QEMU

Passes through prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, address)

Bug #1726394 reported by Julian Andres Klode
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
QEMU
Fix Released
Undecided
Unassigned
qemu (Debian)
Fix Released
Unknown
qemu (Ubuntu)
Fix Released
Medium
Unassigned
Xenial
Won't Fix
Undecided
Unassigned
Zesty
Won't Fix
Undecided
Unassigned
Artful
Won't Fix
Undecided
Unassigned

Bug Description

qemu-user passes through prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, address) unmodified, but the third argument is an address to a BPF filter, causing an EFAULT. Now, the filter is architecture-specifc, so you can't just rewrite the addresses, so the safest bet is to just return an error here.

I guess you should just return EINVAL, but not sure. I'd really like something that can be identified, so seccomp errors can be ignored when it's not supported.

Tags: linux-user
Revision history for this message
Julian Andres Klode (juliank) wrote :

Returning EINVAL would make sense, as that's what a pre-seccomp kernel or a kernel built without seccomp support would do.

Revision history for this message
Julian Andres Klode (juliank) wrote :

I worked around this in APT for now by ignoring EFAULT or rather, printing a warning. It would be nice to not do this though.

Changed in qemu (Ubuntu):
importance: Undecided → Medium
status: New → Triaged
Julian Andres Klode (juliank)
Changed in qemu (Ubuntu):
status: Triaged → Fix Committed
Bug Watch Updater (bug-watch-updater)
Changed in qemu (Debian):
status: Unknown → Confirmed
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

FYI - this is from http://lists.nongnu.org/archive/html/qemu-devel/2017-11/msg00417.html

Upstream response looks good, but not committed there yet.

@Julian - given the case will you need this as an SRU as well or is it only tied to newer apt (or newer apt use cases)?

Test queues in Bionic are still stalling this, there was an error on an iso test on s390x which seemed unrelated to the update - I retriggered for now as I'd assume it needs a newer fixed daily iso.

Revision history for this message
Peter Maydell (pmaydell) wrote :

v2 of the patch (https://lists.gnu.org/archive/html/qemu-devel/2017-11/msg01199.html) has been accepted upstream, though it isn't in master yet.

tags: added: linux-user
Changed in qemu:
status: New → In Progress
Revision history for this message
Julian Andres Klode (juliank) wrote :

@pmaydell It's actually https://lists.gnu.org/archive/html/qemu-devel/2017-11/msg00828.html :)

@paelzer It mostly depends how people run a apt 1.6 foreign architecture chroot with the same pointer size as the host architecture - if they install qemu-user inside the chroot, they're fine, if they copy an old version from the outside, they're not. If the copying is common, we might want to SRU that back to xenial and newer I guess.

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

This was blocked migrating on a autopkgtest for a known issue now resolved.
TL;DR no bionic images. Resolved now, should migrate soon.

While the final fix now accepted in linux-user is slightly different, the difference is only a comment. It is therefore fine if we pick this up on next merge for Bionic.

Once complete I can plan SRU uploads for this.

Changed in qemu (Ubuntu Xenial):
status: New → Triaged
Changed in qemu (Ubuntu Zesty):
status: New → Triaged
Changed in qemu (Ubuntu Artful):
status: New → Triaged
Revision history for this message
Julian Andres Klode (juliank) wrote :

I think we can skip SRUing this, apt now has a new workaround based on execve()ing with QEMU_VERSION=meow, which calls qemu-user to exit with 0. It executes a program guaranteed to exit with 1, and just disables seccomp if that exits with 0.

https://anonscm.debian.org/cgit/apt/apt.git/commit/?id=243acdee176dd90cb2838690cb5abbd64d4da905

It's hacky, but it works :)

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Ok, thanks for the info Julian!

Changed in qemu (Ubuntu Xenial):
status: Triaged → Won't Fix
Changed in qemu (Ubuntu Zesty):
status: Triaged → Won't Fix
Changed in qemu (Ubuntu Artful):
status: Triaged → Won't Fix
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package qemu - 1:2.10+dfsg-0ubuntu4

---------------
qemu (1:2.10+dfsg-0ubuntu4) bionic; urgency=medium

  * Apply linux-user-return-EINVAL-from-prctl-PR_-_SECCOMP.patch from
    James Cowgill to prevent qemu-user from forwarding prctl seccomp
    calls (LP: #1726394)

 -- Julian Andres Klode <email address hidden> Sat, 04 Nov 2017 00:21:14 +0100

Changed in qemu (Ubuntu):
status: Fix Committed → Fix Released
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

See it passed [1] but britney not picking up.
Giving it some time to do so.

[1]: https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-bionic/bionic/amd64/o/open-iscsi/20171114_135029_17bf1@/log.gz

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

LP, this was unfair to reverse-pass me :-)
Anyway - done - thanks Julian and James C. for your work on that.

Revision history for this message
Thomas Huth (th-huth) wrote :

Fix has been released with QEMU 2.11:
https://git.qemu.org/?p=qemu.git;a=commitdiff;h=a8b154a637b586441b

Changed in qemu:
status: In Progress → Fix Released
Bug Watch Updater (bug-watch-updater)
Changed in qemu (Debian):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.