From nobody@FreeBSD.org  Tue Jun 22 05:06:56 2004
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 7454616A4CE
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 22 Jun 2004 05:06:56 +0000 (GMT)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 5603243D49
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 22 Jun 2004 05:06:56 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.12.11/8.12.11) with ESMTP id i5M56ugW092795
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 22 Jun 2004 05:06:56 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.12.11/8.12.11/Submit) id i5M56uhw092794;
	Tue, 22 Jun 2004 05:06:56 GMT
	(envelope-from nobody)
Message-Id: <200406220506.i5M56uhw092794@www.freebsd.org>
Date: Tue, 22 Jun 2004 05:06:56 GMT
From: Mark Delany <sxcg2-fuwxj@qmda.emu.st>
To: freebsd-gnats-submit@FreeBSD.org
Subject: arp -a discloses non-jail interfaces within a jail
X-Send-Pr-Version: www-2.3

>Number:         68189
>Category:       kern
>Synopsis:       [arp] [jail] [patch] arp -a discloses non-jail interfaces within a jail
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    bz
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jun 22 05:10:21 GMT 2004
>Closed-Date:    Tue Jan 05 12:28:47 UTC 2010
>Last-Modified:  Tue Jan 05 12:28:47 UTC 2010
>Originator:     Mark Delany
>Release:        4.10
>Organization:
>Environment:
FreeBSD f4.norcalsites.com 4.10-STABLE FreeBSD 4.10-STABLE #1: Mon Jun 21 21:23:21 PDT 2004     root@f2.norcalsites.com:/usr/obj/usr/src/sys/norcal-410b  i386

>Description:
If jail is meant to appear as a virtual machine to the prisoner, then
arp -a discloses that it is a jail and what other interfaces are on that system.
>How-To-Repeat:
Create a jail on a multi-homed system and run arp -a. All interfaces that
have an arp entry will be displayed.
>Fix:
      
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->luigi 
Responsible-Changed-By: bms 
Responsible-Changed-When: Tue Jun 22 21:00:33 GMT 2004 
Responsible-Changed-Why:  
Luigi is/was working on the ARP rewrite. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=68189 
State-Changed-From-To: open->analyzed 
State-Changed-By: bms 
State-Changed-When: Tue Jun 22 21:17:37 GMT 2004 
State-Changed-Why:  
About to Cc: GNATS with my analysis 

http://www.freebsd.org/cgi/query-pr.cgi?pr=68189 

From: Bruce M Simpson <bms@spc.org>
To: freebsd-gnats-submit@FreeBSD.org
Cc:  
Subject: Re: kern/68189: arp -a discloses non-jail interfaces within a jail
Date: Tue, 22 Jun 2004 22:18:21 +0100

 The disclosure has been confirmed to exist by at least one user running
 jails.
 
 To resolve this disclosure, either sysctl_rtsock() or sysctl_dumpentry()
 should check if the requesting process is jailed for the NET_RT_FLAGS or
 NET_RT_DUMP cases.
 
 A different code path would no doubt be in use if the ARP rewrite removes
 the RTF_LLINFO routes from the routing table.
 
 regards,
 BMS

From: Uwe Doering <gemini@geminix.org>
To: freebsd-gnats-submit@FreeBSD.org
Cc:  
Subject: Re: kern/68189: arp -a discloses non-jail interfaces within a jail
Date: Thu, 19 Aug 2004 18:19:46 +0200

 
 I took the liberty to look at 'net/rtsock.c', and at least for RELENG_4 
 the fix is trivial.  We just need to make sure that all information the 
 jailed user has access to is the (cloned) host route of that jail's 
 interface.  Everything else is none of his business.  This policy would 
 be in line with the restricted information he can gather through 'ifconfig'.
 
 Please consider adopting the attached patch.  It deals with the 
 underlying information leaks exploitable through both 'arp -a' and 
 'route get'.
 
     Uwe
 -- 
 Uwe Doering         |  EscapeBox - Managed On-Demand UNIX Servers
 gemini@geminix.org  |  http://www.escapebox.net
 
 Attachment: rtsock.c.diff
 
 --- src/sys/net/rtsock.c.orig	Tue Jun  8 17:42:28 2004
 +++ src/sys/net/rtsock.c	Wed Aug 18 16:28:47 2004
 @@ -373,6 +373,10 @@
  
  		case RTM_GET:
  		report:
 +			if (curproc->p_prison &&
 +			    ((rt->rt_flags & RTF_HOST) == 0 ||
 +			     prison_if(curproc, rt_key(rt))))
 +				senderr(ESRCH);
  			dst = rt_key(rt);
  			gate = rt->rt_gateway;
  			netmask = rt_mask(rt);
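Review bot: prison_if() is used un-negated here, whereas the r186980 version of the same check later in this PR writes !prison_if(...); the return convention evidently differs between branches, so confirm which value prison_if() returns for an address that does belong to the jail on the branch this is applied to, otherwise the test hides exactly the jail's own host route and shows everything else. Also, `(rt->rt_flags & RTF_HOST) == 0` rejects every non-host route, so `route get default` inside a jail now fails with ESRCH; that matches the stated policy and ESRCH is a good choice because it is indistinguishable from the route not existing, but a one-line comment stating the intent would help the next reader.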
 @@ -388,7 +392,7 @@
  				} else {
  					ifpaddr = 0;
  					ifaaddr = 0;
 -			    }
 +				}
  			}
  			len = rt_msg2(rtm->rtm_type, &info, (caddr_t)0,
  				(struct walkarg *)0);
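Review bot: this hunk is a whitespace-only re-indentation of the closing brace and has no connection to the disclosure; fine to keep, but say so in the submission (or split it out) so reviewers do not search it for a functional change.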
 @@ -872,6 +876,10 @@
  	struct rt_addrinfo info;
  
  	if (w->w_op == NET_RT_FLAGS && !(rt->rt_flags & w->w_arg))
 +		return 0;
 +	if (curproc->p_prison &&
 +	    ((rt->rt_flags & RTF_HOST) == 0 ||
 +	     prison_if(curproc, rt_key(rt))))
  		return 0;
  	bzero((caddr_t)&info, sizeof(info));
  	dst = rt_key(rt);
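Review bot: the check keys on curproc->p_prison, i.e. whichever process happens to be running the sysctl, rather than on credentials carried by the request; that is equivalent while sysctl runs in the caller's context, but tying the decision to the request's thread (as r186980 later does with w->w_req->td->td_ucred) makes the intent explicit. Placing it after the NET_RT_FLAGS test is right, since both NET_RT_FLAGS (arp -a) and NET_RT_DUMP (route/netstat listings) reach this line, and returning 0 silently drops the entry, which is the correct behaviour for a listing.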
 
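The policy in the message above (a jailed user sees only the host route of the jail's own address) gives a simple acceptance test for the How-To-Repeat in this PR: every address in the ARP listing seen from inside the jail must be one of the jail's addresses. The script below is an added example, not part of the PR or of any FreeBSD code; it parses the `arp -an` line format (address in parentheses, which both the 4.x `host (ip) at ...` form and the later `? (ip) at ...` form share), and the ARP lines and jail addresses in it are constructed sample data.

```shell
#!/bin/sh
# Added example: flag ARP entries visible inside a jail that do not belong
# to the jail. Before the fix in kern/68189 a jail on a multi-homed host
# sees entries for every interface; after it, only its own address.

# Constructed sample of `arp -an` output as a pre-fix jail would see it.
SAMPLE_ARP='? (192.0.2.10) at 00:00:5e:00:53:0a on em0 [ethernet]
gw.example.net (192.0.2.1) at 00:00:5e:00:53:01 on em0 [ethernet]
? (198.51.100.7) at 00:00:5e:00:53:07 on em1 [ethernet]'

# Constructed list of the jail's own IPv4 addresses (space, comma or
# newline separated). On a live system take it from `ifconfig` inside the
# jail or from the host's jail configuration.
JAIL_ADDRS='192.0.2.10'

# foreign_arp_entries ARP_TEXT ADDR_LIST
# Prints each IPv4 address found in ARP_TEXT that is not in ADDR_LIST.
foreign_arp_entries() {
    printf '%s\n' "$1" | awk -v allowed="$2" '
        BEGIN {
            n = split(allowed, a, /[ ,\n]+/)
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        # Lines look like: ? (A.B.C.D) at xx:xx:xx:xx:xx:xx on ifN ...
        match($0, /\([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\)/) {
            ip = substr($0, RSTART + 1, RLENGTH - 2)
            if (!(ip in ok)) print ip
        }'
}

# check_jail_arp_view ARP_TEXT ADDR_LIST
# Returns 0 when the view is confined to the jail's addresses, 1 if it leaks.
check_jail_arp_view() {
    leaked=$(foreign_arp_entries "$1" "$2")
    if [ -n "$leaked" ]; then
        printf 'ARP view discloses non-jail addresses:\n%s\n' "$leaked"
        return 1
    fi
    printf 'ARP view confined to jail addresses\n'
    return 0
}

# Demonstration on the constructed sample. Inside a real jail run instead:
#   check_jail_arp_view "$(arp -an)" "$(ifconfig | awk '/inet /{print $2}')"
check_jail_arp_view "$SAMPLE_ARP" "$JAIL_ADDRS" || true
```

Run as root inside the jail after the kernel update; a non-zero exit from check_jail_arp_view means the sysctl dump path is still returning entries for addresses the jail does not own.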
Responsible-Changed-From-To: luigi->bz 
Responsible-Changed-By: rwatson 
Responsible-Changed-When: Wed Jan 30 22:26:05 UTC 2008 
Responsible-Changed-Why:  
Assign to bz, he's been looking at related issues. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=68189 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/68189: commit references a PR
Date: Fri,  9 Jan 2009 21:58:00 +0000 (UTC)

 Author: bz
 Date: Fri Jan  9 21:57:49 2009
 New Revision: 186980
 URL: http://svn.freebsd.org/changeset/base/186980
 
 Log:
   Restrict arp, ndp and theoretically the FIB listing (if not
   read with libkvm) to the addresses of a prison, when inside a
   jail. [1]
   As the patch from the PR was pre-'new-arp', add checks to the
   llt_dump handlers as well.
   
   While touching RTM_GET in route_output(), consistently use
   curthread credentials rather than the creds from the socket
   there. [2]
   
   PR:		kern/68189
   Submitted by:	Mark Delany <sxcg2-fuwxj@qmda.emu.st> [1]
   Discussed with:	rwatson [2]
   Reviewed by:	rwatson
   MFC after:	4 weeks
 
 Modified:
   head/sys/net/rtsock.c
   head/sys/netinet/in.c
   head/sys/netinet6/in6.c
 
 Modified: head/sys/net/rtsock.c
 ==============================================================================
 --- head/sys/net/rtsock.c	Fri Jan  9 21:39:44 2009	(r186979)
 +++ head/sys/net/rtsock.c	Fri Jan  9 21:57:49 2009	(r186980)
 @@ -611,6 +611,12 @@ route_output(struct mbuf *m, struct sock
  		case RTM_GET:
  		report:
  			RT_LOCK_ASSERT(rt);
 +			if (jailed(curthread->td_ucred) &&
 +			    ((rt->rt_flags & RTF_HOST) == 0 ||
 +			    !prison_if(curthread->td_ucred, rt_key(rt)))) {
 +				RT_UNLOCK(rt);
 +				senderr(ESRCH);
 +			}
  			info.rti_info[RTAX_DST] = rt_key(rt);
  			info.rti_info[RTAX_GATEWAY] = rt->rt_gateway;
  			info.rti_info[RTAX_NETMASK] = rt_mask(rt);
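Review bot: the RT_UNLOCK(rt) before senderr(ESRCH) is required because senderr() leaves route_output() through its error path with the route still locked otherwise, and it matches the existing unlock-then-senderr sequence in the rtm_get_jailed() branch a few lines further down; what is missing is a comment, since this block has none while the in.c and in6.c hunks explain theirs ("Skip if jailed and not a valid IP of the prison"). Suggest something like `/* Inside a jail only the prison's own host routes are visible. */` above the if.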
 @@ -620,10 +626,10 @@ route_output(struct mbuf *m, struct sock
  				if (ifp) {
  					info.rti_info[RTAX_IFP] =
  					    ifp->if_addr->ifa_addr;
 -					if (jailed(so->so_cred)) {
 +					if (jailed(curthread->td_ucred)) {
  						error = rtm_get_jailed(
  						    &info, ifp, rt, &saun,
 -						    so->so_cred);
 +						    curthread->td_ucred);
  						if (error != 0) {
  							RT_UNLOCK(rt);
  							senderr(ESRCH);
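Review bot: moving rtm_get_jailed() from so->so_cred to curthread->td_ucred is needed for consistency with the new check above, which also uses curthread->td_ucred; with mixed credentials a jailed thread on a socket created elsewhere could pass one check and fail the other. Since a routing socket can outlive or be handed to a different process than the one that created it, the log entry [2] should spell out that the calling thread's credentials are now authoritative for RTM_GET.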
 @@ -1256,6 +1262,10 @@ sysctl_dumpentry(struct radix_node *rn, 
  
  	if (w->w_op == NET_RT_FLAGS && !(rt->rt_flags & w->w_arg))
  		return 0;
 +	if (jailed(w->w_req->td->td_ucred) &&
 +	    ((rt->rt_flags & RTF_HOST) == 0 ||
 +	    !prison_if(w->w_req->td->td_ucred, rt_key(rt))))
 +		return (0);
  	bzero((caddr_t)&info, sizeof(info));
  	info.rti_info[RTAX_DST] = rt_key(rt);
  	info.rti_info[RTAX_GATEWAY] = rt->rt_gateway;
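Review bot: the added `return (0);` sits two lines below the existing `return 0;` in the same function, so the hunk introduces a style inconsistency; pick one form (style(9) prefers the parenthesised one) rather than mixing them. The logic itself is fine: it mirrors the route_output() check and, being placed after the NET_RT_FLAGS filter, applies to both the NET_RT_DUMP and NET_RT_FLAGS walks.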
 
 Modified: head/sys/netinet/in.c
 ==============================================================================
 --- head/sys/netinet/in.c	Fri Jan  9 21:39:44 2009	(r186979)
 +++ head/sys/netinet/in.c	Fri Jan  9 21:57:49 2009	(r186980)
 @@ -1201,6 +1201,10 @@ in_lltable_dump(struct lltable *llt, str
  			/* skip deleted entries */
  			if ((lle->la_flags & (LLE_DELETED|LLE_VALID)) != LLE_VALID)
  				continue;
 +			/* Skip if jailed and not a valid IP of the prison. */
 +			if (jailed(wr->td->td_ucred) &&
 +			    !prison_if(wr->td->td_ucred, L3_ADDR(lle)))
 +				continue;
  			/*
  			 * produce a msg made of:
  			 *  struct rt_msghdr;
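Review bot: the filter covers only the sysctl dump loop, so, as the log message itself notes, a reader with libkvm access still sees the whole table; the comment could say that the entries are hidden from the dump rather than removed, to avoid giving the impression that the table is partitioned per jail. L3_ADDR(lle) is the right key to pass, since prison_if() decides on the IP address and not on the interface.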
 
 Modified: head/sys/netinet6/in6.c
 ==============================================================================
 --- head/sys/netinet6/in6.c	Fri Jan  9 21:39:44 2009	(r186979)
 +++ head/sys/netinet6/in6.c	Fri Jan  9 21:57:49 2009	(r186980)
 @@ -2240,6 +2240,10 @@ in6_lltable_dump(struct lltable *llt, st
  			/* skip deleted or invalid entries */
  			if ((lle->la_flags & (LLE_DELETED|LLE_VALID)) != LLE_VALID)
  				continue;
 +			/* Skip if jailed and not a valid IP of the prison. */
 +			if (jailed(wr->td->td_ucred) &&
 +			    !prison_if(wr->td->td_ucred, L3_ADDR(lle)))
 +				continue;
  			/*
  			 * produce a msg made of:
  			 *  struct rt_msghdr;
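Review bot: this block is identical to the one added to in_lltable_dump() in in.c; a small shared helper taking the sysctl request and the L3 address would keep the two dump loops from drifting apart the next time the jail check changes.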
 
State-Changed-From-To: analyzed->patched 
State-Changed-By: bz 
State-Changed-When: Fri Jan 9 22:00:35 UTC 2009 
State-Changed-Why:  
Changes committed to HEAD. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=68189 

From: "Bjoern A. Zeeb" <bz@FreeBSD.org>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/68189: [arp] [jail] [patch] arp -a discloses non-jail
 interfaces within a jail
Date: Fri, 9 Jan 2009 22:04:52 +0000 (UTC)

 As I corrected in a follow-up to the commit message:
 
 That should have been: 
 Submitted by:           Uwe Doering <gemini@geminix.org> [1]
 
 -- 
 Bjoern A. Zeeb                      The greatest risk is not taking one.
State-Changed-From-To: patched->closed 
State-Changed-By: bz 
State-Changed-When: Tue Jan 5 12:27:16 UTC 2010 
State-Changed-Why:  
Thanks a lot for reporting, submitting the patch and testing. 
Unfortunately this cannot be merged back to 6.x anymore without 
breaking other things. 
The changes are in HEAD, stable/8 and 8.0-R and also in 
stable/7 and 7.2-R though and will be part of any other upcoming 
releases from those branches. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=68189 
>Unformatted:
