Overview -------- Jail utility can crash in jailparam_free(), not sure if it's an issue with jail passing bad inputs or something in libjail and jailparam_free() Steps to Reproduce ------------------ # jail -c name=test persist vnet # jail -m name=jail vnet vnet.interface=vmx0 Actual Results -------------- Segmentation fault (core dumped) Expected Results ---------------- Doesn't core Build Date & Hardware --------------------- FreeBSD freebsd 13.0-RELEASE FreeBSD 13.0-RELEASE #7 releng/13.0-n244733-ea31abc261f-dirty: Wed Jul 21 14:53:10 UTC 2021 jcaplan@freebsd:/usr/obj/usr/src/amd64.amd64/sys/DEBUG amd64
I see the problem. In the check for non-changeable parameters, it's trying to dereference the value of vnet. There's code to catch boolean parameters with implicit values, but it misses vnet which isn't a true boolean. Working on making a hideous-looking if statement even worse...
Created attachment 232681 [details] Properly detect value-less parameters in rdtun_params This seems to do the trick, as well as making the code a touch more readable. It now not only works for boolean parameters, but "jailsys" parameters like vnet, and string parameters like path. Any of these might have no value set, and would have crashed there. This is a long-standing bug, with code from the beginning of the second-gen jails. I guess not many people run things the way you did, though it's perfectly valid.
Fixed in 490b09f240065d7ef61f68ec1bf134d729cfad28. Oops, I forgot to mention this bug in the commit - I'll try to remember on an MFC.
A commit in branch stable/13 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=c1576434e9cf9c48b4d3975717c9f6cc6427cfd9 commit c1576434e9cf9c48b4d3975717c9f6cc6427cfd9 Author: Jamie Gritton <jamie@FreeBSD.org> AuthorDate: 2022-03-26 02:16:51 +0000 Commit: Jamie Gritton <jamie@FreeBSD.org> CommitDate: 2022-03-28 23:39:54 +0000 mfc jail: handle jailsys parameters in modification permission test Avoid a null dereference when a value-less jailsys parameter is passed to "jail -m". There was already code to handle boolean parameters, but in reality any parameter could be passed without a value. PR: 262471 Reported by: jcaplan at blackberry.com (cherry picked from commit 8f1543785f77086494c73310ba8f5d09b61ff7eb) usr.sbin/jail/jail.c | 32 ++++++++++++++++++++++---------- 1 file changed, 22 insertions(+), 10 deletions(-)
A commit in branch stable/12 references this bug: URL: https://cgit.FreeBSD.org/src/commit/?id=f059a2c832f8cff0d3c0db142a3216b13b4c0480 commit f059a2c832f8cff0d3c0db142a3216b13b4c0480 Author: Jamie Gritton <jamie@FreeBSD.org> AuthorDate: 2022-03-26 02:16:51 +0000 Commit: Jamie Gritton <jamie@FreeBSD.org> CommitDate: 2022-03-28 23:41:12 +0000 mfc jail: handle jailsys parameters in modification permission test Avoid a null dereference when a value-less jailsys parameter is passed to "jail -m". There was already code to handle boolean parameters, but in reality any parameter could be passed without a value. PR: 262471 Reported by: jcaplan at blackberry.com (cherry picked from commit 8f1543785f77086494c73310ba8f5d09b61ff7eb) usr.sbin/jail/jail.c | 32 ++++++++++++++++++++++---------- 1 file changed, 22 insertions(+), 10 deletions(-)