From owner-freebsd-current@FreeBSD.ORG Sat Aug 29 23:34:58 2009
Date: Sun, 30 Aug 2009 09:34:54 +1000
From: Peter Jeremy
To: freebsd-current@freebsd.org, freebsd-amd64@freebsd.org
Reply-To: freebsd-amd64@freebsd.org
Subject: Re: sshd failing in jail
Message-ID: <20090829233454.GA13036@server.vk2pj.dyndns.org>
References: <20090824193344.GA34949@server.vk2pj.dyndns.org>
In-Reply-To: <20090824193344.GA34949@server.vk2pj.dyndns.org>
X-PGP-Key: http://members.optusnet.com.au/peterjeremy/pubkey.asc
User-Agent: Mutt/1.5.20 (2009-06-14)
List-Id: Discussions about the use of FreeBSD-current
[Redirected to amd64 because this is an amd64 kernel bug]

On 2009-Aug-25 05:33:44 +1000, Peter Jeremy wrote:
>I am attempting to build an i386 jail on an amd64 box to build
>packages for my netbook. The host is running -current from just over
>two weeks ago and the jail is -current from early June. The jail was
>built by doing a dump|restore of my netbook and then tweaking various
>config files to give it a new identity. The jail's devfs is using
>"devfsrules_jail" from /etc/default/devfs.rules.
>
>The jail starts OK but when I attempt to ssh into it, I just get
>"Connection closed by ".

Turns out this is a bug in the 32-bit select(2) wrapper on 64-bit
kernels. The userland fd_set arguments are not wrapped but passed
directly to kern_select(). Unfortunately, fd_set is (effectively) an
array of longs, which means kern_select() assumes fd_set is a multiple
of 8 bytes whilst userland assumes it is a multiple of 4 bytes. As a
result, the kernel can overwrite an extra 4 bytes of user memory. In
the case of sshd, this causes part of the RSA host key to be trashed
when privilege separation mode is enabled.

This bug also affects linux emulation on amd64 and potentially affects
any other 64-bit kernels with 32-bit emulation modes. I have raised
amd64/138318 to cover it.

-- 
Peter Jeremy
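An added illustration of the size mismatch described in the message above (not code from the original post or from the FreeBSD source tree): it mirrors the howmany(nfds, NFDBITS) * sizeof(fd_mask) sizing with fd_mask taken as 32 bits for the i386 caller and 64 bits for the amd64 kernel, and uses a constructed canary in place of the host-key material to show which nfds values leave 4 extra bytes of the caller's memory overwritten, and how sizing the copy from the 32-bit layout avoids it. All function names are hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical helper: bytes a select() implementation touches for an
 * fd_set covering `nfds` descriptors when fd_mask is `wordbits` wide.
 * Same arithmetic as howmany(nfds, NFDBITS) * sizeof(fd_mask). */
static size_t fdset_bytes(unsigned nfds, unsigned wordbits)
{
    unsigned words = (nfds + wordbits - 1) / wordbits;  /* howmany() */
    return (size_t)words * (wordbits / 8);
}

/* Bytes a 64-bit kern_select() writes past the end of a 32-bit caller's
 * fd_set when the user pointer is handed through without conversion.
 * Non-zero exactly when the 32-bit word count is odd. */
static size_t fdset_overrun(unsigned nfds)
{
    size_t user = fdset_bytes(nfds, 32);   /* i386 userland: 4-byte fd_mask */
    size_t kern = fdset_bytes(nfds, 64);   /* amd64 kernel: 8-byte fd_mask */
    return kern > user ? kern - user : 0;
}

/* Constructed model of a 32-bit process's memory: an fd_set sized by the
 * caller, immediately followed by a canary (standing in for the RSA host
 * key that sshd keeps nearby).  Returns 1 if the copy-out clobbered it. */
static int canary_hit(unsigned nfds, size_t copyout_bytes)
{
    unsigned char mem[64] = {0};
    size_t user = fdset_bytes(nfds, 32);
    if (user + 8 > sizeof mem || copyout_bytes > sizeof mem)
        return -1;                          /* model too small; caller error */
    memset(mem + user, 0xAA, 8);            /* canary right after the fd_set */
    memset(mem, 0x00, copyout_bytes);       /* kernel writes the result set */
    return mem[user] != 0xAA;
}

/* Faulty path: the kernel copies out its own 64-bit-word sized result. */
static int simulate_unwrapped_copyout(unsigned nfds)
{
    return canary_hit(nfds, fdset_bytes(nfds, 64));
}

/* Corrected shape: a compat wrapper copies out only the bytes the 32-bit
 * caller actually owns, i.e. the size computed from the 32-bit layout. */
static int simulate_wrapped_copyout(unsigned nfds)
{
    return canary_hit(nfds, fdset_bytes(nfds, 32));
}
```

Any nfds whose 32-bit word count is odd (1..32, 65..96, ...) shows the 4-byte overrun on the unwrapped path; the wrapped path never touches the canary.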