diff options
| author | Colin Watson <cjwatson@debian.org> | 2017-01-03 14:03:28 +0000 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2017-01-03 14:41:26 +0000 |
| commit | 851f4ab3eacf22d9a2d88426e43c8be48450e6f3 (patch) | |
| tree | 7f095be6176212bfa8fbbfb8150f772a199be96e | |
| parent | ba96642edeb90c3a6ded02d367741b26ccd21afc (diff) | |
| parent | e346421ca6852fbf9f95cf0e764ecc345e5ce21d (diff) | |
Work around clock_gettime kernel bug on Linux x32 (closes: #849923).
| -rw-r--r-- | debian/.git-dpm | 4 | ||||
| -rw-r--r-- | debian/changelog | 1 | ||||
| -rw-r--r-- | debian/patches/sandbox-x32-workaround.patch | 37 | ||||
| -rw-r--r-- | debian/patches/series | 1 | ||||
| -rw-r--r-- | sandbox-seccomp-filter.c | 9 |
5 files changed, 50 insertions, 2 deletions
diff --git a/debian/.git-dpm b/debian/.git-dpm index d413019d4..53fbcd41e 100644 --- a/debian/.git-dpm +++ b/debian/.git-dpm | |||
| @@ -1,6 +1,6 @@ | |||
| 1 | # see git-dpm(1) from git-dpm package | 1 | # see git-dpm(1) from git-dpm package |
| 2 | cc50ca70e3b438577c33a85147e2a68666deaad9 | 2 | e346421ca6852fbf9f95cf0e764ecc345e5ce21d |
| 3 | cc50ca70e3b438577c33a85147e2a68666deaad9 | 3 | e346421ca6852fbf9f95cf0e764ecc345e5ce21d |
| 4 | 971a7653746a6972b907dfe0ce139c06e4a6f482 | 4 | 971a7653746a6972b907dfe0ce139c06e4a6f482 |
| 5 | 971a7653746a6972b907dfe0ce139c06e4a6f482 | 5 | 971a7653746a6972b907dfe0ce139c06e4a6f482 |
| 6 | openssh_7.4p1.orig.tar.gz | 6 | openssh_7.4p1.orig.tar.gz |
diff --git a/debian/changelog b/debian/changelog index 872eeb404..45260a09f 100644 --- a/debian/changelog +++ b/debian/changelog | |||
| @@ -1,6 +1,7 @@ | |||
| 1 | openssh (1:7.4p1-5) UNRELEASED; urgency=medium | 1 | openssh (1:7.4p1-5) UNRELEASED; urgency=medium |
| 2 | 2 | ||
| 3 | * Create mux socket for regression tests in a temporary directory. | 3 | * Create mux socket for regression tests in a temporary directory. |
| 4 | * Work around clock_gettime kernel bug on Linux x32 (closes: #849923). | ||
| 4 | 5 | ||
| 5 | -- Colin Watson <cjwatson@debian.org> Tue, 03 Jan 2017 12:23:34 +0000 | 6 | -- Colin Watson <cjwatson@debian.org> Tue, 03 Jan 2017 12:23:34 +0000 |
| 6 | 7 | ||
diff --git a/debian/patches/sandbox-x32-workaround.patch b/debian/patches/sandbox-x32-workaround.patch new file mode 100644 index 000000000..9fabaecfa --- /dev/null +++ b/debian/patches/sandbox-x32-workaround.patch | |||
| @@ -0,0 +1,37 @@ | |||
| 1 | From e346421ca6852fbf9f95cf0e764ecc345e5ce21d Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Colin Watson <cjwatson@debian.org> | ||
| 3 | Date: Tue, 3 Jan 2017 14:01:56 +0000 | ||
| 4 | Subject: Work around clock_gettime kernel bug on Linux x32 | ||
| 5 | |||
| 6 | On Linux x32, the clock_gettime VDSO currently falls back to the x86-64 | ||
| 7 | syscall, so allow that as well as its x32 sibling. | ||
| 8 | |||
| 9 | Bug-Debian: https://bugs.debian.org/849923 | ||
| 10 | Forwarded: no | ||
| 11 | Last-Update: 2017-01-03 | ||
| 12 | |||
| 13 | Patch-Name: sandbox-x32-workaround.patch | ||
| 14 | --- | ||
| 15 | sandbox-seccomp-filter.c | 9 +++++++++ | ||
| 16 | 1 file changed, 9 insertions(+) | ||
| 17 | |||
| 18 | diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c | ||
| 19 | index 2e1ed2c5..62c578d3 100644 | ||
| 20 | --- a/sandbox-seccomp-filter.c | ||
| 21 | +++ b/sandbox-seccomp-filter.c | ||
| 22 | @@ -137,6 +137,15 @@ static const struct sock_filter preauth_insns[] = { | ||
| 23 | #endif | ||
| 24 | #ifdef __NR_clock_gettime | ||
| 25 | SC_ALLOW(clock_gettime), | ||
| 26 | +# if defined(__x86_64__) && defined(__ILP32__) | ||
| 27 | + /* On Linux x32, the clock_gettime VDSO currently falls back to the | ||
| 28 | + * x86-64 syscall (see https://bugs.debian.org/849923), so allow | ||
| 29 | + * that too. | ||
| 30 | + */ | ||
| 31 | + BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, | ||
| 32 | + __NR_clock_gettime & ~__X32_SYSCALL_BIT, 0, 1), | ||
| 33 | + BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW), | ||
| 34 | +# endif | ||
| 35 | #endif | ||
| 36 | #ifdef __NR_close | ||
| 37 | SC_ALLOW(close), | ||
diff --git a/debian/patches/series b/debian/patches/series index a743bec00..7edc511b8 100644 --- a/debian/patches/series +++ b/debian/patches/series | |||
| @@ -27,3 +27,4 @@ debian-config.patch | |||
| 27 | regress-integrity-robust.patch | 27 | regress-integrity-robust.patch |
| 28 | regress-forwarding-race.patch | 28 | regress-forwarding-race.patch |
| 29 | regress-mktemp.patch | 29 | regress-mktemp.patch |
| 30 | sandbox-x32-workaround.patch | ||
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c index 2e1ed2c52..62c578d3c 100644 --- a/sandbox-seccomp-filter.c +++ b/sandbox-seccomp-filter.c | |||
| @@ -137,6 +137,15 @@ static const struct sock_filter preauth_insns[] = { | |||
| 137 | #endif | 137 | #endif |
| 138 | #ifdef __NR_clock_gettime | 138 | #ifdef __NR_clock_gettime |
| 139 | SC_ALLOW(clock_gettime), | 139 | SC_ALLOW(clock_gettime), |
| 140 | # if defined(__x86_64__) && defined(__ILP32__) | ||
| 141 | /* On Linux x32, the clock_gettime VDSO currently falls back to the | ||
| 142 | * x86-64 syscall (see https://bugs.debian.org/849923), so allow | ||
| 143 | * that too. | ||
| 144 | */ | ||
| 145 | BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, | ||
| 146 | __NR_clock_gettime & ~__X32_SYSCALL_BIT, 0, 1), | ||
| 147 | BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW), | ||
| 148 | # endif | ||
| 140 | #endif | 149 | #endif |
| 141 | #ifdef __NR_close | 150 | #ifdef __NR_close |
| 142 | SC_ALLOW(close), | 151 | SC_ALLOW(close), |