...) on MIPS
On dim., 2014-06-15 at 19:31 +0100, Ben Hutchings wrote: Please can you assign a CVE ID to this bug? Hi Ben, we usually don't assign CVE from our pool for public issues, and I'm especially reluctant here as I don't know if someone else aware of this issue could have assign one. So I'm asking on oss-sec to assign one so it gets some publicity for security people and someone has a chance to yell if a CVE has already been assigned. oss-sec / MITRE: it seems that SECCOMP on MIPS doesn't behave properly (see [1] for all the details). I'm unsure when it started (I guess when seccomp was first added to MIPS, it seems at least 3.2 is affected), and it's fixed in 3.15 (with 137f7df8cead00688524c82360930845396b8a21). Can someone assign a CVE is this is indeed a new issue? Regards, [1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=751417 -- Yves-Alexis signature.asc Description: This is a digitally signed message part
Bug#751417: linux-image-3.2.0-4-5kc-malta: no SIGKILL after prctl(PR_SET_SECCOMP, 1, ...) on MIPS
Please can you assign a CVE ID to this bug? Ben. -- Ben Hutchings Tomorrow will be cancelled due to lack of interest. signature.asc Description: This is a digitally signed message part
Processed: Re: Bug#751417: linux-image-3.2.0-4-5kc-malta: no SIGKILL after prctl(PR_SET_SECCOMP, 1, ...) on MIPS
Processing control commands: tag -1 - moreinfo Bug #751417 [src:linux] linux-image-3.2.0-4-5kc-malta: no SIGKILL after prctl(PR_SET_SECCOMP, 1, ...) on MIPS Removed tag(s) moreinfo. -- 751417: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=751417 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems -- To UNSUBSCRIBE, email to debian-kernel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/handler.s.b751417.140285721215404.transcr...@bugs.debian.org
Bug#751417: linux-image-3.2.0-4-5kc-malta: no SIGKILL after prctl(PR_SET_SECCOMP, 1, ...) on MIPS
Control: tag -1 - moreinfo On Thu, 2014-06-12 at 20:36 +0100, Ben Hutchings wrote: [...] Could you test whether the attached patches fix this? (Instructions for rebuilding the Debian kernel package with patches can be found at http://kernel-handbook.alioth.debian.org/ch-common-tasks.html#s-common-official. These patches apply to 'wheezy'.) I've now tested these patches myself, so you don't need to do this. Ben. -- Ben Hutchings Tomorrow will be cancelled due to lack of interest. signature.asc Description: This is a digitally signed message part
Bug#751417: linux-image-3.2.0-4-5kc-malta: no SIGKILL after prctl(PR_SET_SECCOMP, 1, ...) on MIPS
On Thu, 2014-06-12 at 14:59 -0700, Greg KH wrote: On Thu, Jun 12, 2014 at 10:10:59PM +0100, Ben Hutchings wrote: On Thu, 2014-06-12 at 14:05 -0700, Greg KH wrote: On Thu, Jun 12, 2014 at 02:03:23PM -0700, Greg KH wrote: On Thu, Jun 12, 2014 at 09:21:41PM +0100, Ben Hutchings wrote: On Thu, 2014-06-12 at 20:36 +0100, Ben Hutchings wrote: Control: tag -1 security upstream patch moreinfo Control: severity -1 grave Control: found -1 3.14.5-1 Aurelien Jarno pointed out this appears to be fixed upstream in 3.15: commit 137f7df8cead00688524c82360930845396b8a21 Author: Markos Chandras markos.chand...@imgtec.com Date: Wed Jan 22 14:40:00 2014 + MIPS: asm: thread_info: Add _TIF_SECCOMP flag It looks like this can be cherry-picked cleanly onto stable branches for 3.13 and 3.14. For 3.11 and 3.12, it will need trivial adjustment. For branches older than 3.11, this needs to be cherry-picked first: commit e7f3b48af7be9f8007a224663a5b91340626fed5 Author: Ralf Baechle r...@linux-mips.org Date: Wed May 29 01:02:18 2013 +0200 MIPS: Cleanup flags in syscall flags handlers. It also needs parts of 1d7bf993e0731b4ac790667c196b2a2d787f95c3 (MIPS: ftrace: Add support for syscall tracepoints.) to apply properly to stuff older than 3.11. But, I'm not so sure that is good to apply as that is a whole new feature. So I think I'll just do this by hand to get it to work properly... Wait, no, SECCOMP for MIPS isn't even in 3.10 or older kernels, so why is this a 3.2 issue? Did you add it there to your kernel for some reason? Seccomp mode 2 (i.e. filtering with BPF) was only just implenented for MIPS in 3.15. Mode 1 (fixed set of syscalls) was implemented long ago. Really? I don't see _TIF_SECCOMP in the mips asm files in 3.10. I don't feel comfortable backporting it to 3.10 or 3.4, are you going to do that for 3.2? I'm attaching the backport to 3.2 which I've now been able to test. It appears to apply cleanly to 3.4 and 3.10 as well. (MIPS: Cleanup flags in syscall flags handlers. applies to all branches with some fuzz.) (If prctl(PR_SET_SECCOMP) could return success when CONFIG_SECCOMP is not enabled, that would be even worse!) True, but this seems to have always been broken, right? :) Yes, so far as I can see. Ben. -- Ben Hutchings Tomorrow will be cancelled due to lack of interest. From: Markos Chandras markos.chand...@imgtec.com Date: Wed, 22 Jan 2014 14:40:00 + Subject: MIPS: asm: thread_info: Add _TIF_SECCOMP flag Origin: https://git.kernel.org/linus/137f7df8cead00688524c82360930845396b8a21 Add _TIF_SECCOMP flag to _TIF_WORK_SYSCALL_ENTRY to indicate that the system call needs to be checked against a seccomp filter. Signed-off-by: Markos Chandras markos.chand...@imgtec.com Reviewed-by: Paul Burton paul.bur...@imgtec.com Reviewed-by: James Hogan james.ho...@imgtec.com Cc: linux-m...@linux-mips.org Patchwork: https://patchwork.linux-mips.org/patch/6405/ Signed-off-by: Ralf Baechle r...@linux-mips.org [bwh: Backported to 3.2: various other flags are not included in _TIF_WORK_SYSCALL_ENTRY] Signed-off-by: Ben Hutchings b...@decadent.org.uk --- --- a/arch/mips/include/asm/thread_info.h +++ b/arch/mips/include/asm/thread_info.h @@ -149,7 +149,7 @@ register struct thread_info *__current_t #define _TIF_FPUBOUND (1TIF_FPUBOUND) #define _TIF_LOAD_WATCH (1TIF_LOAD_WATCH) -#define _TIF_WORK_SYSCALL_ENTRY (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT) +#define _TIF_WORK_SYSCALL_ENTRY (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | _TIF_SECCOMP) /* work to do in syscall_trace_leave() */ #define _TIF_WORK_SYSCALL_EXIT (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT) signature.asc Description: This is a digitally signed message part
Bug#751417: linux-image-3.2.0-4-5kc-malta: no SIGKILL after prctl(PR_SET_SECCOMP, 1, ...) on MIPS
Package: src:linux
Version: 3.2.51-1
Severity: normal
Under MIPS the system call prctl(PR_SET_SECCOMP, 1, ...) does not behave as
expected.
According to the manual page, after calling it with 1 as a second argument, any
consecutive system calls other than read(), write(), _exit() and sigreturn()
should result in the delivery of SIGKILL. However, under MIPS any consecutive
system call behaves as if prctl(PR_SET_SECCOMP, 1, ...) was never called.
