Commit 9b649cac authored by Julian Andres Klode's avatar Julian Andres Klode Committed by Bastien Nocera

Fix argument order of clone() for s390x in seccomp filter

From https://github.com/flatpak/flatpak/pull/3777

clone() is a mad syscall with about 4 different argument orders. While
most of them agree that argument 0 is flags, s390 and s390x have the
flags argument second - A0 is the child stack pointer there.

[smcv: Add an explanatory comment; also test __CRIS__, for completeness;
apply change from Flatpak to the copy of this code in gnome-desktop]

Bug-Debian: https://bugs.debian.org/964541
Bug-Ubuntu: https://launchpad.net/bugs/1886814Signed-off-by: Simon McVittie's avatarSimon McVittie <smcv@collabora.com>
parent df477a3d
Pipeline #203458 passed with stage
in 6 minutes and 5 seconds
......@@ -327,7 +327,14 @@ setup_seccomp (GPtrArray *argv_array,
{SCMP_SYS (unshare)},
{SCMP_SYS (mount)},
{SCMP_SYS (pivot_root)},
#if defined(__s390__) || defined(__s390x__) || defined(__CRIS__)
/* Architectures with CONFIG_CLONE_BACKWARDS2: the child stack
* and flags arguments are reversed so the flags come second */
{SCMP_SYS (clone), &SCMP_A1 (SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)},
#else
/* Normally the flags come first */
{SCMP_SYS (clone), &SCMP_A0 (SCMP_CMP_MASKED_EQ, CLONE_NEWUSER, CLONE_NEWUSER)},
#endif
/* Don't allow faking input to the controlling tty (CVE-2017-5226) */
{SCMP_SYS (ioctl), &SCMP_A1(SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int)TIOCSTI)},
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment