Bugzilla – Bug 1192594
seccomp-bpf on s390x gets wrong syscall number
Last modified: 2023-07-30 22:38:37 UTC
+++ This bug was initially created as a clone of Bug #1192051 +++

runc uses seccomp-bpf to allow only certain syscalls to be called. Ones not in the list of allowed syscalls return with -EPERM, but for forwards compatibility, syscalls which are newer than the seccomp bpf program return -ENOSYS instead.

This is broken on s390x however, because high syscall numbers (probably those unknown to the kernel) are reported as "0" to the seccomp bpf program.

This is probably fixed in mainline as the syscall entry for s390x got rewritten.

Investigation from comment 5 on the original report:

However, I noticed that strace shows the "faccessat2" syscall as

    [pid 52384] setup(0xffffffffffffff9c, 0x2aa0e5d26c0, 0x1, 0x200, 0, 0x2aa0d90ef70) = -1 EPERM

setup (== 0) is used for multiplexing syscalls, needed for numbers > 255. Maybe in the kernel this is not demultiplexed for unknown syscalls? It might work on newer kernel versions.

To confirm that it's a multiplexing issue, I wrote a test program:

    #include <seccomp.h>
    #include <fcntl.h>
    #include <unistd.h>

    int main() {
        /* Default action: raise SIGSYS for every syscall */
        scmp_filter_ctx ctx = seccomp_init(SCMP_ACT_TRAP);
        seccomp_load(ctx);
        /* 439 is the faccessat2 call that strace shows as setup */
        return syscall(439, AT_FDCWD, "asdf", X_OK, 0);
    }

Build and run like this:

    gcc seccomptest.c -I /usr/include/libseccomp/ -lseccomp -o seccomp
    strace ./seccomp

And the result shows indeed that the syscall is not set correctly in si_syscall, which is FWICT also passed to the seccomp filter.

    seccomp(SECCOMP_SET_MODE_FILTER, 0, {len=4, filter=0x105a7b0}) = 0
    setup(0xffffffffffffff9c, 0x1000858, 0x1, 0, 0x105a2a0, 0x3ffb3210684) = -1 ENETDOWN (Das Netzwerk ist nicht aktiv)
    --- SIGSYS {si_signo=SIGSYS, si_code=SYS_SECCOMP, si_call_addr=0x3ffb3006c22, si_syscall=__NR_setup, si_arch=AUDIT_ARCH_S390X} ---

faccessat2 is allowed after adding a rule for the multiplex syscall itself:

    seccomp_rule_add(ctx, SCMP_ACT_ALLOW, 0, 0);

This explains also why TW userspace did not work.
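The failure mode in the report above, modeled as an added example (not code from the reporter or from runc): a constructed filter of the shape described is evaluated by a small userspace interpreter, once with the number the caller issued (439) and once with the 0 that the filter is handed on the affected kernel. MAX_KNOWN_NR, the three allowed syscalls, run_filter and verdict are assumptions made for the illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#define MAX_KNOWN_NR 438 /* assumption: newest syscall this profile knows */
#define ALLOW(n) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (n), 0, 1), \
                 BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)
/* Constructed profile: ENOSYS above MAX_KNOWN_NR, allow exit(1), read(3),
 * write(4) by their s390x numbers, EPERM for everything else. */
static const struct sock_filter prog[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JGT | BPF_K, MAX_KNOWN_NR, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | ENOSYS),
    ALLOW(1), ALLOW(3), ALLOW(4),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
};

/* Evaluate the four cBPF opcodes used above against a given syscall number. */
static uint32_t run_filter(const struct sock_filter *f, size_t len, int nr)
{
    struct seccomp_data d = { .nr = nr };
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *i = &f[pc];
        switch (i->code) {
        case BPF_LD | BPF_W | BPF_ABS: memcpy(&acc, (char *)&d + i->k, 4); break;
        case BPF_JMP | BPF_JEQ | BPF_K: pc += acc == i->k ? i->jt : i->jf; break;
        case BPF_JMP | BPF_JGT | BPF_K: pc += acc > i->k ? i->jt : i->jf; break;
        case BPF_RET | BPF_K: return i->k;
        }
    }
    return SECCOMP_RET_KILL; /* fell off the end: treat as kill */
}

/* Errno the caller gets for the number the filter sees (0 = allowed). */
static int verdict(int nr_seen)
{
    uint32_t r = run_filter(prog, sizeof prog / sizeof prog[0], nr_seen);
    return (r & SECCOMP_RET_ACTION) == SECCOMP_RET_ALLOW ? 0 : (int)(r & SECCOMP_RET_DATA);
}
int main(void)
{
    printf("439 seen as 439: errno %d; seen as 0: errno %d\n", verdict(439), verdict(0));
    return 0;
}
```

With the correct number the caller gets ENOSYS and can fall back to an older syscall; with 0 the request falls through to the EPERM default unless number 0 itself has an allow rule, which is the workaround the report describes.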
Setting as P3, because this one is related to https://bugzilla.suse.com/show_bug.cgi?id=1192051#c7
Ping.
@Libor could you please help us get some feedback from the kernel team about this issue? It's been 5 months without any updates :/
------- Comment From vasily.gorbik@de.ibm.com 2022-04-04 14:10 EDT-------

SLES 15 SP3 is based on v5.3.18, I think this upstream commit from v5.8 should help and be backported:

commit 00332c16b1604242a56289ff2b26e283dbad0812
Author: Sven Schnelle <svens@linux.ibm.com>
AuthorDate: Fri Mar 6 13:19:34 2020 +0100

    s390/ptrace: pass invalid syscall numbers to tracing

    tracing expects to see invalid syscalls, so pass it through.
    The syscall path in entry.S checks the syscall number before
    looking up the handler, so it is still safe.
(In reply to LTC BugProxy from comment #6)
> ------- Comment From vasily.gorbik@de.ibm.com 2022-04-04 14:10 EDT-------
> commit 00332c16b1604242a56289ff2b26e283dbad0812
> Author: Sven Schnelle <svens@linux.ibm.com>
> AuthorDate: Fri Mar 6 13:19:34 2020 +0100
>
> s390/ptrace: pass invalid syscall numbers to tracing
>
> tracing expects to see invalid syscalls, so pass it through.
> The syscall path in entry.S checks the syscall number before
> looking up the handler, so it is still safe.

This commit has been merged into SLE15-SP3 since mid-August and should appear in the next update. I'm closing this bug on SUSE side.

Note that I have removed the dependency on the podman bug, because I believe it should be the other way round.
SUSE-SU-2022:3264-1: An update that solves 15 vulnerabilities, contains one feature and has 61 fixes is now available.

Category: security (important)
JIRA References: SLE-24635
Sources used:
openSUSE Leap Micro 5.2 (src): kernel-default-5.3.18-150300.59.93.1, kernel-default-base-5.3.18-150300.59.93.1.150300.18.54.1
openSUSE Leap 15.4 (src): dtb-aarch64-5.3.18-150300.59.93.1
openSUSE Leap 15.3 (src): dtb-aarch64-5.3.18-150300.59.93.1, kernel-64kb-5.3.18-150300.59.93.1, kernel-debug-5.3.18-150300.59.93.1, kernel-default-5.3.18-150300.59.93.1, kernel-default-base-5.3.18-150300.59.93.1.150300.18.54.1, kernel-docs-5.3.18-150300.59.93.1, kernel-kvmsmall-5.3.18-150300.59.93.1, kernel-obs-build-5.3.18-150300.59.93.1, kernel-obs-qa-5.3.18-150300.59.93.1, kernel-preempt-5.3.18-150300.59.93.1, kernel-source-5.3.18-150300.59.93.1, kernel-syms-5.3.18-150300.59.93.1, kernel-zfcpdump-5.3.18-150300.59.93.1
SUSE Linux Enterprise Workstation Extension 15-SP3 (src): kernel-default-5.3.18-150300.59.93.1, kernel-preempt-5.3.18-150300.59.93.1
SUSE Linux Enterprise Module for Live Patching 15-SP3 (src): kernel-default-5.3.18-150300.59.93.1, kernel-livepatch-SLE15-SP3_Update_24-1-150300.7.3.1
SUSE Linux Enterprise Module for Legacy Software 15-SP3 (src): kernel-default-5.3.18-150300.59.93.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src): kernel-docs-5.3.18-150300.59.93.1, kernel-obs-build-5.3.18-150300.59.93.1, kernel-preempt-5.3.18-150300.59.93.1, kernel-source-5.3.18-150300.59.93.1, kernel-syms-5.3.18-150300.59.93.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): kernel-64kb-5.3.18-150300.59.93.1, kernel-default-5.3.18-150300.59.93.1, kernel-default-base-5.3.18-150300.59.93.1.150300.18.54.1, kernel-preempt-5.3.18-150300.59.93.1, kernel-source-5.3.18-150300.59.93.1, kernel-zfcpdump-5.3.18-150300.59.93.1
SUSE Linux Enterprise Micro 5.2 (src): kernel-default-5.3.18-150300.59.93.1, kernel-default-base-5.3.18-150300.59.93.1.150300.18.54.1
SUSE Linux Enterprise Micro 5.1 (src): kernel-default-5.3.18-150300.59.93.1, kernel-default-base-5.3.18-150300.59.93.1.150300.18.54.1
SUSE Linux Enterprise High Availability 15-SP3 (src): kernel-default-5.3.18-150300.59.93.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:3609-1: An update that solves 26 vulnerabilities, contains two features and has 89 fixes is now available.

Category: security (important)
JIRA References: PED-529,SLE-24635
Sources used:
openSUSE Leap 15.3 (src): kernel-azure-5.3.18-150300.38.80.1, kernel-source-azure-5.3.18-150300.38.80.1, kernel-syms-azure-5.3.18-150300.38.80.1
SUSE Linux Enterprise Module for Public Cloud 15-SP3 (src): kernel-azure-5.3.18-150300.38.80.1, kernel-source-azure-5.3.18-150300.38.80.1, kernel-syms-azure-5.3.18-150300.38.80.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:3809-1: An update that solves 32 vulnerabilities, contains two features and has 84 fixes is now available.

Category: security (important)
JIRA References: PED-529,SLE-24635
Sources used:
openSUSE Leap Micro 5.2 (src): kernel-rt-5.3.18-150300.106.1
SUSE Linux Enterprise Module for Realtime 15-SP3 (src): kernel-rt-5.3.18-150300.106.1, kernel-rt_debug-5.3.18-150300.106.1, kernel-source-rt-5.3.18-150300.106.1, kernel-syms-rt-5.3.18-150300.106.1
SUSE Linux Enterprise Micro 5.2 (src): kernel-rt-5.3.18-150300.106.1
SUSE Linux Enterprise Micro 5.1 (src): kernel-rt-5.3.18-150300.106.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Verified.