fibs: restrict jail_attach(2) if process fibnum >= numfibs in the jail.
ClosedPublic
Actions

Authored by melifaro on Feb 11 2023, 3:44 PM.

Details

Reviewers

olivier
kp

Group Reviewers

network

Commits

rGed363bbc624e: fibs: restrict jail_attach(2) if process fibnum >= numfibs in the jail.
rG69e7d9b7e6b3: fibs: restrict jail_attach(2) if process fibnum >= numfibs in the jail.

Summary

Currently, process fibnum is not changed in jail_attach(2) and is inherited by the other processes afterwards.
If jail has its own VNET and number of fibs in this VNET is less than in the host system, it can lead to a panic.

This diff checks if the process fibnum is still valid in the new VNET and returns error if that's not true.

Test Plan

Before:

jail -c name=bug persist vnet
sysctl net.fibs=3
setfib 2 jexec bug ping -c 1 1.1.1

PING 1.1.1 (1.1.0.1): 56 data bytes
client_loop: send disconnect: Broken pipe

...
Fatal trap 12: page fault while in kernel mode

After:

jail -c name=bug persist vnet
sysctl net.fibs=3
setfib 2 jexec bug ping -c 1 1.1.1
jexec: jail_attach(1): Operation not permitted

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

melifaro created this revision.Feb 11 2023, 3:44 PM

Herald added subscribers: glebius, ae, imp. · View Herald TranscriptFeb 11 2023, 3:44 PM

melifaro requested review of this revision.Feb 11 2023, 3:44 PM

Harbormaster completed remote builds in B49686: Diff 116984.Feb 11 2023, 3:44 PM

melifaro edited the summary of this revision. (Show Details)Feb 11 2023, 3:56 PM

melifaro edited the test plan for this revision. (Show Details)

melifaro added reviewers: network, olivier.

How is that possible that in your example you got EPERM, but the patch provides EINVAL?

fix errcode.

Harbormaster completed remote builds in B49690: Diff 116989.Feb 11 2023, 4:41 PM

In D38505#876205, @glebius wrote:

How is that possible that in your example you got EPERM, but the patch provides EINVAL?

I forgot to change variable type from bool to int.

kp accepted this revision as: kp.Feb 12 2023, 10:17 AM

kp added a subscriber: kp.

kp added inline comments.

sys/net/route/route_tables.c
176	I worried about races here, but if I'm reading sysctl_fibs() right we can only ever grow V_rt_numfibs, so that should be fine. I might spell this if (td->td_proc->p_fibnum < V_rt_numfibs) error = EINVAL; but that's more a question of preference than a real issue to discuss.

This revision is now accepted and ready to land.Feb 12 2023, 10:17 AM

Fixed the crash here:

setfib 2 jexec bug ping -c 1 1.1.1.1
jexec: jail_attach(1): Invalid argument

melifaro added inline comments.Feb 12 2023, 11:37 AM

sys/net/route/route_tables.c
176	Thank you for the review! I worried about races here, but if I'm reading sysctl_fibs() right we can only ever grow V_rt_numfibs, so that should be fine. Yes, it's indeed grow-only. There are quite a lot of things that need to be handled correctly to permit decreasing `V_rt_numfibs`. I might spell this if (td->td_proc->p_fibnum < V_rt_numfibs) error = EINVAL; Yep, that indeed looks more readable.