Page MenuHomeFreeBSD
Differential D40268

inpcb: Properly handle rewrites of classic jail socket source addresses
ClosedPublic
Actions

Authored by markj on May 25 2023, 5:31 PM.
Tags
None
Referenced Files
F82001119: D40268.diff
Wed, Apr 24, 9:14 AM
Unknown Object (File)
Thu, Apr 11, 7:50 PM
Unknown Object (File)
Thu, Apr 11, 7:49 PM
Unknown Object (File)
Wed, Apr 10, 2:30 AM
Unknown Object (File)
Mar 14 2024, 3:29 PM
Unknown Object (File)
Mar 14 2024, 7:32 AM
Unknown Object (File)
Mar 14 2024, 7:32 AM
Unknown Object (File)
Mar 14 2024, 6:26 AM
View All 44 Files
Subscribers
ae
bz
dbaio
imp
melifaro

Details

Reviewers
peter
glebius
bz
Group Reviewers
network
Commits
rGa306ed50ecd5: inpcb: Restore missing validation of local addresses for jailed sockets
Summary

After finding a jailed match, we need to verify that the local IP
address belongs to the match's jail, if any. Otherwise it becomes
possible for jailed process to accept connections on IPs not belonging
to the jail. This can specifically happen for multi-IP classic jails.
In single-IP classic jails, the local address of a listening socket is
always rewritten to be that of the jail.

Test Plan

I did some manual testing, and wrote some regression test cases which
would have uncovered the bugs: https://reviews.freebsd.org/D40269

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped
Build Status
Buildable 51758
Build 48649: arc lint + arc unit

Event Timeline

markj created this revision.May 25 2023, 5:31 PM
Herald added subscribers: melifaro, ae, imp. · View Herald TranscriptMay 25 2023, 5:31 PM
markj requested review of this revision.May 25 2023, 5:31 PM
Harbormaster completed remote builds in B51682: Diff 122426.May 25 2023, 5:31 PM
markj edited the test plan for this revision. (Show Details)May 25 2023, 5:35 PM
markj added a reviewer: network.May 27 2023, 3:23 PM
bz added a subscriber: bz.May 27 2023, 9:22 PM

Jailed sockets with a wildcard local address should have lower priority than non-jailed sockets with a wildcard local address.

Should they? I honestly cannot remember if they should given I haven't really done that in a decade or so given almost all my jailed services get dedicated IPv6 addresses. But I seem to remember that if you tried to ssh to a jail with "overlapping" addresses to the host, you didn't want to accidentally end up on the host (that was the general example used back then).

dbaio added a subscriber: dbaio.May 28 2023, 2:08 PM
markj added a comment.May 29 2023, 3:47 PM
In D40268#917677, @bz wrote:

Jailed sockets with a wildcard local address should have lower priority than non-jailed sockets with a wildcard local address.

Should they? I honestly cannot remember if they should given I haven't really done that in a decade or so given almost all my jailed services get dedicated IPv6 addresses. But I seem to remember that if you tried to ssh to a jail with "overlapping" addresses to the host, you didn't want to accidentally end up on the host (that was the general example used back then).

Thanks, I believe you're right. The problem is limited to the missing checks in in/in6_pcblookup_hash_wild_smr().

markj updated this revision to Diff 122567.May 29 2023, 4:13 PM

Simply restore missing prison_check_ip* calls.

Harbormaster completed remote builds in B51758: Diff 122567.May 29 2023, 4:13 PM
markj edited the summary of this revision. (Show Details)May 29 2023, 4:13 PM
bz accepted this revision.May 30 2023, 12:21 AM
This revision is now accepted and ready to land.May 30 2023, 12:21 AM
Closed by commit rGa306ed50ecd5: inpcb: Restore missing validation of local addresses for jailed sockets (authored by markj). · Explain WhyMay 30 2023, 7:30 PM
This revision was automatically updated to reflect the committed changes.
markj added a commit: rGa306ed50ecd5: inpcb: Restore missing validation of local addresses for jailed sockets.

Revision Contents
Changeset List

PathSize
sys/
netinet/
6 lines
netinet6/
6 lines

Diff 122567

View Options

sys/netinet/in_pcb.c

Loading...
View Options

sys/netinet6/in6_pcb.c

Loading...