From nobody@FreeBSD.org  Thu Dec 28 13:22:13 2006
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 3041A16A500
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 28 Dec 2006 13:22:13 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [69.147.83.33])
	by mx1.freebsd.org (Postfix) with ESMTP id 0859713C48C
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 28 Dec 2006 13:22:13 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.13.1/8.13.1) with ESMTP id kBSDMCBa084359
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 28 Dec 2006 13:22:12 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.13.1/8.13.1/Submit) id kBSDMCdY084358;
	Thu, 28 Dec 2006 13:22:12 GMT
	(envelope-from nobody)
Message-Id: <200612281322.kBSDMCdY084358@www.freebsd.org>
Date: Thu, 28 Dec 2006 13:22:12 GMT
From: Philipp Wuensche<cryx-freebsd@h3q.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Possible DoS when using the jail_interface option in rc.conf introduced with 6.2
X-Send-Pr-Version: www-3.0

>Number:         107278
>Category:       conf
>Synopsis:       [patch] possible DoS when using the jail_interface option in rc.conf introduced with 6.2
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    simon
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Dec 28 13:30:15 GMT 2006
>Closed-Date:    Sat Mar 17 23:07:23 GMT 2007
>Last-Modified:  Sat Mar 17 23:07:23 GMT 2007
>Originator:     Philipp Wuensche
>Release:        6.2-RC2
>Organization:
>Environment:
FreeBSD deny.h3q.com 6.2-RC2 FreeBSD 6.2-RC2 #18: Sun Dec 24 15:10:47 UTC 2006     root@deny.h3q.com:/usr/obj/usr/src/sys/GENERIC  i386
>Description:
When a jail is configured with the jail_interface option in rc.conf,
rc.d/jail will automatically configure and unconfigure the ipaddr-alias
for the jail when starting and stopping it.

There is a routine which is called if the jail fails to start which
unconfigures the ipaddr-alias from the network interface. The jail_ip
variable in this routine is wrong and therefore empty, leading to
ifconfig getting called without a specified ipaddr. and therefore
unconfiguring the first ipaddr. of the interface.

This could lead to a DoS attack onto the system from within the jail
removing the first ipaddr. on the network interface. Most of the time,
this ipaddr. is used for access to the FreeBSD system or the
ipaddr-alias used to reach the default-router.

(I already mentioned this to the secteam and we agreed to open just a PR because it is already mentioned on the freebsd-stable and -rc mailing lists.)
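The failure mode described in this report, as an added shell example that is not part of the PR or of FreeBSD's rc.d/jail: a stub `ifconfig` records its arguments so the script runs anywhere, `buggy_cleanup` mirrors the original branch in which `jail_ip` is never set, and `safe_cleanup` (a hypothetical hardened variant) refuses to run unless both the interface and the address are present. The stub's assumption that real ifconfig(8) strips the interface's first address when `-alias` is given no argument is taken from the description above.

```shell
#!/bin/sh
# Constructed demonstration; not the FreeBSD rc.d/jail script.

IFCONFIG_LOG=""

# Stub ifconfig: only records how it was called. Assumption (from the
# report): the real ifconfig(8), given "-alias" with no address, removes
# the first address configured on the interface.
ifconfig() {
    IFCONFIG_LOG="${IFCONFIG_LOG}ifconfig $*
"
}

# Buggy cleanup, shaped like the original failure branch: jail_ip is
# never assigned here, so the expansion is empty and the interface loses
# its first address instead of the jail's alias.
buggy_cleanup() {
    jail_interface="$1"
    if [ -n "${jail_interface}" ]; then
        ifconfig ${jail_interface} -alias ${jail_ip}
    fi
}

# Hardened cleanup: use the per-jail values, require both of them, and
# quote the expansions so an empty value can never become a bare "-alias".
safe_cleanup() {
    _interface="$1"
    _ip="$2"
    if [ -z "${_interface}" ] || [ -z "${_ip}" ]; then
        echo "refusing alias removal: interface='${_interface}' ip='${_ip}'" >&2
        return 1
    fi
    ifconfig "${_interface}" -alias "${_ip}"
}

# Returns the most recent ifconfig invocation recorded by the stub.
last_ifconfig_call() {
    printf '%s' "${IFCONFIG_LOG}" | tail -n 1
}
```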
>How-To-Repeat:
Configure a jail on a FreeBSD 6.2-RC2 system with at least two
ipaddr-aliases on the network interface, configure this network
interface in the jail_interface option and try to start the jail with a
syntax error within the jail's rc.conf.
>Fix:
--- /usr/src/etc/rc.d/jail      Tue Jun  6 15:04:39 2006
+++ /etc/rc.d/jail      Sun Dec 24 13:18:34 2006
@@ -229,7 +229,7 @@
                        else
                                jail_umount_fs
                                if [ -n "${jail_interface}" ]; then
-                                       ifconfig ${jail_interface} -alias ${jail_ip}
+                                       ifconfig ${_interface} -alias ${_ip}
                                fi
                                echo " cannot start jail \"${_jail}\": "
                                tail +2 ${_tmp_jail}
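Review bot: the guard two lines above the change still tests `${jail_interface}` while the ifconfig call now uses `${_interface}`; if `_interface` can be set per jail while the global `jail_interface` is empty, the alias is silently left on the interface when the jail fails, so the guard should test `${_interface}` as well. It would also be worth refusing the call when `${_ip}` is empty, e.g. `if [ -n "${_interface}" ] && [ -n "${_ip}" ]; then`, since an empty address is exactly what turned this line into a removal of the interface's first address; quoting both expansions in the ifconfig call avoids the same class of problem from word splitting.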
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-rc 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Thu Dec 28 13:39:33 UTC 2006 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=107278 

From: "Simon L. Nielsen" <simon@FreeBSD.org>
To: Philipp Wuensche <cryx-freebsd@h3q.com>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: conf/107278: [patch] possible DoS when using the jail_interface option in rc.conf introduced with 6.2
Date: Tue, 13 Feb 2007 19:04:33 +0100

 On 2007.02.13 05:21:50 +0100, Philipp Wuensche wrote:
 > Mark Linimon wrote:
 > > Old Synopsis: Possible DoS when using the jail_interface option in rc.conf introduced with 6.2
 > > New Synopsis: [patch] possible DoS when using the jail_interface option in rc.conf introduced with 6.2
 > > 
 > > Responsible-Changed-From-To: freebsd-bugs->freebsd-rc
 > > Responsible-Changed-By: linimon
 > > Responsible-Changed-When: Thu Dec 28 13:39:33 UTC 2006
 > > Responsible-Changed-Why: 
 > > Over to maintainer(s).
 > > 
 > > http://www.freebsd.org/cgi/query-pr.cgi?pr=107278
 > 
 > Discussion got up again on freebsd-stable@ so I wanted to ask why the
 > patch still isn't present in RELENG_6_2?
 
 It didn't make it in before the release, so it requires an Errata
 Notice to get in now.  There are also a few other issues which need
 Errata Notices so perhaps this can be included then.
 
 -- 
 Simon L. Nielsen
State-Changed-From-To: open->patched 
State-Changed-By: simon 
State-Changed-When: Wed Feb 14 18:37:47 UTC 2007 
State-Changed-Why:  
Fixed in HEAD and RELENG_6.  Need merge to RELENG_6_2. 


Responsible-Changed-From-To: freebsd-rc->simon 
Responsible-Changed-By: simon 
Responsible-Changed-When: Wed Feb 14 18:37:47 UTC 2007 
Responsible-Changed-Why:  
I will handle getting this fixed in RELENG_6_2. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=107278 
State-Changed-From-To: patched->closed 
State-Changed-By: simon 
State-Changed-When: Sat Mar 17 23:06:02 UTC 2007 
State-Changed-Why:  
This was fixed some time ago in RELENG_6_2 as FreeBSD-EN-07:03.rc.d_jail. 

Thanks for the original report and for poking us getting this fixed in 
RELENG_6_2 - sorry about it taking so long. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=107278 
>Unformatted:
