------- Comment From s...@de.ibm.com 2020-07-24 10:47 EDT------- I've found the relevant code. It's the flatpak package. For a test on my s390x machine, I've just changed the check from arg 0 to arg 1: diff -uNr ./flatpak-1.6.3/common/flatpak-run.orig.c ./flatpak-1.6.3/common/flatpak-run.c --- ./flatpak-1.6.3/common/flatpak-run.orig.c 2020-07-24 15:57:17.583312438 +0200 +++ ./flatpak-1.6.3/common/flatpak-run.c 2020-07-24 16:23:35.880965987 +0200 @@ -2632,7 +2632,7 @@ {SCMP_SYS (unshare)}, {SCMP_SYS (mount)}, {SCMP_SYS (pivot_root)}, - {SCMP_SYS (clone), &SCMP_A0 (SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)}, + {SCMP_SYS (clone), &SCMP_A1 (SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)},
/* Don't allow faking input to the controlling tty (CVE-2017-5226) */ {SCMP_SYS (ioctl), &SCMP_A1 (SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int) TIOCSTI)},

Note: I've also looked into the "groovy" flatpak (1.8.1-1) source-code. There the code looks the same.

Afterwards, the seccomp filter looks like:

 line  CODE  JT   JF      K
=================================
 0000: 0x20 0x00 0x00 0x00000004  A = arch
 0001: 0x15 0x00 0x1f 0x80000016  if (A != ARCH_S390X) goto 0033
 0002: 0x20 0x00 0x00 0x00000000  A = sys_number
 0003: 0x15 0x1c 0x00 0x00000015  if (A == mount) goto 0032
 0004: 0x15 0x1b 0x00 0x00000033  if (A == acct) goto 0032
 0005: 0x15 0x1a 0x00 0x00000056  if (A == uselib) goto 0032
 0006: 0x15 0x19 0x00 0x00000067  if (A == syslog) goto 0032
 0007: 0x15 0x18 0x00 0x00000083  if (A == quotactl) goto 0032
 0008: 0x15 0x17 0x00 0x000000d9  if (A == pivot_root) goto 0032
 0009: 0x15 0x16 0x00 0x0000010c  if (A == mbind) goto 0032
 0010: 0x15 0x15 0x00 0x0000010d  if (A == get_mempolicy) goto 0032
 0011: 0x15 0x14 0x00 0x0000010e  if (A == set_mempolicy) goto 0032
 0012: 0x15 0x13 0x00 0x00000116  if (A == add_key) goto 0032
 0013: 0x15 0x12 0x00 0x00000117  if (A == request_key) goto 0032
 0014: 0x15 0x11 0x00 0x00000118  if (A == keyctl) goto 0032
 0015: 0x15 0x10 0x00 0x0000011f  if (A == migrate_pages) goto 0032
 0016: 0x15 0x0f 0x00 0x0000012f  if (A == unshare) goto 0032
 0017: 0x15 0x0e 0x00 0x00000136  if (A == move_pages) goto 0032
 0018: 0x15 0x00 0x05 0x00000036  if (A != ioctl) goto 0024
 0019: 0x20 0x00 0x00 0x00000018  A = cmd # ioctl(fd, cmd, arg)
 0020: 0x54 0x00 0x00 0x00000000  A &= 0x0
 0021: 0x15 0x00 0x09 0x00000000  if (A != 0) goto 0031
 0022: 0x20 0x00 0x00 0x0000001c  A = cmd >> 32 # ioctl(fd, cmd, arg)
 0023: 0x15 0x08 0x07 0x00005412  if (A == 0x5412) goto 0032 else goto 0031
 0024: 0x15 0x00 0x06 0x00000078  if (A != clone) goto 0031
 0025: 0x20 0x00 0x00 0x00000018  A = newsp # clone(clone_flags, newsp, parent_tidptr, child_tidptr, tls)
 0026: 0x54 0x00 0x00 0x00000000  A &= 0x0
 0027: 0x15 0x00 0x03 0x00000000  if (A != 0) goto 0031
 0028: 0x20 0x00 0x00 0x0000001c  A = newsp >> 32 # clone(clone_flags, newsp, parent_tidptr, child_tidptr, tls)
=> Now argument 1 (on s390x: flags; on x86_64: stack-pointer) is checked and clone works as expected.
 0029: 0x54 0x00 0x00 0x10000000  A &= 0x10000000
 0030: 0x15 0x01 0x00 0x10000000  if (A == 268435456) goto 0032
 0031: 0x06 0x00 0x00 0x7fff0000  return ALLOW
 0032: 0x06 0x00 0x00 0x00050001  return ERRNO(1)
 0033: 0x06 0x00 0x00 0x00000000  return KILL

Then I've rebuilt flatpak-builder 1.0.11 and the testsuite runs fine:

============================================================================
Testsuite summary for flatpak-builder 1.0.11
============================================================================
# TOTAL: 19
# PASS:  19
# SKIP:  0
# XFAIL: 0
# FAIL:  0
# XPASS: 0
# ERROR: 0
============================================================================

Please report these insights to the flatpak project. The real fix needs to use SCMP_A1 at least for SCMP_ARCH_S390X and SCMP_ARCH_S390. Perhaps there is a further architecture with a different order?

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5226

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to make-dfsg in Ubuntu.
https://bugs.launchpad.net/bugs/1886814

Title:
  posix_spawn usage in gnu make causes failures on s390x

Status in Ubuntu on IBM z Systems:
  Triaged
Status in glibc package in Ubuntu:
  New
Status in linux package in Ubuntu:
  Incomplete
Status in make-dfsg package in Ubuntu:
  New

Bug description:
  posix_spawn usage in gnu make causes failures on s390x

  Recently in gnu-make v4.3 https://paste.ubuntu.com/p/tYhbJFKN76/ it started to use posix_spawn, instead of fork()/exec().
  This has caused failure of an unrelated package flatpak-builder autopkgtests on s390x only, like so:

    echo Building
    make: echo: Operation not permitted
    make: *** [Makefile:2: all] Error 127

  Julian Klaude investigated this in-depth. His earlier research also indicated that this is a heisenbug: if one tries to print to stderr before printing to stdout, no issue occurs.

  We are configuring GNU make to be built with --disable-posix-spawn on s390x only.

  We passed these details to Debian https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964541 too.

  But I do wonder, if there is something different or incorrect about posix_spawn() implementation in either glibc, or linux kernel, on s390x. Or gnu-make's usage of posix_spawn(). As otherwise, using posix_spawn() in gnu-make works on other architectures, and flatpak-builder autopkgtests pass too.

  It seems very weird that stdout does not appear to be functional, unless stderr was opened/written to, from gnu-make execution compiled with posix-spawn feature.
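
Review bot: The replaced clone rule in the flatpak-run.c hunk (the `+` line at @@ -2632) switches to SCMP_A1 unconditionally, which matches the flags argument only on s390x; the comment itself notes that on x86_64 argument 1 is the stack pointer, so applied as-is the CLONE_NEWUSER check would test the wrong value on other architectures. Select SCMP_A0 or SCMP_A1 per architecture (the message names SCMP_ARCH_S390X and SCMP_ARCH_S390 as needing A1) and add a comment above the rule stating the argument order, in the style of the CVE-2017-5226 comment on the ioctl rule that follows it.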
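
As an added illustration (not code from flatpak or from the bug report), this C example models the SCMP_CMP_MASKED_EQ clone rule on a simplified seccomp_data and shows why checking argument 0 on s390x both rejects a harmless clone and misses a real CLONE_NEWUSER request. The struct, the helper names and the two sample calls are constructed for the example; treating 31-bit s390 like s390x follows the comment's own suggestion.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Values as in <linux/audit.h> / <linux/sched.h>, repeated so this builds anywhere. */
#define ARCH_X86_64   0xC000003Eu
#define ARCH_S390     0x00000016u
#define ARCH_S390X    0x80000016u
#define CLONE_NEWUSER 0x10000000u

/* Simplified stand-in for struct seccomp_data: what a filter sees per syscall. */
struct sc_data { uint32_t arch; uint64_t args[6]; };

/* Hypothetical helper: which raw clone() argument carries the flags.
 * Per the page, on s390x that is argument 1 (argument 0 is the stack). */
int clone_flags_index(uint32_t arch) {
    return (arch == ARCH_S390 || arch == ARCH_S390X) ? 1 : 0;
}

/* SCMP_CMP_MASKED_EQ semantics: (arg & mask) == value. */
static bool masked_eq(uint64_t arg, uint64_t mask, uint64_t value) {
    return (arg & mask) == value;
}

/* Rule before the change: always inspects argument 0. */
bool denied_fixed_a0(const struct sc_data *d) {
    return masked_eq(d->args[0], CLONE_NEWUSER, CLONE_NEWUSER);
}

/* Arch-aware rule: inspects whichever argument holds the flags. */
bool denied_arch_aware(const struct sc_data *d) {
    return masked_eq(d->args[clone_flags_index(d->arch)], CLONE_NEWUSER, CLONE_NEWUSER);
}

/* Constructed s390x samples (not captured from a real system). */
/* Harmless CLONE_VM|CLONE_VFORK|SIGCHLD, but the stack address has bit 28 set. */
const struct sc_data SPAWN_LIKE = { ARCH_S390X, { 0x000003ff9e7fe000ull, 0x4111 } };
/* Real CLONE_NEWUSER request with a stack address that lacks bit 28. */
const struct sc_data NEWUSER = { ARCH_S390X, { 0x000003ff8e7fe000ull, 0x10000011 } };

int main(void) {
    printf("spawn-like: fixed A0 denies=%d, arch-aware denies=%d\n",
           denied_fixed_a0(&SPAWN_LIKE), denied_arch_aware(&SPAWN_LIKE));
    printf("newuser:    fixed A0 denies=%d, arch-aware denies=%d\n",
           denied_fixed_a0(&NEWUSER), denied_arch_aware(&NEWUSER));
    return 0;
}
```

With the fixed argument-0 rule the outcome on s390x depends on the stack address rather than on the flags, so the result can change from one run or code path to the next.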