From: Peter Jeremy
To: Kostik Belousov
Cc: freebsd-current@freebsd.org, freebsd-amd64@freebsd.org
Date: Thu, 10 Sep 2009 06:20:28 +1000
Subject: Re: sshd failing in jail
Message-ID: <20090909202028.GA61633@server.vk2pj.dyndns.org>
In-Reply-To: <20090830144452.GK1881@deviant.kiev.zoral.com.ua>

My apologies for the delay. Without warning, my ISP decided to disable
the domain I was using for email and I have been busy repairing the
damage.

On 2009-Aug-30 17:44:52 +0300, Kostik Belousov wrote:
>On Sun, Aug 30, 2009 at 09:34:54AM +1000, Peter Jeremy wrote:
>> Turns out this is a bug in the 32-bit select(2) wrapper on 64-bit
>> kernels. The userland fd_set arguments are not wrapped but passed
>> directly to kern_select(). Unfortunately, fd_set is (effectively) an
>> array of longs which means kern_select() assumes fd_set is a multiple
>> of 8 bytes whilst userland assumes it is a multiple of 4 bytes. As a
>> result, the kernel can over-write an extra 4 bytes of user memory. In
>> the case of sshd, this causes part of the RSA host key to be trashed
>> when privilege separation mode is enabled.
>>
>> This bug also affects linux emulation on amd64 and potentially affects
>> any other 64-bit kernels with 32-bit emulation modes. I have raised
>> amd64/138318 to cover it.
>
>I do not think that we can go the proposed route, since changing the
>type of __fd_mask changes the type of fd_set. The latter would not
>affect the kernel ABI, but definitely changes the ABI of any code that
>passes fd_sets.

I agree it was something of a hack.

>Also, looking closely at the issue you found, I think that copyin
>is as problematic as copyout, since we can end up reading
>one more word than userspace supplied. This is not a problem only
>because most user code keeps fd_sets on stack.

Agreed. I was aware that copyin() could read an extra 4 bytes but did
not work through the full implications of this - it is possible that
select(2) could unexpectedly return EFAULT.

>Could you test that the patch below fixes real sshd issue. At least,
>it passes your select test from the PR.

It works OK for me. Please feel free to commit it.

--
Peter Jeremy
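The fd_set size mismatch discussed in this thread, as an added C illustration that is not part of the thread or of the FreeBSD kernel source. The 4-byte and 8-byte mask widths, the adjacent "secret" bytes, and the use of memcpy in place of copyout are assumptions made for the simulation.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed mask widths: a 32-bit process builds fd_set from 4-byte words,
 * a 64-bit kernel treats it as an array of 8-byte longs. */
#define FD_MASK32_BYTES 4
#define FD_MASK64_BYTES 8

/* Bytes an fd_set covering nfds descriptors occupies when rounded up to
 * whole mask words of the given width. */
static size_t fdset_bytes(int nfds, size_t mask_bytes) {
    size_t bits = mask_bytes * 8;
    return ((nfds + bits - 1) / bits) * mask_bytes;
}

/* Extra bytes a kernel rounding to 8-byte longs touches beyond the
 * 4-byte-rounded buffer the 32-bit caller actually supplied. */
size_t compat_overrun(int nfds) {
    return fdset_bytes(nfds, FD_MASK64_BYTES)
         - fdset_bytes(nfds, FD_MASK32_BYTES);
}

/* Simulate the unwrapped copyout: the caller's fd_set is immediately
 * followed by unrelated data (0xAA), standing in for sshd's key material.
 * Returns how many bytes of that adjacent data were clobbered. */
size_t simulate_copyout(int nfds) {
    size_t user_len = fdset_bytes(nfds, FD_MASK32_BYTES);
    size_t kern_len = fdset_bytes(nfds, FD_MASK64_BYTES);
    unsigned char user_mem[64];
    unsigned char kern_result[64] = {0};      /* result set: all bits clear */
    memset(user_mem, 0xAA, sizeof user_mem);  /* 0xAA marks adjacent data */
    memcpy(user_mem, kern_result, kern_len);  /* kernel-sized copy, no wrap */
    size_t clobbered = 0;
    for (size_t i = user_len; i < sizeof user_mem; i++)
        if (user_mem[i] != 0xAA) clobbered++;
    return clobbered;
}

int main(void) {
    int cases[] = {1, 32, 33, 64, 65, 96};
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("nfds=%d overrun=%zu clobbered=%zu\n", cases[i],
               compat_overrun(cases[i]), simulate_copyout(cases[i]));
    return 0;
}
```

The overrun appears only when the 32-bit word count is odd, which is why some nfds values (33, 64) are unaffected while others (32, 65, 96) lose 4 bytes of adjacent memory.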