Comment 8 for bug 1886814

Revision history for this message
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2020-07-24 10:47 EDT-------
I've found the relevant code. It's the flatpak package. For a test on my s390x machine, I've just changed the check from arg 0 to arg 1:
diff -uNr ./flatpak-1.6.3/common/flatpak-run.orig.c ./flatpak-1.6.3/common/flatpak-run.c
--- ./flatpak-1.6.3/common/flatpak-run.orig.c 2020-07-24 15:57:17.583312438 +0200
+++ ./flatpak-1.6.3/common/flatpak-run.c 2020-07-24 16:23:35.880965987 +0200
@@ -2632,7 +2632,7 @@
{SCMP_SYS (unshare)},
{SCMP_SYS (mount)},
{SCMP_SYS (pivot_root)},
- {SCMP_SYS (clone), &SCMP_A0 (SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)},
+ {SCMP_SYS (clone), &SCMP_A1 (SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)},

/* Don't allow faking input to the controlling tty (CVE-2017-5226) */
{SCMP_SYS (ioctl), &SCMP_A1 (SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int) TIOCSTI)},
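Review bot: the switch from SCMP_A0 to SCMP_A1 on the clone rule is unconditional, so on every architecture where the flags are the first clone() argument (x86_64, as this report itself notes below) the filter now inspects the child stack pointer instead of the flags and the CLONE_NEWUSER block no longer fires. Select the argument index by target architecture instead, keeping SCMP_A0 as the default and using SCMP_A1 only where the kernel's CONFIG_CLONE_BACKWARDS2 layout clone(newsp, flags, ...) applies, i.e. s390/s390x (`#if defined(__s390__) || defined(__s390x__)`, or a runtime check of seccomp_arch_native() against SCMP_ARCH_S390 / SCMP_ARCH_S390X). Also worth a comment next to the rule: a MASKED_EQ test against the stack pointer is not merely ineffective, it returns EPERM whenever bit 28 of the stack address happens to be set, so the wrong index produces spurious clone() failures as well as missed CLONE_NEWUSER calls.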

Note:
I've also looked into the "groovy" flatpak (1.8.1-1) source-code. There the code looks the same.

Afterwards, the seccomp filter looks like:
line CODE JT JF K
=================================
0000: 0x20 0x00 0x00 0x00000004 A = arch
0001: 0x15 0x00 0x1f 0x80000016 if (A != ARCH_S390X) goto 0033
0002: 0x20 0x00 0x00 0x00000000 A = sys_number
0003: 0x15 0x1c 0x00 0x00000015 if (A == mount) goto 0032
0004: 0x15 0x1b 0x00 0x00000033 if (A == acct) goto 0032
0005: 0x15 0x1a 0x00 0x00000056 if (A == uselib) goto 0032
0006: 0x15 0x19 0x00 0x00000067 if (A == syslog) goto 0032
0007: 0x15 0x18 0x00 0x00000083 if (A == quotactl) goto 0032
0008: 0x15 0x17 0x00 0x000000d9 if (A == pivot_root) goto 0032
0009: 0x15 0x16 0x00 0x0000010c if (A == mbind) goto 0032
0010: 0x15 0x15 0x00 0x0000010d if (A == get_mempolicy) goto 0032
0011: 0x15 0x14 0x00 0x0000010e if (A == set_mempolicy) goto 0032
0012: 0x15 0x13 0x00 0x00000116 if (A == add_key) goto 0032
0013: 0x15 0x12 0x00 0x00000117 if (A == request_key) goto 0032
0014: 0x15 0x11 0x00 0x00000118 if (A == keyctl) goto 0032
0015: 0x15 0x10 0x00 0x0000011f if (A == migrate_pages) goto 0032
0016: 0x15 0x0f 0x00 0x0000012f if (A == unshare) goto 0032
0017: 0x15 0x0e 0x00 0x00000136 if (A == move_pages) goto 0032
0018: 0x15 0x00 0x05 0x00000036 if (A != ioctl) goto 0024
0019: 0x20 0x00 0x00 0x00000018 A = cmd # ioctl(fd, cmd, arg)
0020: 0x54 0x00 0x00 0x00000000 A &= 0x0
0021: 0x15 0x00 0x09 0x00000000 if (A != 0) goto 0031
0022: 0x20 0x00 0x00 0x0000001c A = cmd >> 32 # ioctl(fd, cmd, arg)
0023: 0x15 0x08 0x07 0x00005412 if (A == 0x5412) goto 0032 else goto 0031
0024: 0x15 0x00 0x06 0x00000078 if (A != clone) goto 0031
0025: 0x20 0x00 0x00 0x00000018 A = newsp # clone(clone_flags, newsp, parent_tidptr, child_tidptr, tls)
0026: 0x54 0x00 0x00 0x00000000 A &= 0x0
0027: 0x15 0x00 0x03 0x00000000 if (A != 0) goto 0031
0028: 0x20 0x00 0x00 0x0000001c A = newsp >> 32 # clone(clone_flags, newsp, parent_tidptr, child_tidptr, tls)
=> Now argument 1 (on s390x: flags; on x86_64: stack-pointer) is checked and clone works as expected.
0029: 0x54 0x00 0x00 0x10000000 A &= 0x10000000
0030: 0x15 0x01 0x00 0x10000000 if (A == 268435456) goto 0032
0031: 0x06 0x00 0x00 0x7fff0000 return ALLOW
0032: 0x06 0x00 0x00 0x00050001 return ERRNO(1)
0033: 0x06 0x00 0x00 0x00000000 return KILL

Then I've rebuilt flatpak-builder 1.0.11 and the testsuite runs fine:
============================================================================
Testsuite summary for flatpak-builder 1.0.11
============================================================================
# TOTAL: 19
# PASS: 19
# SKIP: 0
# XFAIL: 0
# FAIL: 0
# XPASS: 0
# ERROR: 0
============================================================================

Please report these insights to the flatpak project. The real fix needs to use SCMP_A1 at least for SCMP_ARCH_S390X and SCMP_ARCH_S390. Perhaps there is a further architecture with a different order?
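To make the argument-order problem concrete, here is an added example written for this page; it is not flatpak's code and not part of the comment above. It is a small C model of the filter libseccomp emits for `{SCMP_SYS (clone), &SCMP_Ax (SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)}` (the same 0x20/0x15/0x54/0x06 instructions as the dump above), evaluated against constructed seccomp_data records instead of being installed with prctl(), so it runs on any host. It assumes the little-endian word layout that libseccomp's disassembly labels use, the x86_64 and s390x syscall numbers and arch tokens from the kernel UAPI headers, and constructed child-stack addresses; the names build_filter, run_filter, verdict, verdict_per_arch and clone_flags_index are its own.

```c
/* Added example: model of the seccomp-BPF clone(CLONE_NEWUSER) rule for
 * x86_64 (flags in arg 0) and s390x (flags in arg 1).  Not flatpak code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants copied from the Linux UAPI headers so no kernel headers are needed. */
#define AUDIT_ARCH_X86_64   0xc000003eu
#define AUDIT_ARCH_S390X    0x80000016u
#define NR_CLONE_X86_64     56u
#define NR_CLONE_S390X      120u
#define CLONE_NEWUSER_FLAG  0x10000000u
#define SECCOMP_RET_KILL    0x00000000u
#define SECCOMP_RET_ERRNO   0x00050000u
#define SECCOMP_RET_ALLOW   0x7fff0000u
#define BPF_LD_W_ABS 0x20   /* A = word at offset k in seccomp_data */
#define BPF_JEQ_K    0x15   /* if (A == k) pc += jt else pc += jf   */
#define BPF_AND_K    0x54   /* A &= k                               */
#define BPF_RET_K    0x06   /* return k                             */

struct sock_filter { uint16_t code; uint8_t jt, jf; uint32_t k; };
struct seccomp_data { int32_t nr; uint32_t arch; uint64_t ip; uint64_t args[6]; };

/* Absolute load from seccomp_data: nr at 0, arch at 4, args[i] at 16 + 8*i.
 * The first word of an argument is its low half (little-endian layout, which
 * is what libseccomp's disassembly labels assume; s390x swaps the halves). */
static uint32_t load_word(const struct seccomp_data *d, uint32_t off)
{
    if (off == 0) return (uint32_t)d->nr;
    if (off == 4) return d->arch;
    if (off >= 16 && off < 64) {
        uint64_t a = d->args[(off - 16) / 8];
        return ((off - 16) % 8 == 0) ? (uint32_t)a : (uint32_t)(a >> 32);
    }
    return 0;
}

/* Minimal classic-BPF interpreter for the four opcodes the rule uses. */
static uint32_t run_filter(const struct sock_filter *prog, size_t len,
                           const struct seccomp_data *d)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &prog[pc];
        switch (in->code) {
        case BPF_LD_W_ABS: acc = load_word(d, in->k); break;
        case BPF_AND_K:    acc &= in->k; break;
        case BPF_JEQ_K:    pc += (acc == in->k) ? in->jt : in->jf; break;
        case BPF_RET_K:    return in->k;
        default:           return SECCOMP_RET_KILL;
        }
    }
    return SECCOMP_RET_KILL;
}

enum { FILTER_LEN = 13 };

/* Same shape as the dump: kill foreign-arch calls, allow everything but clone,
 * and for clone compare args[flags_idx] & CLONE_NEWUSER against CLONE_NEWUSER. */
static void build_filter(struct sock_filter out[FILTER_LEN], uint32_t arch,
                         uint32_t nr_clone, unsigned flags_idx)
{
    uint32_t lo = 16 + 8 * flags_idx;             /* low half of the argument  */
    uint32_t hi = lo + 4;                         /* high half                 */
    const struct sock_filter prog[FILTER_LEN] = {
        {BPF_LD_W_ABS, 0, 0, 4},                  /*  0: A = arch              */
        {BPF_JEQ_K, 0, 10, arch},                 /*  1: foreign arch -> 12    */
        {BPF_LD_W_ABS, 0, 0, 0},                  /*  2: A = sys_number        */
        {BPF_JEQ_K, 0, 6, nr_clone},              /*  3: not clone -> 10       */
        {BPF_LD_W_ABS, 0, 0, hi},                 /*  4: A = arg >> 32         */
        {BPF_AND_K, 0, 0, 0},                     /*  5: mask has no high bits */
        {BPF_JEQ_K, 0, 3, 0},                     /*  6: always falls through  */
        {BPF_LD_W_ABS, 0, 0, lo},                 /*  7: A = arg (low half)    */
        {BPF_AND_K, 0, 0, CLONE_NEWUSER_FLAG},    /*  8: A &= CLONE_NEWUSER    */
        {BPF_JEQ_K, 1, 0, CLONE_NEWUSER_FLAG},    /*  9: set -> 11, else -> 10 */
        {BPF_RET_K, 0, 0, SECCOMP_RET_ALLOW},     /* 10 */
        {BPF_RET_K, 0, 0, SECCOMP_RET_ERRNO | 1}, /* 11: ERRNO(1) = EPERM      */
        {BPF_RET_K, 0, 0, SECCOMP_RET_KILL},      /* 12 */
    };
    memcpy(out, prog, sizeof prog);
}

static uint32_t nr_clone_for(uint32_t arch)
{
    return arch == AUDIT_ARCH_S390X ? NR_CLONE_S390X : NR_CLONE_X86_64;
}

/* Verdict of the rule built with a fixed SCMP_A<flags_idx> for one syscall,
 * with arg0/arg1 given in the architecture's own register order. */
static uint32_t verdict(uint32_t arch, uint32_t nr, unsigned flags_idx,
                        uint64_t arg0, uint64_t arg1)
{
    struct sock_filter prog[FILTER_LEN];
    struct seccomp_data d = { .nr = (int32_t)nr, .arch = arch };
    d.args[0] = arg0;
    d.args[1] = arg1;
    build_filter(prog, arch, nr_clone_for(arch), flags_idx);
    return run_filter(prog, FILTER_LEN, &d);
}

/* The per-architecture choice: s390 uses the kernel's CLONE_BACKWARDS2 order
 * clone(newsp, flags, ...), so the flags are argument 1 there. */
static unsigned clone_flags_index(uint32_t arch)
{
    return arch == AUDIT_ARCH_S390X ? 1 : 0;
}

static uint32_t verdict_per_arch(uint32_t arch, uint32_t nr, uint64_t arg0, uint64_t arg1)
{
    return verdict(arch, nr, clone_flags_index(arch), arg0, arg1);
}

int main(void)
{
    const uint64_t sp = 0x7ffd0ab00000ull;   /* constructed child stack, bit 28 clear */
    printf("x86_64 A0: %#x  A1: %#x\n",
           verdict(AUDIT_ARCH_X86_64, NR_CLONE_X86_64, 0, CLONE_NEWUSER_FLAG, sp),
           verdict(AUDIT_ARCH_X86_64, NR_CLONE_X86_64, 1, CLONE_NEWUSER_FLAG, sp));
    printf("s390x  A0: %#x  A1: %#x\n",
           verdict(AUDIT_ARCH_S390X, NR_CLONE_S390X, 0, sp, CLONE_NEWUSER_FLAG),
           verdict(AUDIT_ARCH_S390X, NR_CLONE_S390X, 1, sp, CLONE_NEWUSER_FLAG));
    return 0;
}
```

With the same CLONE_NEWUSER call on both architectures, a fixed index 0 blocks it on x86_64 but lets it through on s390x, a fixed index 1 does the reverse, and only clone_flags_index() blocks it on both. The model also shows the other half of the symptom: when the rule tests the stack pointer by mistake, any stack address with bit 28 set (0x3ffd1ab00000 in the test below) yields EPERM for an ordinary clone(), which is a spurious failure rather than a missed sandbox escape.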