[patch] use-after-free in kern_jail_set and lock leak in prison_racct_modify
Mateusz Guzik
mjguzik at gmail.com
Sun May 20 02:02:57 UTC 2012
Hello,
I'm using -CURRENT as of r235649.
Bugs I'd like to report:
1. a use-after-free bug in kern_jail_set, triggerable by an attempt to
clear the persist flag from an "empty" persistent jail.
[..]
        if (!created) {
                prison_deref(pr, (flags & JAIL_ATTACH) /* free */
                    ? PD_DEREF
                    : PD_DEREF | PD_LIST_SLOCKED);
[..]
#ifdef RACCT
        if (!created)
                prison_racct_modify(pr); /* dereference */
#endif
        td->td_retval[0] = pr->pr_id; /* dereference */
[..]
2. the function prison_racct_modify leaks the allprison and allproc locks when
the modification does not cause a rename.
[..]
        sx_slock(&allproc_lock);
        sx_xlock(&allprison_lock);
        if (strcmp(pr->pr_name, pr->pr_prison_racct->prr_name) == 0)
                return;
[..]
=============================
How to reproduce:
        jail -c persist=1
        jail -n 1 -m persist=0
or
        jail -c path=/ command=/usr/bin/true
This causes panic:
Fatal trap 12: page fault while in kernel mode
cpuid = 1; apic id = 01
fault virtual address = 0xffffff8000e37010
fault code = supervisor read data, page not present
instruction pointer = 0x20:0xffffffff80562e0b
stack pointer = 0x28:0xffffff807c995830
frame pointer = 0x28:0xffffff807c995ad0
code segment = base 0x0, limit 0xfffff, type 0x1b
= DPL 0, pres 1, long 1, def32 0, gran 1
processor eflags = interrupt enabled, resume, IOPL = 0
current process = 23244 (jail)
[ thread pid 23244 tid 100077 ]
Stopped at kern_jail_set+0x2dfb: movslq 0x10(%r13),%r12
db> bt
Tracing pid 23244 tid 100077 td 0xfffffe0003075490
kern_jail_set() at kern_jail_set+0x2dfb
sys_jail_set() at sys_jail_set+0x62
amd64_syscall() at amd64_syscall+0x29e
Xfast_syscall() at Xfast_syscall+0xf7
--- syscall (507, FreeBSD ELF64, sys_jail_set), rip = 0x800ed9bdc, rsp = 0x7fffffffd718, rbp = 0x7fffffffd790 ---
Proposed trivial patch:
http://student.agh.edu.pl/~mjguzik/patches/jail-use-after-free.patch
--
Mateusz Guzik <mjguzik gmail.com>
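The following is an added userland illustration of the two defects in the report and of the ordering that avoids them; it is not the FreeBSD kernel code, nor the patch linked above. The `struct sx`, `sx_slock`/`sx_xlock`, `struct prison` and `prison_deref` here are small mocks that only count lock holds and references, and the `jail_set_tail` function is a hypothetical stand-in for the tail of kern_jail_set. The `scenario_*` functions use constructed jail names and ids as test input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Mock of the kernel sx lock: it only counts outstanding holders, so a lock
 * that is still held after a function returns is observable. */
struct sx { int shared; int exclusive; };
static struct sx allproc_lock, allprison_lock;

static void sx_slock(struct sx *sx)   { sx->shared++; }
static void sx_sunlock(struct sx *sx) { sx->shared--; }
static void sx_xlock(struct sx *sx)   { sx->exclusive++; }
static void sx_xunlock(struct sx *sx) { sx->exclusive--; }

/* Total lock holds still outstanding on both locks (0 means nothing leaked). */
static int locks_held(void)
{
    return allproc_lock.shared + allproc_lock.exclusive +
           allprison_lock.shared + allprison_lock.exclusive;
}

struct prison_racct { char prr_name[64]; };

/* Minimal stand-in for struct prison: id, reference count, name, racct link. */
struct prison {
    int pr_id;
    int pr_ref;
    char pr_name[64];
    struct prison_racct *pr_prison_racct;
};

static struct prison *prison_alloc(int id, const char *name)
{
    struct prison *pr = calloc(1, sizeof(*pr));
    struct prison_racct *prr = calloc(1, sizeof(*prr));
    if (pr == NULL || prr == NULL)
        abort();
    pr->pr_id = id;
    pr->pr_ref = 1;                       /* caller owns one reference */
    snprintf(pr->pr_name, sizeof(pr->pr_name), "%s", name);
    snprintf(prr->prr_name, sizeof(prr->prr_name), "%s", name);
    pr->pr_prison_racct = prr;
    return pr;
}

/* Drop one reference; the last one frees the prison, after which pr must not
 * be touched.  Returns 1 if the object was freed (mock-only return value). */
static int prison_deref(struct prison *pr)
{
    if (--pr->pr_ref > 0)
        return 0;
    free(pr->pr_prison_racct);
    free(pr);
    return 1;
}

/* Bug 2, corrected: the "name already matches" path releases both locks
 * instead of returning with them held.  Returns 1 if the racct name was
 * updated, 0 if it already matched. */
static int prison_racct_modify(struct prison *pr)
{
    int renamed = 0;

    sx_slock(&allproc_lock);
    sx_xlock(&allprison_lock);
    if (strcmp(pr->pr_name, pr->pr_prison_racct->prr_name) != 0) {
        snprintf(pr->pr_prison_racct->prr_name,
                 sizeof(pr->pr_prison_racct->prr_name), "%s", pr->pr_name);
        renamed = 1;
    }
    sx_xunlock(&allprison_lock);          /* single exit: both locks dropped */
    sx_sunlock(&allproc_lock);
    return renamed;
}

/* Bug 1, corrected (hypothetical tail of kern_jail_set): every use of pr,
 * the racct update and the read of pr_id for the return value, happens before
 * the reference that may free it is dropped. */
static void jail_set_tail(struct prison *pr, int created, int *retval)
{
    if (!created)
        prison_racct_modify(pr);
    *retval = pr->pr_id;
    if (!created)
        prison_deref(pr);                 /* may free pr; nothing reads it after */
}

/* Scenario for bug 1 (constructed data): a modified, not created, jail whose
 * last reference is dropped.  Returns the id reported to userland, or -1 if a
 * lock was left held. */
static int scenario_modify_last_ref(void)
{
    struct prison *pr = prison_alloc(7, "testjail");
    int retval = -1;
    jail_set_tail(pr, 0, &retval);
    return locks_held() == 0 ? retval : -1;
}

/* Scenario for bug 2 (constructed data): first call renames, second call takes
 * the "already matches" path that used to leak.  Returns holds still held
 * after both calls (0 means no leak), or -1 if the rename logic misbehaved. */
static int scenario_racct_nochange(void)
{
    struct prison *pr = prison_alloc(8, "old");
    snprintf(pr->pr_name, sizeof(pr->pr_name), "%s", "new");
    int first = prison_racct_modify(pr);
    int second = prison_racct_modify(pr);
    int held = locks_held();
    prison_deref(pr);
    return (first == 1 && second == 0) ? held : -1;
}
```

Both scenario functions return 0 or the expected id only when the lock counters are back to zero, which is the check a unit test for the real fix would want: the corrected path must leave no hold on allproc_lock or allprison_lock, and pr_id must be read while the prison is still alive.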