FS#67165 - [vsftpd] seccomp policy kills child on OpenSSL call

Attached to Project: Community Packages
Opened by Kamil Lorenc (r4pt0r) - Wednesday, 01 July 2020, 13:29 GMT
Last edited by Buggy McBugFace (bugbot) - Saturday, 25 November 2023, 20:01 GMT
Task Type Bug Report
Category Packages
Status Closed
Assigned To Levente Polyak (anthraxx)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:
When opening a new encrypted connection, the forked vsftpd is killed and the following message is sent through the socket:
500 OOPS: child died

vsftpd defines a list of allowed syscalls. Calling a syscall outside the list causes a SIGSYS signal, which kills the process that receives it. It seems that lately OpenSSL started to use the getrandom syscall during initialization of its random number generator. The solution is to patch vsftpd to add this syscall to the whitelist. This can be done with the following patch:
```diff
--- a/seccompsandbox.c 2020-07-01 12:42:02.286972777 +0200
+++ b/seccompsandbox.c 2020-07-01 12:42:34.671677119 +0200
@@ -335,6 +335,7 @@
allow_nr(__NR_nanosleep); /* Used for bandwidth / login throttling. */
allow_nr(__NR_getpid); /* Used by logging. */
allow_nr(__NR_shutdown); /* Used for QUIT or a timeout. */
+ allow_nr(__NR_getrandom); /* Used by OpenSSL in SSL_accept. */
allow_nr_1_arg_match(__NR_fcntl, 2, F_GETFL);
/* It's safe to allow O_RDWR in fcntl because these flags cannot be changed.
* Also, sockets are O_RDWR.
```
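Review bot: the new allow_nr(__NR_getrandom) entry admits the call with any flags value, whereas the neighbouring fcntl entry pins its argument with allow_nr_1_arg_match(__NR_fcntl, 2, F_GETFL); consider whether the same helper can constrain getrandom's flags argument, or say in the comment why an unrestricted allow is acceptable here. The comment names SSL_accept as the caller while the report attributes the call to OpenSSL's RNG initialization; recording the OpenSSL version that introduced the call would make the entry easier to revisit later.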

Additional info:
* vsftpd version 3.0.3-6
* vsftpd.conf:
ssl_enable=YES
force_local_data_ssl=YES
force_local_logins_ssl=YES
local_enable=YES

* OpenSSL version 1.1.1.g-1

Steps to reproduce:
Generate a certificate as described on the Arch Wiki, start vsftpd from a root command line and attempt to connect with e.g. FileZilla.
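The SIGSYS mechanism described in the report, as an added example that is not from the bug report or from vsftpd: a minimal seccomp-bpf allowlist in the style of seccompsandbox.c, where a forked child makes one raw getrandom(2) call, first without and then with the syscall allowlisted, and the parent reports how the child ended. The allowlist contents, the 16-byte buffer and the helper names are constructed for the example; it requires Linux.

```c
// Added example, not vsftpd code: a minimal seccomp-bpf allowlist in the style of vsftpd's
// seccompsandbox.c. An unlisted getrandom(2) kills the child with SIGSYS; listing it fixes that.
#define _GNU_SOURCE
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allow the listed syscall numbers, kill the task on anything else. A production
   filter also checks seccomp_data.arch first; that test is omitted for brevity. */
static int install_allowlist(const int *nrs, size_t count) {
    struct sock_filter prog[2 * count + 2];
    size_t i = 0;
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t k = 0; k < count; k++) {  /* nr == nrs[k]: fall into ALLOW; else skip to next test */
        prog[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, nrs[k], 0, 1);
        prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    }
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);  /* default: SIGSYS */
    struct sock_fprog fprog = { .len = (unsigned short)i, .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}
/* Fork a child that sandboxes itself, then issues a raw getrandom(2) like OpenSSL does in a
   vsftpd session child. Returns the killing signal (SIGSYS if unlisted), 0 on success, <0 on error. */
static int child_termination_signal(int allow_getrandom) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        int nrs[] = { SYS_exit_group, SYS_getrandom };  /* _exit() needs exit_group */
        if (install_allowlist(nrs, allow_getrandom ? 2 : 1) != 0) _exit(2);
        unsigned char buf[16];  /* constructed: 16 bytes of entropy, as an RNG seed would need */
        long n = syscall(SYS_getrandom, buf, sizeof buf, 0);  /* SIGSYS here if unlisted */
        _exit(n == (long)sizeof buf ? 0 : 1);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (WIFSIGNALED(status)) return WTERMSIG(status);
    return WEXITSTATUS(status) == 0 ? 0 : -WEXITSTATUS(status);
}
int main(void) {
    printf("getrandom unlisted: child ended by signal %d (SIGSYS is %d)\n", child_termination_signal(0), SIGSYS);
    printf("getrandom allowlisted: result %d (0 means the child exited normally)\n", child_termination_signal(1));
    return 0;
}
```

The same WTERMSIG check on the parent's side is what turns a bare "500 OOPS: child died" into an actionable signal number when triaging a sandboxed service.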

Closed by  Buggy McBugFace (bugbot)
Saturday, 25 November 2023, 20:01 GMT
Reason for closing:  Moved
Additional comments about closing:  https://gitlab.archlinux.org/archlinux/packaging/packages/vsftpd/issues/4
Comment by Levente Polyak (anthraxx) - Wednesday, 01 July 2020, 23:03 GMT
Can you please report / submit your patch upstream and post a link here?
Comment by Kamil Lorenc (r4pt0r) - Saturday, 04 July 2020, 05:25 GMT
Unfortunately, it seems the project does not have any way of sending bug reports or patches. There is a dedicated IRC channel and I dropped them a link to this page, but for a few days nobody answered. In theory, I could still try sending an email to the author, but he states on the project page that he is unable to read all such emails, so it is likely he won't answer in any way. By the way, if we look at the last release date, it looks like the project is not actively maintained anymore (the last release was in 2015).
Comment by Buggy McBugFace (bugbot) - Tuesday, 08 August 2023, 19:11 GMT
This is an automated comment, as this bug has been open for more than 2 years. Please reply if you still experience this bug; otherwise this issue will be closed after 1 month.