Message-Id: <200604272343.k3RNhQQS082705@www.freebsd.org>
Date: Thu, 27 Apr 2006 23:43:26 GMT
From: Peter <pb@ludd.luth.se>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Executing a linux binary within jail causes reboot.
X-Send-Pr-Version: www-2.3

>Number:         96438
>Category:       kern
>Synopsis:       [linux] Executing a linux binary within jail causes reboot.
>Confidential:   no
>Severity:       non-critical
>Priority:       high
>Responsible:    freebsd-emulation
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Apr 27 23:50:19 GMT 2006
>Closed-Date:    Tue May 02 10:52:43 GMT 2006
>Last-Modified:  Tue May 02 10:52:43 GMT 2006
>Originator:     Peter
>Release:        6.0-RELEASE #0
>Organization:
>Environment:
FreeBSD f6.my.domain 6.0-RELEASE FreeBSD 6.0-RELEASE #0: Thu Nov  3 09:36:13 UTC 2005     root@x64.samsco.home:/usr/obj/usr/src/sys/GENERIC  i386

>Description:
Launching a linux binary like tcsh as the initial command from jail(8) seems
to cause a system reboot.

Second occurrence is that in some circumstances _within_ jail(8) executing
a linux binary causes the system to reboot in the same way.  Because the machine
in question is remote, I have not watched the console while this happens.

I suspect this bug could be exploited to take over the system or DoS it.

Linux binary:
bin/tcsh: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for
GNU/Linux 2.2.0, dynamically linked (uses shared libs), stripped

Dmesg excerpt:
FreeBSD 6.0-RELEASE #0: Thu Nov  3 09:36:13 UTC 2005
    root@x64.samsco.home:/usr/obj/usr/src/sys/GENERIC
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: Pentium Pro (199.74-MHz 686-class CPU)
  Origin = "GenuineIntel"  Id = 0x617  Stepping = 7
  Features=0xf9ff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV>
real memory  = 83881984 (79 MB)
avail memory = 72499200 (69 MB)
npx0: [FAST]
npx0: <math processor> on motherboard
npx0: INT 16 interface
cpu0 on motherboard

Will add to PR when I know more. Hopefully this issue will be remedied in 6.1.

>How-To-Repeat:
Setup jail(8), use a linux binary as "init".

The second occurrence is probably when I put linux system files and then
chroot to it within jail.


>Fix:
Be careful about linux binaries within jail(8).
Don't trust jail(8) security too much.


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-emulation 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Fri Apr 28 00:17:13 UTC 2006 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=96438 

From: Maxim Konovalov <maxim@macomnet.ru>
To: Peter <pb@ludd.luth.se>
Cc: bug-followup@freebsd.org
Subject: Re: kern/96438: Executing a linux binary within jail causes reboot.
Date: Sat, 29 Apr 2006 22:06:00 +0400 (MSD)

 Hi Peter,
 
 > >Description:
 > Launching a linux binary like tcsh as the initial command from
 > jail(8) seems to cause a system reboot. Second occurrence is that in
 > some circumstances _within_ jail(8) executing a linux binary causes
 > the system to reboot in the same way. Because the machine in
 > question is remote, I have not watched the console while this
 > happens.
 
 Can't reproduce on my 6.0-STABLE box and today's HEAD:
 
 shy# uname -a
 FreeBSD shy.macomnet.ru 6.0-STABLE FreeBSD 6.0-STABLE #0: Sun Jan 29
 11:21:40 MSK 2006     maxim@shy.macomnet.ru:/usr/obj/usr/src/sys/GENERIC  i386
 shy# jail / test 127.0.0.1 /compat/linux/bin/bash
 bash-2.05b# uname -a
 Linux test 2.4.2 FreeBSD 6.0-STABLE #0: Sun Jan 29 11:21:40 MSK 2006
 i586 i586 i386 GNU/Linux
 bash-2.05b# exit
 
 Could you verify that with the latest RELENG_6?
 
 -- 
 Maxim Konovalov

From: Alexander Leidinger <Alexander@Leidinger.net>
To: bug-followup@freebsd.org
Cc:  
Subject: Re: kern/96438: Executing a linux binary within jail causes reboot.
Date: Sun, 30 Apr 2006 00:16:38 +0200

 On Sat, 29 Apr 2006 18:10:22 GMT,
 Maxim Konovalov <maxim@macomnet.ru> wrote:
 
 >  > >Description:
 >  > Launching a linux binary like tcsh as the initial command from
 >  > jail(8) seems to cause a system reboot. Second occurrence is that in
 >  > some circumstances _within_ jail(8) executing a linux binary causes
 >  > the system to reboot in the same way. Because the machine in
 >  > question is remote, I have not watched the console while this
 >  > happens.
 >  
 >  Can't reproduce on my 6.0-STABLE box and today's HEAD:
 
 Are those linux binaries by any chance static binaries with *no*
 brandelf of *Linux*?
 
 Bye,
 Alexander.
 
 -- 
 http://www.Leidinger.net                       Alexander @ Leidinger.net
   GPG fingerprint = C518 BC70 E67F 143F BE91  3365 79E2 9C60 B006 3FE7

From: Peter B <pb@ludd.ltu.se>
To: maxim@macomnet.ru (Maxim Konovalov)
Cc: FreeBSD-gnats-submit@FreeBSD.org, freebsd-bugs@FreeBSD.org
Subject: Re: kern/96438: Executing a linux binary within jail causes reboot.
Date: Sun, 30 Apr 2006 15:27:38 +0200 (MEST)

 >> >Description:
 >> Launching a linux binary like tcsh as the initial command from
 >> jail(8) seems to cause a system reboot. Second occurrence is that in
 >> some circumstances _within_ jail(8) executing a linux binary causes
 >> the system to reboot in the same way. Because the machine in
 >> question is remote, I have not watched the console while this
 >> happens.
 >
 >Can't reproduce on my 6.0-STABLE box and today's HEAD:
 >
 >shy# uname -a
 >FreeBSD shy.macomnet.ru 6.0-STABLE FreeBSD 6.0-STABLE #0: Sun Jan 29
 >11:21:40 MSK 2006     maxim@shy.macomnet.ru:/usr/obj/usr/src/sys/GENERIC  i386
 >shy# jail / test 127.0.0.1 /compat/linux/bin/bash
 >bash-2.05b# uname -a
 >Linux test 2.4.2 FreeBSD 6.0-STABLE #0: Sun Jan 29 11:21:40 MSK 2006
 >i586 i586 i386 GNU/Linux
 >bash-2.05b# exit
 >
 >Could you verify that with the latest RELENG_6?
 
 I'll have to make a setup for that. Might take some days due to other tasks.
 
 It might be that I set up the jail tree to not use compat, but rather have
 a complete linux system tree at jail root, i.e. linux files in /bin/ not
 /compat/linux/bin/
 
 That way when software like Xilinx tries to modify/access /usr/X11R6 files it
 gets the linux files it expects.
 

From: Kris Kennaway <kris@obsecurity.org>
To: Peter B <pb@ludd.ltu.se>
Cc: Maxim Konovalov <maxim@macomnet.ru>, freebsd-bugs@FreeBSD.org,
	FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: kern/96438: Executing a linux binary within jail causes reboot.
Date: Sun, 30 Apr 2006 17:00:11 -0400

 
 On Sun, Apr 30, 2006 at 03:27:38PM +0200, Peter B wrote:
 > >> >Description:
 > >> Launching a linux binary like tcsh as the initial command from
 > >> jail(8) seems to cause a system reboot. Second occurrence is that in
 > >> some circumstances _within_ jail(8) executing a linux binary causes
 > >> the system to reboot in the same way. Because the machine in
 > >> question is remote, I have not watched the console while this
 > >> happens.
 > >
 > >Can't reproduce on my 6.0-STABLE box and today's HEAD:
 > >
 > >shy# uname -a
 > >FreeBSD shy.macomnet.ru 6.0-STABLE FreeBSD 6.0-STABLE #0: Sun Jan 29
 > >11:21:40 MSK 2006     maxim@shy.macomnet.ru:/usr/obj/usr/src/sys/GENERIC  i386
 > >shy# jail / test 127.0.0.1 /compat/linux/bin/bash
 > >bash-2.05b# uname -a
 > >Linux test 2.4.2 FreeBSD 6.0-STABLE #0: Sun Jan 29 11:21:40 MSK 2006
 > >i586 i586 i386 GNU/Linux
 > >bash-2.05b# exit
 > >
 > >Could you verify that with the latest RELENG_6?
 >
 > I'll have to make a setup for that. Might take some days due to other tasks.
 >
 > It might be that I set up the jail tree to not use compat, but rather have
 > a complete linux system tree at jail root, i.e. linux files in /bin/ not
 > /compat/linux/bin/
 
 It shouldn't matter as long as they are really linux binaries
 (i.e. brandelf(1) is correct).  If they are linux binaries branded as
 FreeBSD then running them will easily reboot your machine (since one
 of the common linux syscalls has the same syscall number as reboot(2)
 on FreeBSD).
 
 Kris
 
State-Changed-From-To: open->feedback 
State-Changed-By: netchild 
State-Changed-When: Mon May 1 11:48:17 UTC 2006 
State-Changed-Why:  
Change severity to non-critical. This can't be reproduced (except for 
the known case of a mis-branded ELF binary). 

Wait for feedback/confirmation until closing this PR. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=96438 
State-Changed-From-To: feedback->closed 
State-Changed-By: netchild 
State-Changed-When: Tue May 2 10:52:22 UTC 2006 
State-Changed-Why:  
Got confirmation that it was a brandelf issue. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=96438 
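
Added example (not part of the PR and not FreeBSD project code): the thread
resolves to a Linux binary carrying the wrong ELF brand, so this sketch reads
the EI_OSABI byte that brandelf(1) sets and compares it with Linux evidence in
the program headers (an ld-linux interpreter, a GNU ABI tag note). The function
names and the constructed sample image are assumptions; only little-endian
ELF32, as on the i386 machine in the report, is handled.

```python
import struct

OSABI = {0: "SYSV", 3: "Linux", 9: "FreeBSD"}        # e_ident[EI_OSABI] values

def gnu_linux_notes(seg):
    """Describe NT_GNU_ABI_TAG notes in a PT_NOTE segment that name Linux."""
    found, off = [], 0
    while off + 12 <= len(seg):
        namesz, descsz, ntype = struct.unpack_from("<3I", seg, off)
        desc = off + 12 + ((namesz + 3) & ~3)        # name is padded to 4 bytes
        name = seg[off + 12:off + 12 + namesz]
        if name == b"GNU\0" and ntype == 1 and descsz >= 16 and desc + 16 <= len(seg):
            os_id, major, minor, sub = struct.unpack_from("<4I", seg, desc)
            if os_id == 0:                           # 0 means Linux in this note
                found.append("GNU ABI tag: Linux %d.%d.%d" % (major, minor, sub))
        off = desc + ((descsz + 3) & ~3)
    return found

def inspect_elf32(data):
    """Return (brand, linux_evidence) for a little-endian ELF32 image."""
    if len(data) < 52 or data[:4] != b"\x7fELF" or data[4] != 1 or data[5] != 1:
        raise ValueError("not a little-endian ELF32 image")
    brand = OSABI.get(data[7], "other")              # byte 7 is what brandelf(1) rewrites
    (phoff,) = struct.unpack_from("<I", data, 28)
    phentsize, phnum = struct.unpack_from("<HH", data, 42)
    evidence = []
    for i in range(phnum):
        p_type, p_off, _, _, p_filesz = struct.unpack_from("<5I", data, phoff + i * phentsize)
        seg = data[p_off:p_off + p_filesz]
        if p_type == 3 and b"ld-linux" in seg:       # PT_INTERP
            evidence.append("interp " + seg.rstrip(b"\0").decode("ascii", "replace"))
        elif p_type == 4:                            # PT_NOTE
            evidence += gnu_linux_notes(seg)
    return brand, evidence

def verdict(data):
    """Classify an image: Linux evidence under a non-Linux brand needs attention."""
    brand, evidence = inspect_elf32(data)
    if not evidence or brand == "Linux":
        return "consistent"
    return "mis-branded" if brand == "FreeBSD" else "not-linux-branded"

def sample(osabi):
    """Constructed image: ELF header, PT_INTERP and PT_NOTE only (not a runnable binary)."""
    interp = b"/lib/ld-linux.so.2\0"
    note = struct.pack("<3I4s4I", 4, 16, 1, b"GNU\0", 0, 2, 2, 0)
    hdr = b"\x7fELF" + bytes([1, 1, 1, osabi]) + bytes(8)
    hdr += struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, 52, 0, 0, 52, 32, 2, 0, 0, 0)
    ph = struct.pack("<8I", 3, 116, 0, 0, 19, 19, 4, 1)
    ph += struct.pack("<8I", 4, 136, 0, 0, 32, 32, 4, 4)
    return hdr + ph + interp + b"\0" + note
```

Run verdict() over the bytes of each executable in a jail tree before first use;
anything other than "consistent" is a candidate for brandelf(1) correction.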
>Unformatted:
