Message-Id: <200808130707.m7D77SJr012640@www.freebsd.org>
Date: Wed, 13 Aug 2008 07:07:28 GMT
From: Vedad KAJTAZ <vedad@kajtaz.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Established connections from other IP's appear in jail's netstat output
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         126493
>Category:       kern
>Synopsis:       [jail] Established connections from other IP's appear in jail's netstat output
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    secteam
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Aug 13 07:10:09 UTC 2008
>Closed-Date:    Sat Aug 30 16:54:50 UTC 2008
>Last-Modified:  Sat Aug 30 17:00:00 UTC 2008
>Originator:     Vedad KAJTAZ
>Release:        7.0-RELEASE-p2
>Organization:
>Environment:
FreeBSD ike.osilex.net 7.0-RELEASE-p2 FreeBSD 7.0-RELEASE-p2 #0: Wed Jun 18 07:33:20 UTC 2008     root@i386-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  i386

>Description:
A jail running with IP1 can sometimes see established connections between IP2 (used by another jail) and a remote host, in its netstat output.

In my case:

wendy.osilex.net is a jail that was assigned IP 87.98.200.163
ike.osilex.net is a jail that was assigned IP 87.98.200.164

[root@ike /]$ netstat -n
netstat: kvm not available: /dev/mem: No such file or directory
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  87.98.200.163.25       85.237.44.155.4245     SYN_RCVD


>How-To-Repeat:
Don't know
>Fix:
Don't know

>Release-Note:
>Audit-Trail:

From: "Bjoern A. Zeeb" <bz@FreeBSD.org>
To: Vedad KAJTAZ <vedad@kajtaz.net>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: kern/126493: Established connections from other IP's appear in
 jail's netstat output
Date: Wed, 13 Aug 2008 13:08:43 +0000 (UTC)

 On Wed, 13 Aug 2008, Vedad KAJTAZ wrote:
 
 >> Description:
 > A jail running with IP1 can sometimes see established connections between IP2 (used by another jail) and a remote host, in its netstat output.
 >
 > In my case:
 >
 > wendy.osilex.net is a jail that was assigned IP 87.98.200.163
 > ike.osilex.net is a jail that was assigned IP 87.98.200.164
 >
 > [root@ike /]$ netstat -n
 > netstat: kvm not available: /dev/mem: No such file or directory
 > Active Internet connections
 > Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
 > tcp4       0      0  87.98.200.163.25       85.237.44.155.4245     SYN_RCVD
 
 Are you sure you are not inside wendy running your test?
 
 -- 
 Bjoern A. Zeeb              Stop bit received. Insert coin for new game.

From: Vedad KAJTAZ <vedad@kajtaz.net>
To: "Bjoern A. Zeeb" <bz@FreeBSD.org>
Cc: freebsd-gnats-submit@FreeBSD.org
Subject: Re: kern/126493: Established connections from other IP's appear in
 jail's netstat output
Date: Wed, 13 Aug 2008 15:46:18 +0200

 Bjoern A. Zeeb wrote:
 > On Wed, 13 Aug 2008, Vedad KAJTAZ wrote:
 > 
 >>> Description:
 >> A jail running with IP1 can sometimes see established connections 
 >> between IP2 (used by another jail) and a remote host, in its netstat 
 >> output.
 >>
 >> In my case:
 >>
 >> wendy.osilex.net is a jail that was assigned IP 87.98.200.163
 >> ike.osilex.net is a jail that was assigned IP 87.98.200.164
 >>
 >> [root@ike /]$ netstat -n
 >> netstat: kvm not available: /dev/mem: No such file or directory
 >> Active Internet connections
 >> Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
 >> tcp4       0      0  87.98.200.163.25       85.237.44.155.4245     SYN_RCVD
 > 
 > Are you sure you are not inside wendy running your test?
 > 
 
 Hi,
 
 Yes, I'm totally sure. That is why I also pasted the shell prompt line 
 into the report.
 
 Here is another example:
 
 [root@ike vhosts]$ netstat -n -a
 netstat: kvm not available: /dev/mem: No such file or directory
 Active Internet connections (including servers)
 Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
 tcp4       0      0  87.98.200.163.110      213.41.184.164.21138   SYN_RCVD
 tcp4       0      0  87.98.200.164.443      *.*                    LISTEN
 tcp4       0      0  87.98.200.164.80       *.*                    LISTEN
 tcp4       0      0  87.98.200.164.21       *.*                    LISTEN
 
 
 Above you can see both IPs in a single netstat output.
 
 And yes, ike (.164) is a jail:
 
 [root@ike vhosts]$ sysctl -a | grep jailed
 security.jail.jailed: 1
 
 
 Btw, after doing a lot of netstats on "ike", it appears that connections 
 from other IPs become visible only when they're *not* in 
 ESTABLISHED/LISTEN state (wendy, .163, is a smtp/imap server, it has 
 average 2+ connections per second).
 
 Also note that there was some kind of leak that made killing "wendy" 
 jail impossible some time ago, therefore wendy now appears twice in 
 "jls" output on the host (kenny) system. It might be somehow related:
 
 [root@kenny ~]$ jls
     JID  IP Address      Hostname                      Path
      31  87.98.200.164   ike.osilex.net                /usr/local/jails/ike
      25  87.98.200.163   wendy.osilex.net              /usr/local/jails/wendy
      22  87.98.200.163   wendy.osilex.net              /usr/local/jails/wendy
 
 (3 other jails snipped)
 
 Hope this helps,
 
 Best regards,
 
 -- 
 Vedad KAJTAZ
 Conseil en systèmes informatiques
 
 vedad@kajtaz.net
 http://vedad.kajtaz.net/
 8 Av. du Président Roosevelt
 94120 Fontenay-sous-bois, FRANCE
 GSM: +33 6 74 89 32 12
Responsible-Changed-From-To: freebsd-bugs->secteam 
Responsible-Changed-By: bz 
Responsible-Changed-When: Wed Aug 13 17:09:37 UTC 2008 
Responsible-Changed-Why:  
unexpected information leak in jails/an advertised security feature. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=126493 
State-Changed-From-To: open->analyzed 
State-Changed-By: bz 
State-Changed-When: Mon Aug 18 11:50:35 UTC 2008 
State-Changed-Why:  
Discussed with rwatson and identified the problem. 


From: "Bjoern A. Zeeb" <bz@FreeBSD.org>
To: bug-followup@FreeBSD.org, vedad@kajtaz.net
Cc:  
Subject: Re: kern/126493: [jail] Established connections from other IP's
 appear in jail's netstat output
Date: Thu, 21 Aug 2008 06:34:33 +0000 (UTC)

 
 --0-45265598-1219300473=:66593
 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
 
 Hi,
 
 does the attached patch fix this for you?
 
 
 /bz
 
 -- 
 Bjoern A. Zeeb              Stop bit received. Insert coin for new game.
 --0-45265598-1219300473=:66593
 Content-Type: TEXT/PLAIN; charset=US-ASCII; name=pr-126493.diff
 Content-Transfer-Encoding: BASE64
 Content-ID: <20080821063433.Q66593@maildrop.int.zabbadoz.net>
 Content-Description: PR kern/126493 patch
 Content-Disposition: attachment; filename=pr-126493.diff
 
 
 --0-45265598-1219300473=:66593--

From: "Bjoern A. Zeeb" <bz@FreeBSD.org>
To: bug-followup@FreeBSD.org, vedad@kajtaz.net
Cc:  
Subject: Re: kern/126493: [jail] Established connections from other IP's
 appear in jail's netstat output
Date: Fri, 22 Aug 2008 19:20:56 +0000 (UTC)

 On Thu, 21 Aug 2008, Bjoern A. Zeeb wrote:
 
 warning; there is a NULL pointer deref with that patch in the current
 version of FreeBSD. I'll commit it to HEAD in a bit and remove the
 so = NULL; further up in _syncache_add before that.
 
 /bz
 
 -- 
 Bjoern A. Zeeb              Stop bit received. Insert coin for new game.
State-Changed-From-To: analyzed->patched 
State-Changed-By: bz 
State-Changed-When: Sat Aug 23 14:28:01 UTC 2008 
State-Changed-Why:  
Properly patched in HEAD. MFC in a few days. 


From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/126493: commit references a PR
Date: Sat, 23 Aug 2008 14:22:42 +0000 (UTC)

 bz          2008-08-23 14:22:12 UTC
 
   FreeBSD src repository
 
   Modified files:
     sys/netinet          tcp_syncache.c 
   Log:
   SVN rev 182056 on 2008-08-23 14:22:12Z by bz
   
   Cache the cred locally in _syncache_add() while holding the locks, so
   we can be sure that it's valid.
   In case we abort early free it again else put it into the syncache.
   
   We need the cred in the syncache to be able to restrict what will be
   exported by the sysctl helper function syncache_pcblist() (to netstat)
   within jails.
   
   PR:             kern/126493
   Reviewed by:    rwatson (earlier versions)
   MFC after:      3 days
   
   Revision  Changes    Path
   1.154     +12 -0     src/sys/netinet/tcp_syncache.c
 _______________________________________________
 cvs-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/cvs-all
 To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"
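
Added example, not part of the PR or of FreeBSD's source: a user-space C model of what the commit log above describes, where each syncache entry keeps a reference to the listening socket's credential so the list exported to netstat can be filtered per jail. The struct and function names and the visibility rule (host sees everything, a jail sees only its own entries) are simplifying assumptions; the addresses and JIDs are taken from the report.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed user-space model, not FreeBSD kernel code. jid 0 = host. */
struct cred { int refs; int jid; };
struct sc_entry { const char *laddr; struct cred *cred; };

static struct cred *cred_hold(struct cred *c) { c->refs++; return c; }
static void cred_free(struct cred *c) { c->refs--; }

/* Assumed rule: the host sees everything, a jail only its own entries. */
static int can_see(const struct cred *viewer, const struct cred *owner)
{
    return viewer->jid == 0 || viewer->jid == owner->jid;
}

/* Record a half-open connection and pin the listening socket's cred. */
static void sc_add(struct sc_entry *e, const char *laddr, struct cred *owner)
{
    e->laddr = laddr;
    e->cred = cred_hold(owner);
}

/* Drop the entry together with the reference it held. */
static void sc_free(struct sc_entry *e) { cred_free(e->cred); e->cred = NULL; }

/* Export entries for a viewer; filtered == 0 models the pre-fix listing. */
static size_t sc_list(const struct sc_entry *tab, size_t n,
                      const struct cred *viewer, int filtered, const char **out)
{
    size_t k = 0;
    for (size_t i = 0; i < n; i++) {
        if (filtered && !can_see(viewer, tab[i].cred))
            continue;            /* owned by another jail: do not export */
        out[k++] = tab[i].laddr;
    }
    return k;
}

int main(void)
{
    struct cred wendy = {1, 25}, ike = {1, 31};  /* constructed sample */
    struct sc_entry tab[2];
    const char *out[2];
    sc_add(&tab[0], "87.98.200.163.110", &wendy);
    sc_add(&tab[1], "87.98.200.164.80", &ike);
    printf("ike sees %zu unfiltered, %zu filtered\n",
           sc_list(tab, 2, &ike, 0, out), sc_list(tab, 2, &ike, 1, out));
    sc_free(&tab[0]); sc_free(&tab[1]);
    return 0;
}
```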
 
State-Changed-From-To: patched->closed 
State-Changed-By: bz 
State-Changed-When: Sat Aug 30 16:53:47 UTC 2008 
State-Changed-Why:  
Both HEAD and RELENG_7 are fixed. The upcoming 7.1-R will no 
longer show the problem.  Thanks for reporting the bug. 


From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/126493: commit references a PR
Date: Sat, 30 Aug 2008 16:50:10 +0000 (UTC)

 bz          2008-08-30 16:49:36 UTC
 
   FreeBSD src repository
 
   Modified files:        (Branch: RELENG_7)
     sys/netinet          tcp_syncache.c 
   Log:
   SVN rev 182482 on 2008-08-30 16:49:36Z by bz
   
   MFC: svn r182056, cvs 1.154 tcp_syncache.c
   
     Cache the cred locally in _syncache_add() while holding the locks, so
     we can be sure that it's valid.
     In case we abort early free it again else put it into the syncache.
   
     We need the cred in the syncache to be able to restrict what will be
     exported by the sysctl helper function syncache_pcblist() (to netstat)
     within jails.
   
   PR:     kern/126493
   
   Revision    Changes    Path
   1.130.2.15  +12 -0     src/sys/netinet/tcp_syncache.c
 
>Unformatted:
