From: Stefano Brivio <sbrivio@redhat.com>
To: passt-user@passt.top
Subject: Re: qemu couldn't connect the unix domain socket
Date: Fri, 29 Oct 2021 09:44:24 +0200 [thread overview]
Message-ID: <20211029094424.7da1a817@elisabeth> (raw)
In-Reply-To: <CAHckoCzGHToxtgd_BeJDbD5xmv4-NDbejDPq5atE-Tn2VtRgog@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 4313 bytes --]
Hi Feng Li,
On Fri, 29 Oct 2021 13:27:44 +0800
Li Feng <fengli(a)smartx.com> wrote:
> Hi Stefano,
>
> I got the coredump file, it reports the `fork` syscall is bad:
>
> Program terminated with signal SIGSYS, Bad system call.
> #0 __GI__Fork () at ../sysdeps/nptl/_Fork.c:50
> 50 return pid;
> (gdb) bt
> #0 __GI__Fork () at ../sysdeps/nptl/_Fork.c:50
> #1 0x00007f8c04fdc02a in __libc_fork () at fork.c:73
> #2 0x00007f8c05009f8b in daemon (nochdir=0, noclose=0) at daemon.c:48
> #3 0x000000000040c1e9 in main (argc=1, argv=0x7ffd10b5cd78) at passt.c:368
> quit)
That's not necessarily because of fork() -- fork() is already in the
list of allowed syscalls. The signal is asynchronous, it might be
received a bit before or after passt is executing what you see in gdb.
This is probably another syscall triggered by daemon() in the specific
glibc version (2.34-7.fc35) on your system -- I haven't tested Fedora
35 yet. An easy way to find out which one is the syscall causing this
is using strace.
For example, suppose I forgot to add listen() to the list of allowed
syscalls:
diff --git a/passt.c b/passt.c
index 6436a45..43249cf 100644
--- a/passt.c
+++ b/passt.c
@@ -277,3 +277,3 @@ static void pid_file(struct ctx *c) {
* #syscalls read write open close fork dup2 exit chdir ioctl writev syslog
- * #syscalls prlimit64 epoll_ctl epoll_create1 epoll_wait accept4 accept listen
+ * #syscalls prlimit64 epoll_ctl epoll_create1 epoll_wait accept4 accept
* #syscalls socket bind connect getsockopt setsockopt recvfrom sendto shutdown
Then:
$ strace ./passt
[...]
setsockopt(6, SOL_SOCKET, SO_SNDBUF, [1073741823], 4) = 0
getsockopt(6, SOL_SOCKET, SO_SNDBUF, [268435456], [4]) = 0
setsockopt(6, SOL_SOCKET, SO_RCVBUF, [1073741823], 4) = 0
getsockopt(6, SOL_SOCKET, SO_RCVBUF, [268435456], [4]) = 0
close(6) = 0
socket(AF_UNIX, SOCK_STREAM, 0) = 6
socket(AF_UNIX, SOCK_STREAM|SOCK_NONBLOCK, 0) = 7
connect(7, {sa_family=AF_UNIX, sun_path="/tmp/passt_1.socket"}, 110) = -1 ENOENT (No such file or directory)
close(7) = 0
unlink("/tmp/passt_1.socket") = -1 ENOENT (No such file or directory)
bind(6, {sa_family=AF_UNIX, sun_path="/tmp/passt_1.socket"}, 110) = 0
write(2, "UNIX domain socket bound at /tmp"..., 48UNIX domain socket bound at /tmp/passt_1.socket
) = 48
write(2, "\n", 1
) = 1
listen(6, 0) = ?
+++ killed by SIGSYS +++
Bad system call
you would see that listen() is the first syscall not returning here
(strace can't see a return from there).
It's around daemon(), and the process might have forked already, so you
should run strace with the -f option, which also traces child processes:
strace -f ./passt
the missing syscall should now be obvious from the output.
> Looks like the seccomp is still badly configured.
> I have little knowledge about the seccomp.
Short summary: this is seccomp in filter mode (seccomp-bpf), it's a
mechanism to block the system call (terminating the process, here) in
case it's a syscall we didn't expect to be executed.
It's a security feature: that's to avoid that an attacker, who already
gained some control on the process execution, is able to potentially
exploit a further vulnerability (e.g. in the kernel) by executing a
particular syscall. This is a relatively famous example of it:
https://reverse.put.as/2017/11/07/exploiting-cve-2017-5123/
passt implements this as a list of syscalls in code comments, those are
translated by seccomp.sh into a BPF program, which is then loaded by
seccomp() in passt.c. If a syscall not included in the resulting list
is triggered, the kernel will terminate the process with a SYGSYS
signal.
However, different C libraries (on different architectures) might issue
different syscalls to implement the same function (daemon(), here), and
the list I made was just tested on the systems I use and the reports of
a few other users, so some are surely missing right now.
While adding tests for OpenSUSE and Debian, I already found a few
alternative syscalls for some functions (I'll prepare a patch soon) --
I haven't started with Fedora 35 tests yet.
--
Stefano
next prev parent reply other threads:[~2021-10-29 7:44 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-26 5:28 qemu couldn't connect the unix domain socket Li Feng
2021-10-28 4:25 ` Li Feng
2021-10-28 7:30 ` Stefano Brivio
2021-10-29 3:33 ` Li Feng
2021-10-29 5:27 ` Li Feng
2021-10-29 7:44 ` Stefano Brivio [this message]
2021-10-29 8:54 ` Li Feng
2021-10-29 9:34 ` Stefano Brivio
2021-10-29 11:02 ` Li Feng
2021-10-29 11:52 ` Stefano Brivio
2021-10-29 12:20 ` Li Feng
2022-02-03 20:47 ` Stefano Brivio
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211029094424.7da1a817@elisabeth \
--to=sbrivio@redhat.com \
--cc=passt-user@passt.top \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for IMAP folder(s).