s390x broken with unknown syscall number on kernels < 5.8
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Ubuntu on IBM z Systems |
Fix Released
|
Undecided
|
Unassigned | ||
linux (Ubuntu) |
Fix Released
|
Undecided
|
Unassigned | ||
Bionic |
Fix Released
|
Medium
|
Unassigned | ||
Focal |
Fix Released
|
Medium
|
Dan Streetman |
Bug Description
SRU Justification
Note: I marked this as affecting bionic as well, as discovered in bug 1916485.
Impact: On kernels prior to 5.8 when a task is in traced state (due to audit, ptrace, or seccomp) s390x and a syscall is issued that the kernel doesn't know about s390x will not return ENOSYS in r2 but instead will return the syscall number. This breaks userspace all over the place. The following program compiled on s390x will output 500 instead of -ENOSYS:
root@test:~# cat test.c
#define _GNU_SOURCE
#include <libgen.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
static inline int dummy_inline_
{
register long r1 asm("r1") = 500;
register long r2 asm("r2") = -1;
register long r3 asm("r3") = -1;
register long r4 asm("r4") = -1;
register long r5 asm("r5") = -1;
register long __res_r2 asm("r2");
asm volatile(
"svc 0\n\t"
: "=d"(__res_r2)
: "d"(r1), "0"(r2), "d"(r3), "d"(r4), "d"(r5)
: "memory");
return (int) __res_r2;
}
static inline int dummy_syscall(void)
{
return syscall(500, -1, -1, -1, -1);
}
int main(int argc, char *argv[])
{
}
This breaks LXD on s390x currently completely as well as strace.
Fix: Backport
commit cd29fa798001075
Author: Sven Schnelle <email address hidden>
Date: Fri Mar 6 13:18:31 2020 +0100
s390/ptrace: return -ENOSYS when invalid syscall is supplied
The current code returns the syscall number which an invalid
syscall number is supplied and tracing is enabled. This makes
the strace testsuite fail.
Signed-off-by: Sven Schnelle <email address hidden>
Signed-off-by: Vasily Gorbik <email address hidden>
which got released with 5.8. The commit missed to Cc stable and although I've asked Sven to include it in stable I'm not sure when or if it will show up there.
Regression Potential: Limited to s390x.
Test Case: The reproducer given above needs to output -ENOSYS instead of 500.
CVE References
Changed in linux (Ubuntu Focal): | |
assignee: | nobody → Dan Streetman (ddstreet) |
importance: | Undecided → Medium |
status: | New → In Progress |
Changed in linux (Ubuntu): | |
status: | Confirmed → Invalid |
Changed in linux (Ubuntu Focal): | |
status: | In Progress → Fix Committed |
Changed in ubuntu-z-systems: | |
status: | New → Fix Committed |
tags: | added: s390x |
Changed in ubuntu-z-systems: | |
status: | Fix Committed → Fix Released |
description: | updated |
Changed in linux (Ubuntu Bionic): | |
status: | New → In Progress |
importance: | Undecided → Medium |
Changed in linux (Ubuntu Bionic): | |
status: | In Progress → Fix Committed |
Changed in linux (Ubuntu): | |
status: | Invalid → Fix Released |
This needs to be backported to our 5.4 kernels.