Date: Sun, 20 May 2012 04:02:50 +0200
From: Mateusz Guzik
To: freebsd-jail@freebsd.org
Message-ID: <20120520020250.GB17691@dft-labs.eu>
Subject: [patch] use-after-free in kern_jail_set and lock leak in prison_racct_modify

Hello,

I'm using -CURRENT as of r235649.

Bugs I'd like to report:

1. A use-after-free bug in kern_jail_set, triggerable by attempting to clear
   the persist flag on an "empty" persistent jail.

   [..]
   if (!created) {
           prison_deref(pr, (flags & JAIL_ATTACH)          /* free */
               ? PD_DEREF : PD_DEREF | PD_LIST_SLOCKED);
   [..]
   #ifdef RACCT
           if (!created)
                   prison_racct_modify(pr);                /* dereference */
   #endif
           td->td_retval[0] = pr->pr_id;                   /* dereference */
   [..]

2. The function prison_racct_modify leaks the allprison and allproc locks
   when the modifications don't cause a rename.

   [..]
   sx_slock(&allproc_lock);
   sx_xlock(&allprison_lock);
   if (strcmp(pr->pr_name, pr->pr_prison_racct->prr_name) == 0)
           return;
   [..]

=============================

How to reproduce:

   jail -c persist=1
   jail -n 1 -m persist=0

or

   jail -c path=/ command=/usr/bin/true

This causes a panic:

Fatal trap 12: page fault while in kernel mode
cpuid = 1; apic id = 01
fault virtual address   = 0xffffff8000e37010
fault code              = supervisor read data, page not present
instruction pointer     = 0x20:0xffffffff80562e0b
stack pointer           = 0x28:0xffffff807c995830
frame pointer           = 0x28:0xffffff807c995ad0
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 23244 (jail)
[ thread pid 23244 tid 100077 ]
Stopped at      kern_jail_set+0x2dfb:   movslq  0x10(%r13),%r12
db> bt
Tracing pid 23244 tid 100077 td 0xfffffe0003075490
kern_jail_set() at kern_jail_set+0x2dfb
sys_jail_set() at sys_jail_set+0x62
amd64_syscall() at amd64_syscall+0x29e
Xfast_syscall() at Xfast_syscall+0xf7
--- syscall (507, FreeBSD ELF64, sys_jail_set), rip = 0x800ed9bdc, rsp = 0x7fffffffd718, rbp = 0x7fffffffd790 ---

Proposed trivial patch:
http://student.agh.edu.pl/~mjguzik/patches/jail-use-after-free.patch

-- 
Mateusz Guzik
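As an added illustration that is not the author's patch and not FreeBSD kernel code, the following constructed user-space mock shows the two corrections the report implies: read pr_id and run the racct update while the reference is still held, and release both locks on the early-return path of prison_racct_modify. The lock hold counters, prison_new and jail_set_clear_persist are assumptions of the mock.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed user-space mock of the two code paths in the report; not
 * FreeBSD kernel code and not the author's patch. */
struct prison {
    int  pr_ref;                 /* reference count; object freed at 0 */
    int  pr_id;
    char pr_name[32];
};
static int allproc_lock, allprison_lock;   /* mock lock hold counts */
static int freed_prisons;                  /* objects freed so far */
static void prison_deref(struct prison *pr)
{
    if (--pr->pr_ref == 0) {
        freed_prisons++;
        free(pr);                /* pr is dangling after this */
    }
}
/* Lock leak: every exit path releases both locks taken at entry. */
static void prison_racct_modify(const struct prison *pr, const char *racct_name)
{
    allproc_lock++;
    allprison_lock++;
    if (strcmp(pr->pr_name, racct_name) == 0)
        goto out;                /* the report's bare 'return' leaked here */
    /* rename bookkeeping would go here */
out:
    allprison_lock--;
    allproc_lock--;
}
/* Use-after-free: read pr_id and call the racct code while the reference
 * is still held, then drop it; nothing touches pr after prison_deref(). */
static int jail_set_clear_persist(struct prison *pr, const char *racct_name)
{
    int id = pr->pr_id;          /* read after prison_deref() in the report */
    prison_racct_modify(pr, racct_name);
    prison_deref(pr);            /* may free pr */
    return id;
}
static struct prison *prison_new(int id, const char *name)
{
    struct prison *pr = calloc(1, sizeof(*pr));
    if (pr == NULL) abort();
    pr->pr_ref = 1;              /* the persist flag holds the only reference */
    pr->pr_id = id;
    strncpy(pr->pr_name, name, sizeof(pr->pr_name) - 1);
    return pr;
}
```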