Date:      Sun, 20 May 2012 04:02:50 +0200
From:      Mateusz Guzik <mjguzik@gmail.com>
To:        freebsd-jail@freebsd.org
Subject:   [patch] use-after-free in kern_jail_set and lock leak in prison_racct_modify
Message-ID:  <20120520020250.GB17691@dft-labs.eu>

Hello,

I'm using -CURRENT as of r235649.

Bugs I'd like to report:

1. A use-after-free bug in kern_jail_set, triggerable by attempts to
clear the persist flag on an "empty" persistent jail.

[..]
if (!created) {
	prison_deref(pr, (flags & JAIL_ATTACH) /* free */
            ? PD_DEREF
            : PD_DEREF | PD_LIST_SLOCKED);

[..]
#ifdef RACCT
        if (!created)
                prison_racct_modify(pr); /* dereference */
#endif

        td->td_retval[0] = pr->pr_id; /* dereference */
[..]


2. The prison_racct_modify function leaks the allprison and allproc locks when
the modification does not cause a rename.

[..]
sx_slock(&allproc_lock);
sx_xlock(&allprison_lock);

if (strcmp(pr->pr_name, pr->pr_prison_racct->prr_name) == 0)
	return;
[..]

=============================

How to reproduce:
jail -c persist=1
jail -n 1 -m persist=0 

or

jail -c path=/ command=/usr/bin/true

This causes panic:
Fatal trap 12: page fault while in kernel mode
cpuid = 1; apic id = 01
fault virtual address   = 0xffffff8000e37010
fault code              = supervisor read data, page not present
instruction pointer     = 0x20:0xffffffff80562e0b
stack pointer           = 0x28:0xffffff807c995830
frame pointer           = 0x28:0xffffff807c995ad0
code segment            = base 0x0, limit 0xfffff, type 0x1b
                        = DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags        = interrupt enabled, resume, IOPL = 0
current process         = 23244 (jail)
[ thread pid 23244 tid 100077 ]
Stopped at      kern_jail_set+0x2dfb:   movslq  0x10(%r13),%r12
db> bt
Tracing pid 23244 tid 100077 td 0xfffffe0003075490
kern_jail_set() at kern_jail_set+0x2dfb
sys_jail_set() at sys_jail_set+0x62
amd64_syscall() at amd64_syscall+0x29e
Xfast_syscall() at Xfast_syscall+0xf7
--- syscall (507, FreeBSD ELF64, sys_jail_set), rip = 0x800ed9bdc, rsp = 0x7fffffffd718, rbp = 0x7fffffffd790 ---


Proposed trivial patch:
http://student.agh.edu.pl/~mjguzik/patches/jail-use-after-free.patch

-- 
Mateusz Guzik <mjguzik gmail.com>
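The two patterns reported above (touching the prison after the reference that may have been its last one was dropped, and returning from prison_racct_modify before the unlocks) are small enough to model outside the kernel. The following user-space program is an added example, not the reporter's patch and not FreeBSD code: the struct layout, the poison-on-free behaviour, the counter-based locks and the helper names (run_buggy, run_fixed, locks_held_after, reset_scenario) are all assumptions made for the demonstration. "Freeing" only poisons pr_id instead of releasing memory, so the stale read shows up as a wrong value rather than as undefined behaviour.

```c
#include <stdio.h>
#include <string.h>

/* Toy user-space model of the two patterns in the report, written for this
 * example.  Names echo the report (pr_id, prison_deref, prison_racct_modify,
 * the allproc/allprison locks) but every struct and body is hypothetical. */
#define FREED_ID (-1)            /* poison written into pr_id on "free" */
struct prison_racct { char prr_name[32]; };

struct prison {
    int  pr_ref;                 /* reference count */
    int  pr_id;
    char pr_name[32];
    struct prison_racct *pr_prison_racct;
};

/* Drop one reference.  The last one "frees" the prison; here that only
 * poisons the object instead of returning memory, so a stale read is
 * observable and deterministic rather than undefined behaviour. */
void prison_deref(struct prison *pr)
{
    if (--pr->pr_ref == 0)
        pr->pr_id = FREED_ID;
}

/* Ordering from the report: drop the reference first, touch pr afterwards.
 * Harmless while other references exist (persist=1); once the caller's
 * reference is the last one, pr_id is read from freed memory. */
int jail_set_buggy(struct prison *pr)
{
    prison_deref(pr);
    return pr->pr_id;            /* stale read */
}

/* Safe ordering: copy what is still needed while the reference is held,
 * and never touch pr after the deref. */
int jail_set_fixed(struct prison *pr)
{
    int id = pr->pr_id;
    prison_deref(pr);
    return id;
}

int allproc_held, allprison_held;   /* lock hold counters, checked per exit path */

/* Early return before the unlocks: the "no rename needed" path leaves both
 * locks held, the shape described in the report. */
void prison_racct_modify_leaky(struct prison *pr)
{
    allproc_held++;              /* sx_slock(&allproc_lock)  */
    allprison_held++;            /* sx_xlock(&allprison_lock) */
    if (strcmp(pr->pr_name, pr->pr_prison_racct->prr_name) == 0)
        return;                  /* both locks leaked */
    snprintf(pr->pr_prison_racct->prr_name,
        sizeof(pr->pr_prison_racct->prr_name), "%s", pr->pr_name);
    allprison_held--;            /* sx_xunlock(&allprison_lock) */
    allproc_held--;              /* sx_sunlock(&allproc_lock)  */
}

/* Single exit: the rename is conditional, the unlocks are not. */
void prison_racct_modify_fixed(struct prison *pr)
{
    allproc_held++;
    allprison_held++;
    if (strcmp(pr->pr_name, pr->pr_prison_racct->prr_name) != 0)
        snprintf(pr->pr_prison_racct->prr_name,
            sizeof(pr->pr_prison_racct->prr_name), "%s", pr->pr_name);
    allprison_held--;
    allproc_held--;
}

/* Constructed scenario: jail id 42, racct name already matching (no rename
 * needed), with the given number of outstanding references. */
static struct prison_racct g_racct;
static struct prison g_prison;

static void reset_scenario(int refs)
{
    strcpy(g_racct.prr_name, "demo");
    g_prison = (struct prison){ refs, 42, "demo", &g_racct };
    allproc_held = allprison_held = 0;
}

int run_buggy(int refs) { reset_scenario(refs); return jail_set_buggy(&g_prison); }
int run_fixed(int refs) { reset_scenario(refs); return jail_set_fixed(&g_prison); }

/* Number of locks still held after one call of fn on the scenario jail. */
int locks_held_after(void (*fn)(struct prison *))
{
    reset_scenario(1);
    fn(&g_prison);
    return allproc_held + allprison_held;
}

int main(void)
{
    printf("buggy: last ref -> %d, persist -> %d; fixed: last ref -> %d\n",
        run_buggy(1), run_buggy(2), run_fixed(1));
    printf("locks still held: leaky=%d fixed=%d\n",
        locks_held_after(prison_racct_modify_leaky),
        locks_held_after(prison_racct_modify_fixed));
    return 0;
}
```

With two outstanding references (the persistent case) the buggy ordering returns the right id, which is why the defect stays latent until persist is cleared on an otherwise empty jail and the caller's reference becomes the last one; the fix is simply to read pr_id before the deref and not touch pr afterwards. For the lock leak, the early-return path is the only one that skips the unlocks, so structuring the function with a single exit (or unlocking before the return) closes it.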