Here is a simple example that can be used to reproduce the bug:
plamen@debian-mips:/tmp$ id
uid=1000(plamen) gid=1000(user) groups=1000(user)
plamen@debian-mips:/tmp$ cat prctl.c
#include unistd.h
#include sys/prctl.h
#include stdio.h
int main(void)
{
if (prctl(PR_SET_SECCOMP, 1, 0, 0, 0) != 0)
return 0;
uid_t uid = getuid();
printf(%u\n, (unsigned)uid);
return 0;
}
plamen@debian-mips:/tmp$ gcc prctl.c -o prctl
plamen@debian-mips:/tmp$ ./prctl
1000
There is no change if I replace
if (prctl(PR_SET_SECCOMP, 1, 0, 0, 0) != 0)
with
if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT, 0, 0, 0) != 0)
and I add #include linux/seccomp.h
-- Package-specific info:
** Version:
Linux version 3.2.0-4-5kc-malta (debian-kernel@lists.debian.org) (gcc version
4.6.3 (Debian 4.6.3-14) ) #1 Debian 3.2.51-1
** Command line:
root=/dev/sda1 console=ttyS0 mem=256m@0x0 mem=768m@0x9000
** Not tainted
** Kernel log:
[0.588000] scsi0 : ata_piix
[0.588000] scsi1 : ata_piix
[0.592000] ata1: PATA max UDMA/33 cmd 0x1f0 ctl 0x3f6 bmdma 0x1040 irq 14
[0.592000] ata2: PATA max UDMA/33 cmd 0x170 ctl 0x376 bmdma 0x1048 irq 15
[0.60] pcnet32: pcnet32.c:v1.35 21.Apr.2008 tsbog...@alpha.franken.de
[0.60] PCI: Enabling device :00:0b.0 ( - 0003)
[0.60] PCI: Setting latency timer of device :00:0b.0 to 64
[0.604000] pcnet32: PCnet/PCI II 79C970A at 0x1020, 52:54:00:12:34:56
assigned IRQ 10
[0.608000] pcnet32: eth0: registered as PCnet/PCI II 79C970A
[0.608000] pcnet32: 1 cards_found
[0.608000] serio: i8042 KBD port at 0x60,0x64 irq 1
[0.612000] serio: i8042 AUX port at 0x60,0x64 irq 12
[0.612000] mousedev: PS/2 mouse device common for all mice
[0.62] rtc_cmos rtc_cmos: rtc core: registered rtc_cmos as rtc0
[0.62] rtc0: alarms up to one day, 242 bytes nvram
[0.62] TCP cubic registered
[0.62] NET: Registered protocol family 17
[0.624000] Registering the dns_resolver key type
[0.624000] PM: Hibernation image not present or could not be loaded.
[0.624000] registered taskstats version 1
[0.628000] rtc_cmos rtc_cmos: setting system clock to 2014-06-09 17:52:47
UTC (1402336367)
[0.628000] Initializing network drop monitor service
[0.716000] input: AT Raw Set 2 keyboard as
/devices/platform/i8042/serio0/input/input0
[0.752000] ata1.01: NODEV after polling detection
[0.756000] ata2.01: NODEV after polling detection
[0.756000] ata2.00: ATAPI: QEMU DVD-ROM, 2.0.0, max UDMA/100
[0.76] ata1.00: ATA-7: QEMU HARDDISK, 2.0.0, max UDMA/100
[0.76] ata1.00: 52428800 sectors, multi 16: LBA48
[0.76] ata2.00: configured for UDMA/33
[0.764000] ata1.00: configured for UDMA/33
[0.776000] scsi 0:0:0:0: Direct-Access ATA QEMU HARDDISK2.0.
PQ: 0 ANSI: 5
[0.784000] scsi 1:0:0:0: CD-ROMQEMU QEMU DVD-ROM 2.0.
PQ: 0 ANSI: 5
[0.788000] sd 0:0:0:0: [sda] 52428800 512-byte logical blocks: (26.8
GB/25.0 GiB)
[0.788000] sd 0:0:0:0: [sda] Write Protect is off
[0.788000] sd 0:0:0:0: [sda] Mode Sense: 00 3a 00 00
[0.792000] sd 0:0:0:0: [sda] Write cache: enabled, read cache: enabled,
doesn't support DPO or FUA
[0.804000] sda: sda1 sda2 sda5
[0.816000] sd 0:0:0:0: [sda] Attached SCSI disk
[0.82] EXT4-fs (sda1): couldn't mount as ext3 due to feature
incompatibilities
[0.824000] EXT4-fs (sda1): couldn't mount as ext2 due to feature
incompatibilities
[0.832000] EXT4-fs (sda1): INFO: recovery required on readonly filesystem
[0.832000] EXT4-fs (sda1): write access will be enabled during recovery
[4.948000] EXT4-fs (sda1): orphan cleanup on readonly fs
[4.988000] EXT4-fs (sda1): ext4_orphan_cleanup: deleting unreferenced inode
262260
[5.012000] EXT4-fs (sda1): ext4_orphan_cleanup: deleting unreferenced inode
272468
[5.012000] EXT4-fs (sda1): ext4_orphan_cleanup: deleting unreferenced inode
787635
[5.012000] EXT4-fs (sda1): ext4_orphan_cleanup: deleting unreferenced inode
787637
[5.012000] EXT4-fs (sda1): ext4_orphan_cleanup: deleting unreferenced inode
787638
[5.012000] EXT4-fs (sda1): ext4_orphan_cleanup: deleting unreferenced inode
787642
[5.012000] EXT4-fs (sda1): ext4_orphan_cleanup: deleting unreferenced inode
787647
[5.012000] EXT4-fs (sda1): ext4_orphan_cleanup: deleting unreferenced inode
787650
[5.012000] EXT4-fs (sda1): ext4_orphan_cleanup: deleting
Bug#751417: linux-image-3.2.0-4-5kc-malta: no SIGKILL after prctl(PR_SET_SECCOMP, 1, ...) on MIPS
Control: tag -1 security upstream patch moreinfo
Control: severity -1 grave
Control: found -1 3.14.5-1
On Thu, 2014-06-12 at 16:19 +, Plamen Alexandrov wrote:
Package: src:linux
Version: 3.2.51-1
Severity: normal
Under MIPS the system call prctl(PR_SET_SECCOMP, 1, ...) does not behave as
expected.
According to the manual page, after calling it with 1 as a second argument,
any consecutive system calls other than read(), write(), _exit() and
sigreturn() should result in the delivery of SIGKILL. However, under MIPS any
consecutive system call behaves as if prctl(PR_SET_SECCOMP, 1, ...) was never
called.
Here is a simple example that can be used to reproduce the bug:
plamen@debian-mips:/tmp$ id
uid=1000(plamen) gid=1000(user) groups=1000(user)
plamen@debian-mips:/tmp$ cat prctl.c
#include unistd.h
#include sys/prctl.h
#include stdio.h
int main(void)
{
if (prctl(PR_SET_SECCOMP, 1, 0, 0, 0) != 0)
return 0;
uid_t uid = getuid();
printf(%u\n, (unsigned)uid);
return 0;
}
plamen@debian-mips:/tmp$ gcc prctl.c -o prctl
plamen@debian-mips:/tmp$ ./prctl
1000
There is no change if I replace
if (prctl(PR_SET_SECCOMP, 1, 0, 0, 0) != 0)
with
if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT, 0, 0, 0) != 0)
and I add #include linux/seccomp.h
Indeed, I see no check for seccomp on the MIPS syscall 'fast path'. The
seccomp check appears to be done on the 'slow path' which is used only
if tracing or audit is also enabled for the task. If I run the above
program under strace, it is killed as expected.
Could you test whether the attached patches fix this? (Instructions for
rebuilding the Debian kernel package with patches can be found at
http://kernel-handbook.alioth.debian.org/ch-common-tasks.html#s-common-official.
These patches apply to 'wheezy'.)
Ben.
--
Ben Hutchings
The program is absolutely right; therefore, the computer must be wrong.
From: Ralf Baechle r...@linux-mips.org
Date: Wed, 29 May 2013 01:02:18 +0200
Subject: MIPS: Cleanup flags in syscall flags handlers.
Origin: https://git.kernel.org/linus/e7f3b48af7be9f8007a224663a5b91340626fed5
This will simplify further modifications.
Signed-off-by: Ralf Baechle r...@linux-mips.org
---
arch/mips/include/asm/thread_info.h | 2 ++
arch/mips/kernel/scall32-o32.S | 2 +-
arch/mips/kernel/scall64-64.S | 2 +-
arch/mips/kernel/scall64-n32.S | 2 +-
arch/mips/kernel/scall64-o32.S | 2 +-
5 files changed, 6 insertions(+), 4 deletions(-)
--- a/arch/mips/include/asm/thread_info.h
+++ b/arch/mips/include/asm/thread_info.h
@@ -149,6 +149,8 @@ register struct thread_info *__current_t
#define _TIF_FPUBOUND (1TIF_FPUBOUND)
#define _TIF_LOAD_WATCH (1TIF_LOAD_WATCH)
+#define _TIF_WORK_SYSCALL_ENTRY (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT)
+
/* work to do in syscall_trace_leave() */
#define _TIF_WORK_SYSCALL_EXIT (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT)
--- a/arch/mips/kernel/scall32-o32.S
+++ b/arch/mips/kernel/scall32-o32.S
@@ -52,7 +52,7 @@ NESTED(handle_sys, PT_SIZE, sp)
stack_done:
lw t0, TI_FLAGS($28) # syscall tracing enabled?
- li t1, _TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT
+ li t1, _TIF_WORK_SYSCALL_ENTRY
and t0, t1
bnez t0, syscall_trace_entry # - yes
--- a/arch/mips/kernel/scall64-64.S
+++ b/arch/mips/kernel/scall64-64.S
@@ -54,7 +54,7 @@ NESTED(handle_sys64, PT_SIZE, sp)
sd a3, PT_R26(sp) # save a3 for syscall restarting
- li t1, _TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT
+ li t1, _TIF_WORK_SYSCALL_ENTRY
LONG_L t0, TI_FLAGS($28) # syscall tracing enabled?
and t0, t1, t0
bnez t0, syscall_trace_entry
--- a/arch/mips/kernel/scall64-n32.S
+++ b/arch/mips/kernel/scall64-n32.S
@@ -53,7 +53,7 @@ NESTED(handle_sysn32, PT_SIZE, sp)
sd a3, PT_R26(sp) # save a3 for syscall restarting
- li t1, _TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT
+ li t1, _TIF_WORK_SYSCALL_ENTRY
LONG_L t0, TI_FLAGS($28) # syscall tracing enabled?
and t0, t1, t0
bnez t0, n32_syscall_trace_entry
--- a/arch/mips/kernel/scall64-o32.S
+++ b/arch/mips/kernel/scall64-o32.S
@@ -81,7 +81,7 @@ NESTED(handle_sys, PT_SIZE, sp)
PTR 4b, bad_stack
.previous
- li t1, _TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT
+ li t1, _TIF_WORK_SYSCALL_ENTRY
LONG_L t0, TI_FLAGS($28) # syscall tracing enabled?
and t0, t1, t0
bnez t0, trace_a_syscall
--- a/arch/mips/include/asm/thread_info.h
+++ b/arch/mips/include/asm/thread_info.h
@@ -149,7 +149,7 @@ register struct thread_info *__current_t
#define _TIF_FPUBOUND (1TIF_FPUBOUND)
#define _TIF_LOAD_WATCH (1TIF_LOAD_WATCH)
-#define _TIF_WORK_SYSCALL_ENTRY (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT)
+#define _TIF_WORK_SYSCALL_ENTRY (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT | _TIF_SECCOMP)
/* work to do in syscall_trace_leave() */
#define _TIF_WORK_SYSCALL_EXIT (_TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT)
signature.asc
Description: This is a digitally signed message part
Processed: Re: Bug#751417: linux-image-3.2.0-4-5kc-malta: no SIGKILL after prctl(PR_SET_SECCOMP, 1, ...) on MIPS
Processing control commands: tag -1 security upstream patch moreinfo Bug #751417 [src:linux] linux-image-3.2.0-4-5kc-malta: no SIGKILL after prctl(PR_SET_SECCOMP, 1, ...) on MIPS Added tag(s) upstream, security, moreinfo, and patch. severity -1 grave Bug #751417 [src:linux] linux-image-3.2.0-4-5kc-malta: no SIGKILL after prctl(PR_SET_SECCOMP, 1, ...) on MIPS Severity set to 'grave' from 'normal' found -1 3.14.5-1 Bug #751417 [src:linux] linux-image-3.2.0-4-5kc-malta: no SIGKILL after prctl(PR_SET_SECCOMP, 1, ...) on MIPS Marked as found in versions linux/3.14.5-1. -- 751417: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=751417 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems -- To UNSUBSCRIBE, email to debian-kernel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/handler.s.b751417.140260178329504.transcr...@bugs.debian.org
Bug#751417: linux-image-3.2.0-4-5kc-malta: no SIGKILL after prctl(PR_SET_SECCOMP, 1, ...) on MIPS
On Thu, 2014-06-12 at 20:36 +0100, Ben Hutchings wrote:
Control: tag -1 security upstream patch moreinfo
Control: severity -1 grave
Control: found -1 3.14.5-1
Aurelien Jarno pointed out this appears to be fixed upstream in 3.15:
commit 137f7df8cead00688524c82360930845396b8a21
Author: Markos Chandras markos.chand...@imgtec.com
Date: Wed Jan 22 14:40:00 2014 +
MIPS: asm: thread_info: Add _TIF_SECCOMP flag
It looks like this can be cherry-picked cleanly onto stable branches for
3.13 and 3.14. For 3.11 and 3.12, it will need trivial adjustment.
For branches older than 3.11, this needs to be cherry-picked first:
commit e7f3b48af7be9f8007a224663a5b91340626fed5
Author: Ralf Baechle r...@linux-mips.org
Date: Wed May 29 01:02:18 2013 +0200
MIPS: Cleanup flags in syscall flags handlers.
Ben.
On Thu, 2014-06-12 at 16:19 +, Plamen Alexandrov wrote:
Package: src:linux
Version: 3.2.51-1
Severity: normal
Under MIPS the system call prctl(PR_SET_SECCOMP, 1, ...) does not behave as
expected.
According to the manual page, after calling it with 1 as a second argument,
any consecutive system calls other than read(), write(), _exit() and
sigreturn() should result in the delivery of SIGKILL. However, under MIPS
any consecutive system call behaves as if prctl(PR_SET_SECCOMP, 1, ...) was
never called.
Here is a simple example that can be used to reproduce the bug:
plamen@debian-mips:/tmp$ id
uid=1000(plamen) gid=1000(user) groups=1000(user)
plamen@debian-mips:/tmp$ cat prctl.c
#include unistd.h
#include sys/prctl.h
#include stdio.h
int main(void)
{
if (prctl(PR_SET_SECCOMP, 1, 0, 0, 0) != 0)
return 0;
uid_t uid = getuid();
printf(%u\n, (unsigned)uid);
return 0;
}
plamen@debian-mips:/tmp$ gcc prctl.c -o prctl
plamen@debian-mips:/tmp$ ./prctl
1000
There is no change if I replace
if (prctl(PR_SET_SECCOMP, 1, 0, 0, 0) != 0)
with
if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT, 0, 0, 0) != 0)
and I add #include linux/seccomp.h
Indeed, I see no check for seccomp on the MIPS syscall 'fast path'. The
seccomp check appears to be done on the 'slow path' which is used only
if tracing or audit is also enabled for the task. If I run the above
program under strace, it is killed as expected.
Could you test whether the attached patches fix this? (Instructions for
rebuilding the Debian kernel package with patches can be found at
http://kernel-handbook.alioth.debian.org/ch-common-tasks.html#s-common-official.
These patches apply to 'wheezy'.)
Ben.
--
Ben Hutchings
The program is absolutely right; therefore, the computer must be wrong.
signature.asc
Description: This is a digitally signed message part
Bug#751417: linux-image-3.2.0-4-5kc-malta: no SIGKILL after prctl(PR_SET_SECCOMP, 1, ...) on MIPS
On Thu, Jun 12, 2014 at 09:21:41PM +0100, Ben Hutchings wrote: On Thu, 2014-06-12 at 20:36 +0100, Ben Hutchings wrote: Control: tag -1 security upstream patch moreinfo Control: severity -1 grave Control: found -1 3.14.5-1 Aurelien Jarno pointed out this appears to be fixed upstream in 3.15: commit 137f7df8cead00688524c82360930845396b8a21 Author: Markos Chandras markos.chand...@imgtec.com Date: Wed Jan 22 14:40:00 2014 + MIPS: asm: thread_info: Add _TIF_SECCOMP flag It looks like this can be cherry-picked cleanly onto stable branches for 3.13 and 3.14. For 3.11 and 3.12, it will need trivial adjustment. For branches older than 3.11, this needs to be cherry-picked first: commit e7f3b48af7be9f8007a224663a5b91340626fed5 Author: Ralf Baechle r...@linux-mips.org Date: Wed May 29 01:02:18 2013 +0200 MIPS: Cleanup flags in syscall flags handlers. It also needs parts of 1d7bf993e0731b4ac790667c196b2a2d787f95c3 (MIPS: ftrace: Add support for syscall tracepoints.) to apply properly to stuff older than 3.11. But, I'm not so sure that is good to apply as that is a whole new feature. So I think I'll just do this by hand to get it to work properly... thanks, greg k-h -- To UNSUBSCRIBE, email to debian-kernel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20140612210323.ga30...@kroah.com
Bug#751417: linux-image-3.2.0-4-5kc-malta: no SIGKILL after prctl(PR_SET_SECCOMP, 1, ...) on MIPS
On Thu, Jun 12, 2014 at 02:03:23PM -0700, Greg KH wrote: On Thu, Jun 12, 2014 at 09:21:41PM +0100, Ben Hutchings wrote: On Thu, 2014-06-12 at 20:36 +0100, Ben Hutchings wrote: Control: tag -1 security upstream patch moreinfo Control: severity -1 grave Control: found -1 3.14.5-1 Aurelien Jarno pointed out this appears to be fixed upstream in 3.15: commit 137f7df8cead00688524c82360930845396b8a21 Author: Markos Chandras markos.chand...@imgtec.com Date: Wed Jan 22 14:40:00 2014 + MIPS: asm: thread_info: Add _TIF_SECCOMP flag It looks like this can be cherry-picked cleanly onto stable branches for 3.13 and 3.14. For 3.11 and 3.12, it will need trivial adjustment. For branches older than 3.11, this needs to be cherry-picked first: commit e7f3b48af7be9f8007a224663a5b91340626fed5 Author: Ralf Baechle r...@linux-mips.org Date: Wed May 29 01:02:18 2013 +0200 MIPS: Cleanup flags in syscall flags handlers. It also needs parts of 1d7bf993e0731b4ac790667c196b2a2d787f95c3 (MIPS: ftrace: Add support for syscall tracepoints.) to apply properly to stuff older than 3.11. But, I'm not so sure that is good to apply as that is a whole new feature. So I think I'll just do this by hand to get it to work properly... Wait, no, SECCOMP for MIPS isn't even in 3.10 or older kernels, so why is this a 3.2 issue? Did you add it there to your kernel for some reason? thanks, greg k-h -- To UNSUBSCRIBE, email to debian-kernel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20140612210531.gb30...@kroah.com
Bug#751417: linux-image-3.2.0-4-5kc-malta: no SIGKILL after prctl(PR_SET_SECCOMP, 1, ...) on MIPS
On Thu, 2014-06-12 at 14:05 -0700, Greg KH wrote: On Thu, Jun 12, 2014 at 02:03:23PM -0700, Greg KH wrote: On Thu, Jun 12, 2014 at 09:21:41PM +0100, Ben Hutchings wrote: On Thu, 2014-06-12 at 20:36 +0100, Ben Hutchings wrote: Control: tag -1 security upstream patch moreinfo Control: severity -1 grave Control: found -1 3.14.5-1 Aurelien Jarno pointed out this appears to be fixed upstream in 3.15: commit 137f7df8cead00688524c82360930845396b8a21 Author: Markos Chandras markos.chand...@imgtec.com Date: Wed Jan 22 14:40:00 2014 + MIPS: asm: thread_info: Add _TIF_SECCOMP flag It looks like this can be cherry-picked cleanly onto stable branches for 3.13 and 3.14. For 3.11 and 3.12, it will need trivial adjustment. For branches older than 3.11, this needs to be cherry-picked first: commit e7f3b48af7be9f8007a224663a5b91340626fed5 Author: Ralf Baechle r...@linux-mips.org Date: Wed May 29 01:02:18 2013 +0200 MIPS: Cleanup flags in syscall flags handlers. It also needs parts of 1d7bf993e0731b4ac790667c196b2a2d787f95c3 (MIPS: ftrace: Add support for syscall tracepoints.) to apply properly to stuff older than 3.11. But, I'm not so sure that is good to apply as that is a whole new feature. So I think I'll just do this by hand to get it to work properly... Wait, no, SECCOMP for MIPS isn't even in 3.10 or older kernels, so why is this a 3.2 issue? Did you add it there to your kernel for some reason? Seccomp mode 2 (i.e. filtering with BPF) was only just implenented for MIPS in 3.15. Mode 1 (fixed set of syscalls) was implemented long ago. (If prctl(PR_SET_SECCOMP) could return success when CONFIG_SECCOMP is not enabled, that would be even worse!) Ben. -- Ben Hutchings The program is absolutely right; therefore, the computer must be wrong. signature.asc Description: This is a digitally signed message part
Bug#751417: linux-image-3.2.0-4-5kc-malta: no SIGKILL after prctl(PR_SET_SECCOMP, 1, ...) on MIPS
On Thu, Jun 12, 2014 at 10:10:59PM +0100, Ben Hutchings wrote: On Thu, 2014-06-12 at 14:05 -0700, Greg KH wrote: On Thu, Jun 12, 2014 at 02:03:23PM -0700, Greg KH wrote: On Thu, Jun 12, 2014 at 09:21:41PM +0100, Ben Hutchings wrote: On Thu, 2014-06-12 at 20:36 +0100, Ben Hutchings wrote: Control: tag -1 security upstream patch moreinfo Control: severity -1 grave Control: found -1 3.14.5-1 Aurelien Jarno pointed out this appears to be fixed upstream in 3.15: commit 137f7df8cead00688524c82360930845396b8a21 Author: Markos Chandras markos.chand...@imgtec.com Date: Wed Jan 22 14:40:00 2014 + MIPS: asm: thread_info: Add _TIF_SECCOMP flag It looks like this can be cherry-picked cleanly onto stable branches for 3.13 and 3.14. For 3.11 and 3.12, it will need trivial adjustment. For branches older than 3.11, this needs to be cherry-picked first: commit e7f3b48af7be9f8007a224663a5b91340626fed5 Author: Ralf Baechle r...@linux-mips.org Date: Wed May 29 01:02:18 2013 +0200 MIPS: Cleanup flags in syscall flags handlers. It also needs parts of 1d7bf993e0731b4ac790667c196b2a2d787f95c3 (MIPS: ftrace: Add support for syscall tracepoints.) to apply properly to stuff older than 3.11. But, I'm not so sure that is good to apply as that is a whole new feature. So I think I'll just do this by hand to get it to work properly... Wait, no, SECCOMP for MIPS isn't even in 3.10 or older kernels, so why is this a 3.2 issue? Did you add it there to your kernel for some reason? Seccomp mode 2 (i.e. filtering with BPF) was only just implenented for MIPS in 3.15. Mode 1 (fixed set of syscalls) was implemented long ago. Really? I don't see _TIF_SECCOMP in the mips asm files in 3.10. I don't feel comfortable backporting it to 3.10 or 3.4, are you going to do that for 3.2? (If prctl(PR_SET_SECCOMP) could return success when CONFIG_SECCOMP is not enabled, that would be even worse!) True, but this seems to have always been broken, right? :) thanks, greg k-h -- To UNSUBSCRIBE, email to debian-kernel-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org Archive: https://lists.debian.org/20140612215947.ga8...@kroah.com
