Regression in CVE-2021-41133 fixes: While trying to apply extra data: Failed to block syscall 442 #4458
Labels
Comments
|
Debian testing/unstable, with kernel 5.14.9-2 and libseccomp 2.5.2-2, is OK. |
|
I think what's happening here is that adding seccomp rules fails if non-native architectures are allowed (so this will break extra-data, and also apps that allow non-native syscalls like Steam) and we are trying to block a syscall that libseccomp doesn't know about. We can block a syscall by its native syscall number for the current architecture, even if the syscall is not known to libseccomp; but if we have enabled multiarch, Making the seccomp filter into an allowlist instead of a denylist (which we want to do anyway, as security hardening) would solve this, but I don't know libseccomp well enough to work out how best to do that. |
This was referenced Oct 8, 2021
|
Is that really true? It seems to me that arch_syscall_translate() failing will return EFAULT, which is specifically ignored by flatpak as: |
|
Notice that it says |
|
If we fail to block the i386 version of a recently-added syscall, then we're potentially reintroducing CVE-2021-41133 for users with a newer kernel than their libseccomp, for example Debian 11 users with a backported Debian 12 kernel (which is quite a common thing to do for newer hardware support). |
|
Looking at this, I think you're right that the intention was to say r != -EFAULT. Can you try if that fixes it for you? I agree however, that this is sub-optimal in terms of security. |
Not trivially, I don't have a permanent development environment for all these older distros. I'll try to get a test-build done but it is going to take a little while. |
smcv
added a commit
to smcv/flatpak
that referenced
this issue
Oct 8, 2021
The error-handling here was
if (r < 0 && r == -EFAULT)
but Alex says it was almost certainly intended to be
if (r < 0 && r != -EFAULT)
so that syscalls not known to libseccomp are not a fatal error.
Instead of literally making that change, emit a debug message on -EFAULT
so we can see what is going on.
This temporarily weakens our defence against CVE-2021-41133
(GHSA-67h7-w3jq-vh4q) in order to avoid regressions: if the installed
version of libseccomp does not know about the recently-added syscalls,
but the kernel does, then we will not prevent non-native executables
from using those syscalls.
Resolves: flatpak#4458
Signed-off-by: Simon McVittie <smcv@collabora.com>
smcv
added a commit
to smcv/flatpak
that referenced
this issue
Oct 8, 2021
The error-handling here was
if (r < 0 && r == -EFAULT)
but Alex says it was almost certainly intended to be
if (r < 0 && r != -EFAULT)
so that syscalls not known to libseccomp are not a fatal error.
Instead of literally making that change, emit a debug message on -EFAULT
so we can see what is going on.
This temporarily weakens our defence against CVE-2021-41133
(GHSA-67h7-w3jq-vh4q) in order to avoid regressions: if the installed
version of libseccomp does not know about the recently-added syscalls,
but the kernel does, then we will not prevent non-native executables
from using those syscalls.
Resolves: flatpak#4458
Signed-off-by: Simon McVittie <smcv@collabora.com>
Maybe you already saw, but there is a runc commit linked to from the moby commit you linked in the flatpak source, and they seem to have managed to implement an allowlist by returning ENOSYS for syscall numbers higher than the highest one defined: As pointed out in their commit and source comment, there are various caveats and limitations, but it might still be better than a blocklist. (I'm not suggesting that translating that prior art into C code for Flatpak is easy, just wanted to point that out in case you didn't see.) |
alexlarsson
pushed a commit
that referenced
this issue
Oct 8, 2021
The error-handling here was
if (r < 0 && r == -EFAULT)
but Alex says it was almost certainly intended to be
if (r < 0 && r != -EFAULT)
so that syscalls not known to libseccomp are not a fatal error.
Instead of literally making that change, emit a debug message on -EFAULT
so we can see what is going on.
This temporarily weakens our defence against CVE-2021-41133
(GHSA-67h7-w3jq-vh4q) in order to avoid regressions: if the installed
version of libseccomp does not know about the recently-added syscalls,
but the kernel does, then we will not prevent non-native executables
from using those syscalls.
Resolves: #4458
Signed-off-by: Simon McVittie <smcv@collabora.com>
alexlarsson
pushed a commit
that referenced
this issue
Oct 8, 2021
The error-handling here was
if (r < 0 && r == -EFAULT)
but Alex says it was almost certainly intended to be
if (r < 0 && r != -EFAULT)
so that syscalls not known to libseccomp are not a fatal error.
Instead of literally making that change, emit a debug message on -EFAULT
so we can see what is going on.
This temporarily weakens our defence against CVE-2021-41133
(GHSA-67h7-w3jq-vh4q) in order to avoid regressions: if the installed
version of libseccomp does not know about the recently-added syscalls,
but the kernel does, then we will not prevent non-native executables
from using those syscalls.
Resolves: #4458
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit d419fa6)
Sorry, writing code to output raw BPF is way outside my knowledge - I'm already having to learn libseccomp as I go (which probably makes me not an ideal person to be implementing this security boundary, but hopefully I'm better than nothing). If you want to try their approach, please go ahead, but it is not something that I will be able to help you with. |
|
See also seccomp/libseccomp#11 and seccomp/libseccomp#286 which seem to be attempts to solve this in libseccomp. (Although each of those two issues suggests that the other one is the real solution...) |
alexlarsson
pushed a commit
that referenced
this issue
Oct 8, 2021
The error-handling here was
if (r < 0 && r == -EFAULT)
but Alex says it was almost certainly intended to be
if (r < 0 && r != -EFAULT)
so that syscalls not known to libseccomp are not a fatal error.
Instead of literally making that change, emit a debug message on -EFAULT
so we can see what is going on.
This temporarily weakens our defence against CVE-2021-41133
(GHSA-67h7-w3jq-vh4q) in order to avoid regressions: if the installed
version of libseccomp does not know about the recently-added syscalls,
but the kernel does, then we will not prevent non-native executables
from using those syscalls.
Resolves: #4458
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit d419fa6)
smcv
added a commit
to smcv/flatpak
that referenced
this issue
Oct 11, 2021
The error-handling here was
if (r < 0 && r == -EFAULT)
but Alex says it was almost certainly intended to be
if (r < 0 && r != -EFAULT)
so that syscalls not known to libseccomp are not a fatal error.
Instead of literally making that change, emit a debug message on -EFAULT
so we can see what is going on.
This temporarily weakens our defence against CVE-2021-41133
(GHSA-67h7-w3jq-vh4q) in order to avoid regressions: if the installed
version of libseccomp does not know about the recently-added syscalls,
but the kernel does, then we will not prevent non-native executables
from using those syscalls.
Resolves: flatpak#4458
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit d419fa6)
(cherry picked from commit 270701f)
ahayzen
pushed a commit
to ahayzen/flatpak
that referenced
this issue
Oct 19, 2021
The error-handling here was
if (r < 0 && r == -EFAULT)
but Alex says it was almost certainly intended to be
if (r < 0 && r != -EFAULT)
so that syscalls not known to libseccomp are not a fatal error.
Instead of literally making that change, emit a debug message on -EFAULT
so we can see what is going on.
This temporarily weakens our defence against CVE-2021-41133
(GHSA-67h7-w3jq-vh4q) in order to avoid regressions: if the installed
version of libseccomp does not know about the recently-added syscalls,
but the kernel does, then we will not prevent non-native executables
from using those syscalls.
Resolves: flatpak#4458
Signed-off-by: Simon McVittie <smcv@collabora.com>
ahayzen
pushed a commit
to ahayzen/flatpak
that referenced
this issue
Oct 20, 2021
The error-handling here was
if (r < 0 && r == -EFAULT)
but Alex says it was almost certainly intended to be
if (r < 0 && r != -EFAULT)
so that syscalls not known to libseccomp are not a fatal error.
Instead of literally making that change, emit a debug message on -EFAULT
so we can see what is going on.
This temporarily weakens our defence against CVE-2021-41133
(GHSA-67h7-w3jq-vh4q) in order to avoid regressions: if the installed
version of libseccomp does not know about the recently-added syscalls,
but the kernel does, then we will not prevent non-native executables
from using those syscalls.
Resolves: flatpak#4458
Signed-off-by: Simon McVittie <smcv@collabora.com>
smcv
added a commit
that referenced
this issue
Oct 26, 2021
The error-handling here was
if (r < 0 && r == -EFAULT)
but Alex says it was almost certainly intended to be
if (r < 0 && r != -EFAULT)
so that syscalls not known to libseccomp are not a fatal error.
Instead of literally making that change, emit a debug message on -EFAULT
so we can see what is going on.
This temporarily weakens our defence against CVE-2021-41133
(GHSA-67h7-w3jq-vh4q) in order to avoid regressions: if the installed
version of libseccomp does not know about the recently-added syscalls,
but the kernel does, then we will not prevent non-native executables
from using those syscalls.
Resolves: #4458
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit d419fa6)
(cherry picked from commit 270701f)
debarshiray
pushed a commit
to debarshiray/flatpak
that referenced
this issue
Nov 2, 2021
The error-handling here was
if (r < 0 && r == -EFAULT)
but Alex says it was almost certainly intended to be
if (r < 0 && r != -EFAULT)
so that syscalls not known to libseccomp are not a fatal error.
Instead of literally making that change, emit a debug message on -EFAULT
so we can see what is going on.
This temporarily weakens our defence against CVE-2021-41133
(GHSA-67h7-w3jq-vh4q) in order to avoid regressions: if the installed
version of libseccomp does not know about the recently-added syscalls,
but the kernel does, then we will not prevent non-native executables
from using those syscalls.
Resolves: flatpak#4458
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit d419fa6)
(cherry picked from commit 270701f)
(cherry picked from commit a0055e4)
debarshiray
pushed a commit
to debarshiray/flatpak
that referenced
this issue
Nov 2, 2021
The error-handling here was
if (r < 0 && r == -EFAULT)
but Alex says it was almost certainly intended to be
if (r < 0 && r != -EFAULT)
so that syscalls not known to libseccomp are not a fatal error.
Instead of literally making that change, emit a debug message on -EFAULT
so we can see what is going on.
This temporarily weakens our defence against CVE-2021-41133
(GHSA-67h7-w3jq-vh4q) in order to avoid regressions: if the installed
version of libseccomp does not know about the recently-added syscalls,
but the kernel does, then we will not prevent non-native executables
from using those syscalls.
Resolves: flatpak#4458
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit d419fa6)
(cherry picked from commit 270701f)
(cherry picked from commit a0055e4)
debarshiray
pushed a commit
to debarshiray/flatpak
that referenced
this issue
Nov 2, 2021
The error-handling here was
if (r < 0 && r == -EFAULT)
but Alex says it was almost certainly intended to be
if (r < 0 && r != -EFAULT)
so that syscalls not known to libseccomp are not a fatal error.
Instead of literally making that change, emit a debug message on -EFAULT
so we can see what is going on.
This temporarily weakens our defence against CVE-2021-41133
(GHSA-67h7-w3jq-vh4q) in order to avoid regressions: if the installed
version of libseccomp does not know about the recently-added syscalls,
but the kernel does, then we will not prevent non-native executables
from using those syscalls.
Resolves: flatpak#4458
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit d419fa6)
(cherry picked from commit 270701f)
(cherry picked from commit a0055e4)
debarshiray
pushed a commit
to debarshiray/flatpak
that referenced
this issue
Nov 2, 2021
The error-handling here was
if (r < 0 && r == -EFAULT)
but Alex says it was almost certainly intended to be
if (r < 0 && r != -EFAULT)
so that syscalls not known to libseccomp are not a fatal error.
Instead of literally making that change, emit a debug message on -EFAULT
so we can see what is going on.
This temporarily weakens our defence against CVE-2021-41133
(GHSA-67h7-w3jq-vh4q) in order to avoid regressions: if the installed
version of libseccomp does not know about the recently-added syscalls,
but the kernel does, then we will not prevent non-native executables
from using those syscalls.
Resolves: flatpak#4458
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit d419fa6)
(cherry picked from commit 270701f)
(cherry picked from commit a0055e4)
debarshiray
pushed a commit
to debarshiray/flatpak
that referenced
this issue
Nov 3, 2021
The error-handling here was
if (r < 0 && r == -EFAULT)
but Alex says it was almost certainly intended to be
if (r < 0 && r != -EFAULT)
so that syscalls not known to libseccomp are not a fatal error.
Instead of literally making that change, emit a debug message on -EFAULT
so we can see what is going on.
This temporarily weakens our defence against CVE-2021-41133
(GHSA-67h7-w3jq-vh4q) in order to avoid regressions: if the installed
version of libseccomp does not know about the recently-added syscalls,
but the kernel does, then we will not prevent non-native executables
from using those syscalls.
Resolves: flatpak#4458
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit d419fa6)
(cherry picked from commit 270701f)
(cherry picked from commit a0055e4)
debarshiray
pushed a commit
to debarshiray/flatpak
that referenced
this issue
Nov 3, 2021
The error-handling here was
if (r < 0 && r == -EFAULT)
but Alex says it was almost certainly intended to be
if (r < 0 && r != -EFAULT)
so that syscalls not known to libseccomp are not a fatal error.
Instead of literally making that change, emit a debug message on -EFAULT
so we can see what is going on.
This temporarily weakens our defence against CVE-2021-41133
(GHSA-67h7-w3jq-vh4q) in order to avoid regressions: if the installed
version of libseccomp does not know about the recently-added syscalls,
but the kernel does, then we will not prevent non-native executables
from using those syscalls.
Resolves: flatpak#4458
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit d419fa6)
(cherry picked from commit 270701f)
(cherry picked from commit a0055e4)
debarshiray
pushed a commit
to debarshiray/flatpak
that referenced
this issue
Jan 26, 2022
The error-handling here was
if (r < 0 && r == -EFAULT)
but Alex says it was almost certainly intended to be
if (r < 0 && r != -EFAULT)
so that syscalls not known to libseccomp are not a fatal error.
Instead of literally making that change, emit a debug message on -EFAULT
so we can see what is going on.
This temporarily weakens our defence against CVE-2021-41133
(GHSA-67h7-w3jq-vh4q) in order to avoid regressions: if the installed
version of libseccomp does not know about the recently-added syscalls,
but the kernel does, then we will not prevent non-native executables
from using those syscalls.
Resolves: flatpak#4458
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit d419fa6)
(cherry picked from commit 270701f)
(cherry picked from commit a0055e4)
debarshiray
pushed a commit
to debarshiray/flatpak
that referenced
this issue
Jan 27, 2022
The error-handling here was
if (r < 0 && r == -EFAULT)
but Alex says it was almost certainly intended to be
if (r < 0 && r != -EFAULT)
so that syscalls not known to libseccomp are not a fatal error.
Instead of literally making that change, emit a debug message on -EFAULT
so we can see what is going on.
This temporarily weakens our defence against CVE-2021-41133
(GHSA-67h7-w3jq-vh4q) in order to avoid regressions: if the installed
version of libseccomp does not know about the recently-added syscalls,
but the kernel does, then we will not prevent non-native executables
from using those syscalls.
Resolves: flatpak#4458
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit d419fa6)
(cherry picked from commit 270701f)
(cherry picked from commit a0055e4)
debarshiray
pushed a commit
to debarshiray/flatpak
that referenced
this issue
Jan 27, 2022
The error-handling here was
if (r < 0 && r == -EFAULT)
but Alex says it was almost certainly intended to be
if (r < 0 && r != -EFAULT)
so that syscalls not known to libseccomp are not a fatal error.
Instead of literally making that change, emit a debug message on -EFAULT
so we can see what is going on.
This temporarily weakens our defence against CVE-2021-41133
(GHSA-67h7-w3jq-vh4q) in order to avoid regressions: if the installed
version of libseccomp does not know about the recently-added syscalls,
but the kernel does, then we will not prevent non-native executables
from using those syscalls.
Resolves: flatpak#4458
Signed-off-by: Simon McVittie <smcv@collabora.com>
(cherry picked from commit d419fa6)
(cherry picked from commit 270701f)
(cherry picked from commit a0055e4)
ahayzen
pushed a commit
to ahayzen/flatpak
that referenced
this issue
Jan 27, 2022
The error-handling here was
if (r < 0 && r == -EFAULT)
but Alex says it was almost certainly intended to be
if (r < 0 && r != -EFAULT)
so that syscalls not known to libseccomp are not a fatal error.
Instead of literally making that change, emit a debug message on -EFAULT
so we can see what is going on.
This temporarily weakens our defence against CVE-2021-41133
(GHSA-67h7-w3jq-vh4q) in order to avoid regressions: if the installed
version of libseccomp does not know about the recently-added syscalls,
but the kernel does, then we will not prevent non-native executables
from using those syscalls.
Resolves: flatpak#4458
Signed-off-by: Simon McVittie <smcv@collabora.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Linux distribution and version
Debian 11 (kernel
5.10.46-4, libseccomp2.5.1-1); Ubuntu 20.04 (kernel5.11.0-27.29~20.04.1, libseccomp2.5.1-1ubuntu1~20.04.1)Flatpak version
1.12.0
Description of the problem
Installing extensions that have extra data (openh264, NVIDIA) fails with:
Steps to reproduce
flatpakfrom the PPA on a fresh Ubuntu 20.04 VM (the live desktop session will do)org.gnome.WeatherThe text was updated successfully, but these errors were encountered: