Bug 1197051
| Summary: | [aarch64] sshd dies with SIGSYS | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Richard W.M. Jones <rjones> |
| Component: | openssh | Assignee: | Petr Lautrbach <plautrba> |
| Status: | CLOSED ERRATA | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Priority: | unspecified |
| Version: | rawhide | CC: | jjelen, mattias.ellert, mgrepl, mjuszkie, pbrobinson, plautrba, tmraz |
| Hardware: | aarch64 | OS: | Unspecified |
| Fixed In Version: | openssh-6.7p1-9.fc22 | Doc Type: | Bug Fix |
| Last Closed: | 2015-03-09 08:30:29 UTC | Type: | Bug |
| Bug Blocks: | 1406665, 1406666 | | |
Apparently SIGSYS is caused by seccomp. Maybe something to do with enabling seccomp recently on aarch64. Peter?

(In reply to Richard W.M. Jones from comment #1)
> Apparently SIGSYS is caused by seccomp. Maybe something
> to do with enabling seccomp recently on aarch64. Peter?

Possibly, Marcin actually wrote that code [rhbz 1195065] so he's likely the best to comment (it doesn't use libseccomp but the kernel API/feature directly)

SIGSYS signal is violation of seccomp filter which was enabled during -8 release for aarch64. Can you have a look also into audit log for message SECCOMP? There should be mentioned at least syscall number which could help us.

This is related to open bug #1195065. This patch was introduced by Marcin, I tested seccomp filter on aarch64 and it worked for me somehow but there will be still some glitches probably. I will have a look. As a workaround you can turn off sandboxing using option "UsePrivilegeSeparation yes".

type=SECCOMP msg=audit(1425041219.124:279): auid=4294967295 uid=74 gid=74 ses=4294967295 subj=system_u:system_r:sshd_net_t:s0-s0:c0.c1023 pid=819 comm="sshd" exe="/usr/sbin/sshd" sig=31 arch=c00000b7 syscall=72 compat=0 ip=0x3ffa7fbc268 code=0x0

Which is pselect6() syscall.

Created attachment 996013
grep -i seccomp /var/log/audit/audit.log
See attachment for SECCOMP logs.
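For triaging records like the one quoted above, here is an added example (not part of the bug report or of openssh) that decodes `type=SECCOMP` audit lines into architecture, syscall name and signal, then counts the syscalls a filter is killing a process for. The lookup tables are small excerpts of the kernel's tables, and the second and third log lines are constructed for illustration.

```python
import re
from collections import Counter

# Excerpts from the kernel's AUDIT_ARCH_* constants and syscall tables;
# only the entries this example needs.
AUDIT_ARCH = {0xC00000B7: "aarch64", 0xC000003E: "x86_64"}
SYSCALLS = {
    "aarch64": {63: "read", 64: "write", 72: "pselect6", 73: "ppoll"},
    "x86_64": {0: "read", 1: "write", 7: "poll", 23: "select",
               270: "pselect6", 271: "ppoll"},
}
SIGSYS = 31  # Linux signal number on both architectures listed above
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# The record quoted in this bug, followed by two constructed lines.
SAMPLE_LOG = [
    'type=SECCOMP msg=audit(1425041219.124:279): auid=4294967295 uid=74 '
    'gid=74 ses=4294967295 subj=system_u:system_r:sshd_net_t:s0-s0:c0.c1023 '
    'pid=819 comm="sshd" exe="/usr/sbin/sshd" sig=31 arch=c00000b7 '
    'syscall=72 compat=0 ip=0x3ffa7fbc268 code=0x0',
    'type=SECCOMP msg=audit(1425041300.001:301): uid=74 pid=901 comm="sshd" '
    'exe="/usr/sbin/sshd" sig=31 arch=c00000b7 syscall=72 compat=0 code=0x0',
    'type=USER_LOGIN msg=audit(1425041301.500:302): pid=1 uid=0 res=failed',
]

def decode_seccomp(record):
    """Decode one audit line; return None unless it is a usable SECCOMP record."""
    fields = {k: v.strip('"') for k, v in FIELD.findall(record)}
    if fields.get("type") != "SECCOMP":
        return None
    try:
        arch = AUDIT_ARCH.get(int(fields["arch"], 16), "unknown")
        nr = int(fields["syscall"])
        return {"pid": int(fields["pid"]), "exe": fields["exe"], "arch": arch,
                "syscall_nr": nr,
                # The number only has meaning together with the architecture.
                "syscall": SYSCALLS.get(arch, {}).get(nr, "unknown"),
                "killed_by_sigsys": int(fields["sig"]) == SIGSYS}
    except (KeyError, ValueError):
        return None  # truncated or malformed record

def blocked_syscalls(lines):
    """Count SIGSYS kills per (exe, arch, syscall): the filter's missing entries."""
    hits = (decode_seccomp(line) for line in lines)
    return Counter((h["exe"], h["arch"], h["syscall"])
                   for h in hits if h and h["killed_by_sigsys"])

if __name__ == "__main__":
    for key, count in blocked_syscalls(SAMPLE_LOG).items():
        print(count, *key)
```

The `arch` field has to be decoded before the syscall number: 72 is pselect6 in the aarch64 table, while the same call is 270 on x86_64.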
openssh-6.7p1-9.fc22 has been submitted as an update for Fedora 22.
https://admin.fedoraproject.org/updates/openssh-6.7p1-9.fc22

Package openssh-6.7p1-9.fc22:
* should fix your issue,
* was pushed to the Fedora 22 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing openssh-6.7p1-9.fc22'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-2786/openssh-6.7p1-9.fc22
then log in and leave karma (feedback).

openssh-6.7p1-9.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Description of problem:

With the latest sshd in Rawhide, you can no longer log in over ssh. The client side dies with:

$ ssh -v mustang
OpenSSH_6.6.1, OpenSSL 1.0.1k-fips 8 Jan 2015
[...]
debug1: match: OpenSSH_6.7 pat OpenSSH* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-sha1-etm none
debug1: kex: client->server aes128-ctr hmac-sha1-etm none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
Write failed: Connection reset by peer

I straced the server, and the sshd subprocess dies with SIGSYS:

[...]
1651 chroot("/var/empty/sshd") = 0
1651 chdir("/") = 0
1651 setgroups(1, [74]) = 0
1651 getuid() = 0
1651 getgid() = 0
1651 setresgid(74, 74, 74) = 0
1651 setresuid(74, 74, 74) = 0
1651 setgid(0) = -1 EPERM (Operation not permitted)
1651 setresgid(-1, 0, -1) = -1 EPERM (Operation not permitted)
1651 getgid() = 74
1651 getegid() = 74
1651 setuid(0) = -1 EPERM (Operation not permitted)
1651 setresuid(-1, 0, -1) = -1 EPERM (Operation not permitted)
1651 getuid() = 74
1651 geteuid() = 74
1651 setrlimit(RLIMIT_FSIZE, {rlim_cur=0, rlim_max=0}) = 0
1651 setrlimit(RLIMIT_NOFILE, {rlim_cur=0, rlim_max=0}) = 0
1651 setrlimit(RLIMIT_NPROC, {rlim_cur=0, rlim_max=0}) = 0
1651 prctl(PR_SET_NO_NEW_PRIVS, 0x1, 0, 0, 0) = 0
1651 prctl(PR_SET_SECCOMP, 0x2, 0x3ffa849d6b8, 0, 0) = 0
1651 write(3, "\0\0\3\254\4\24\374\237\241\311s\317\177\320\376V\324J\r\350\301 \243\0\0\0\226curve25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384 ,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14- sha1\0\0\0'ssh-rsa,ecdsa-sha2-nistp256,ssh-ed25519\0\0\0laes128-ctr,aes192-ctr,a es256-ctr,aes128-gcm,aes256-gcm,chacha20-poly1305@openss h.com\0\0\0laes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm,aes256-gcm@o penssh.com,chacha20-poly1305\0\0\0\325umac-64-etm,umac-1 28-etm,hmac-sha2-256-etm,hmac-sha2-512-etm,h mac-sha1-etm,umac-64,umac-128,hmac-sha2-256, hmac-sha2-512,hmac-sha1\0\0\0\325umac-64-etm,umac-128-etm m,hmac-sha2-256-etm,hmac-sha2-512-etm,hmac-sha1-etm@open ssh.com,umac-64,umac-128,hmac-sha2-256,hmac-sha2-512,hma c-sha1\0\0\0\25none,zlib\0\0\0\25none,zlib\0\0\0\0\0\0\0 \0\0\0\0\0\0\0\0\0\0", 944) = 944
1650 <... ppoll resumed> ) = 1 ([{fd=6, revents=POLLIN|POLLHUP}])
1651 +++ killed by SIGSYS +++
1650 read(6, "", 4) = 0
1650 --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_KILLED, si_pid=1651, si_uid=74, si_status=SIGSYS, si_utime=0, si_stime=0} ---

I have no idea what SIGSYS means.

Version-Release number of selected component (if applicable):

Fails with: openssh-server-6.7p1-8.fc23.aarch64
Works with: openssh-server-6.7p1-7.fc23.aarch64

How reproducible:

100%

Steps to Reproduce:
1. Install openssh-server -8 package.
2. Try to ssh to the machine from another.