Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1197051 - [aarch64] sshd dies with SIGSYS
Summary: [aarch64] sshd dies with SIGSYS
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: openssh
Version: rawhide
Hardware: aarch64
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Petr Lautrbach
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1406665 1406666
TreeView+ depends on / blocked
 
Reported: 2015-02-27 11:51 UTC by Richard W.M. Jones
Modified: 2016-12-21 07:46 UTC (History)
7 users (show)

Fixed In Version: openssh-6.7p1-9.fc22
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1406665 1406666 (view as bug list)
Environment:
Last Closed: 2015-03-09 08:30:29 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)
grep -i seccomp /var/log/audit/audit.log (5.31 KB, text/plain)
2015-02-27 12:51 UTC, Richard W.M. Jones
no flags Details

Description Richard W.M. Jones 2015-02-27 11:51:06 UTC
Description of problem:

With the latest sshd in Rawhide, you can no longer log in
over ssh.

The client side dies with:

$ ssh -v mustang
OpenSSH_6.6.1, OpenSSL 1.0.1k-fips 8 Jan 2015
[...]
debug1: match: OpenSSH_6.7 pat OpenSSH* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-sha1-etm none
debug1: kex: client->server aes128-ctr hmac-sha1-etm none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
Write failed: Connection reset by peer

I straced the server, and the sshd subprocess dies with SIGSYS:

[...]
1651  chroot("/var/empty/sshd")         = 0
1651  chdir("/")                        = 0
1651  setgroups(1, [74])                = 0
1651  getuid()                          = 0
1651  getgid()                          = 0
1651  setresgid(74, 74, 74)             = 0
1651  setresuid(74, 74, 74)             = 0
1651  setgid(0)                         = -1 EPERM (Operation not permitted)
1651  setresgid(-1, 0, -1)              = -1 EPERM (Operation not permitted)
1651  getgid()                          = 74
1651  getegid()                         = 74
1651  setuid(0)                         = -1 EPERM (Operation not permitted)
1651  setresuid(-1, 0, -1)              = -1 EPERM (Operation not permitted)
1651  getuid()                          = 74
1651  geteuid()                         = 74
1651  setrlimit(RLIMIT_FSIZE, {rlim_cur=0, rlim_max=0}) = 0
1651  setrlimit(RLIMIT_NOFILE, {rlim_cur=0, rlim_max=0}) = 0
1651  setrlimit(RLIMIT_NPROC, {rlim_cur=0, rlim_max=0}) = 0
1651  prctl(PR_SET_NO_NEW_PRIVS, 0x1, 0, 0, 0) = 0
1651  prctl(PR_SET_SECCOMP, 0x2, 0x3ffa849d6b8, 0, 0) = 0
1651  write(3, "\0\0\3\254\4\24\374\237\241\311s\317\177\320\376V\324J\r\350\301
\243\0\0\0\226curve25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384
,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-
sha1\0\0\0'ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519\0\0\0laes128-ctr,aes192-ctr,a
es256-ctr,aes128-gcm,aes256-gcm,chacha20-poly1305@openss
h.com\0\0\0laes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm,aes256-gcm@o
penssh.com,chacha20-poly1305\0\0\0\325umac-64-etm,umac-1
28-etm,hmac-sha2-256-etm,hmac-sha2-512-etm,h
mac-sha1-etm,umac-64,umac-128,hmac-sha2-256,
hmac-sha2-512,hmac-sha1\0\0\0\325umac-64-etm,umac-128-etm
m,hmac-sha2-256-etm,hmac-sha2-512-etm,hmac-sha1-etm@open
ssh.com,umac-64,umac-128,hmac-sha2-256,hmac-sha2-512,hma
c-sha1\0\0\0\25none,zlib\0\0\0\25none,zlib\0\0\0\0\0\0\0
\0\0\0\0\0\0\0\0\0\0", 944) = 944
1650  <... ppoll resumed> )             = 1 ([{fd=6, revents=POLLIN|POLLHUP}])
1651  +++ killed by SIGSYS +++
1650  read(6, "", 4)                    = 0
1650  --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_KILLED, si_pid=1651, si_uid=74, si_status=SIGSYS, si_utime=0, si_stime=0} ---

I have no idea what SIGSYS means.

Version-Release number of selected component (if applicable):

Fails with: openssh-server-6.7p1-8.fc23.aarch64
Works with: openssh-server-6.7p1-7.fc23.aarch64

How reproducible:

100%

Steps to Reproduce:
1. Install openssh-server -8 package.
2. Try to ssh to the machine from another.

Comment 1 Richard W.M. Jones 2015-02-27 12:03:44 UTC
Apparently SIGSYS is caused by seccomp.  Maybe something
to do with enabling seccomp recently on aarch64.  Peter?

Comment 2 Peter Robinson 2015-02-27 12:25:44 UTC
(In reply to Richard W.M. Jones from comment #1)
> Apparently SIGSYS is caused by seccomp.  Maybe something
> to do with enabling seccomp recently on aarch64.  Peter?

Possibly, Marcin actually wrote that code [rhbz 1195065] so he's likely the best to comment (it doesn't use libseccomp but the kernel API/feature directly)

Comment 3 Jakub Jelen 2015-02-27 12:41:14 UTC
SIGSYS signal is violation of seccomp filter which was enabled during -8 release for aarch64.
Can you have a look also into audit log for message SECCOMP? There should be mentioned at least syscall number which could help us.

This is related to open bug #1195065. This patch was introduced by Marcin, I tested seccomp filter on aarch64 and it worked for me somehow but there will be still some glitches probably. I will have a look.

As a workaround you can turn of sandboxing using option "UsePrivilegeSeparation yes".

Comment 4 Marcin Juszkiewicz 2015-02-27 12:49:13 UTC
type=SECCOMP msg=audit(1425041219.124:279): auid=4294967295 uid=74 gid=74 ses=4294967295 subj=system_u:system_r:sshd_net_t:s0-s0:c0.c1023 pid=819 comm="sshd" exe="/usr/sbin/sshd" sig=31 arch=c00000b7 syscall=72 compat=0 ip=0x3ffa7fbc268 code=0x0

Which is pselect6() syscall.

Comment 5 Richard W.M. Jones 2015-02-27 12:51:29 UTC
Created attachment 996013 [details]
grep -i seccomp /var/log/audit/audit.log

See attachment for SECCOMP logs.

Comment 6 Fedora Update System 2015-02-27 18:13:58 UTC
openssh-6.7p1-9.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/openssh-6.7p1-9.fc22

Comment 7 Fedora Update System 2015-02-27 19:44:01 UTC
Package openssh-6.7p1-9.fc22:
* should fix your issue,
* was pushed to the Fedora 22 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing openssh-6.7p1-9.fc22'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-2786/openssh-6.7p1-9.fc22
then log in and leave karma (feedback).

Comment 8 Fedora Update System 2015-03-09 08:30:29 UTC
openssh-6.7p1-9.fc22 has been pushed to the Fedora 22 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.