Bug 242415

Summary: Running any command that interacts with network connections as an underprivileged user panics the OS
Product: Base System
Reporter: Shirkdog <mshirk>
Component: kern
Assignee: Gleb Smirnoff <glebius>
Status: Closed FIXED
Severity: Affects Some People
CC: bz, emaste, glebius
Priority: ---
Keywords: crash, security
Version: CURRENT
Flags: koobs: mfc-stable12-
       koobs: mfc-stable11-
Hardware: amd64
OS: Any

Attachments:
Crash dump from FreeBSD (flags: none)

Description Shirkdog 2019-12-04 04:02:48 UTC
Created attachment 209677 [details]
Crash dump from FreeBSD

FreeBSD 13.0-CURRENT #0 r355121: Wed Nov 27 04:20:46 UTC 2019
    root@releng1.nyi.freebsd.org:/usr/obj/usr/src/amd64.amd64/sys/GENERIC

Originally discovered on HardenedBSD, but the issue appears to occur when using pf and running sockstat -4 as a non-root user. I know there has been some recent work to remove locks, so I wanted to make sure to log this bug (crash dump is attached).

<118>Wed Dec  4 03:42:25 UTC 2019
<118>Dec  4 03:42:25 freebsd ntpd[16430]: error resolving pool 0.freebsd.pool.ntp.org: Name does not resolve (8)
<118>Dec  4 03:42:27 freebsd login[37838]: ROOT LOGIN (root) ON ttyu0
lock order reversal: (sleepable after non-sleepable)
 1st 0xfffff80017f327c0 tcpinp (tcpinp) @ /usr/src/sys/netinet/tcp_subr.c:2169
 2nd 0xffffffff81c7e168 sysctl lock (sysctl lock) @ /usr/src/sys/kern/kern_sysctl.c:181
stack backtrace:
#0 0xffffffff80c32a81 at witness_debugger+0x71
#1 0xffffffff80c327f1 at witness_checkorder+0xab1
#2 0xffffffff80bc054b at _rm_rlock_debug+0x13b
#3 0xffffffff80bd59af at sysctl_root_handler_locked+0xcf
#4 0xffffffff80bd4d0a at sysctl_root+0x20a
#5 0xffffffff80bd53bb at userland_sysctl+0x17b
#6 0xffffffff80bd5759 at kern___sysctlbyname+0x219
#7 0xffffffff80bd57ad at sys___sysctlbyname+0x2d
#8 0xffffffff81064846 at amd64_syscall+0x2d6
#9 0xffffffff8103aa70 at fast_syscall_common+0x101
lock order reversal: (sleepable after non-sleepable)
 1st 0xfffff80017f327c0 tcpinp (tcpinp) @ /usr/src/sys/netinet/tcp_subr.c:2169
 2nd 0xfffff80019546070 vm map (user) (vm map (user)) @ /usr/src/sys/vm/vm_map.c:2927
stack backtrace:
#0 0xffffffff80c32a81 at witness_debugger+0x71
#1 0xffffffff80c327f1 at witness_checkorder+0xab1
#2 0xffffffff80bcf687 at _sx_xlock+0x67
#3 0xffffffff80f0f8c8 at vm_map_unwire+0x68
#4 0xffffffff80bd544b at userland_sysctl+0x20b
#5 0xffffffff80bd5759 at kern___sysctlbyname+0x219
#6 0xffffffff80bd57ad at sys___sysctlbyname+0x2d
#7 0xffffffff81064846 at amd64_syscall+0x2d6
#8 0xffffffff8103aa70 at fast_syscall_common+0x101
userret: returning with the following locks held:
shared rw tcpinp (tcpinp) r = 0 (0xfffff80017f327c0) locked @ /usr/src/sys/netinet/tcp_subr.c:2169
shared rw tcpinp (tcpinp) r = 0 (0xfffff80017f325d8) locked @ /usr/src/sys/netinet/tcp_subr.c:2169
shared rw tcpinp (tcpinp) r = 0 (0xfffff80017f32020) locked @ /usr/src/sys/netinet/tcp_subr.c:2169
shared rw tcpinp (tcpinp) r = 0 (0xfffff80017f323f0) locked @ /usr/src/sys/netinet/tcp_subr.c:2169
panic: witness_warn
cpuid = 0
time = 1575430988
KDB: stack backtrace:
db_trace_self_wrapper() at db_trace_self_wrapper+0x2b/frame 0xfffffe00247668f0
vpanic() at vpanic+0x17e/frame 0xfffffe0024766950
panic() at panic+0x43/frame 0xfffffe00247669b0
witness_warn() at witness_warn+0x413/frame 0xfffffe0024766a70
userret() at userret+0xc0/frame 0xfffffe0024766ac0
amd64_syscall() at amd64_syscall+0x543/frame 0xfffffe0024766bf0
fast_syscall_common() at fast_syscall_common+0x101/frame 0xfffffe0024766bf0
--- syscall (2, FreeBSD ELF64, sys_fork), rip = 0x8003ad85a, rsp = 0x7fffffffead8, rbp = 0x7fffffffeb80 ---
KDB: enter: panic
sysctl.conf

#security.bsd.see_other_uids=0
security.bsd.see_other_uids=0
security.bsd.see_other_gids=0
security.bsd.see_jail_proc=0
security.bsd.unprivileged_read_msgbuf=0
security.bsd.unprivileged_proc_debug=0
kern.randompid=1
vfs.zfs.min_auto_ashift=12
rc.conf

clear_tmp_enable="YES"
syslogd_flags="-ss"
sendmail_enable="NONE"
hostname="freebsd"
ifconfig_vtnet0="DHCP"
local_unbound_enable="YES"
sshd_enable="YES"
ntpdate_enable="YES"
ntpd_enable="YES"
# Set dumpdev to "AUTO" to enable crash dumps, "NO" to disable
dumpdev="AUTO"
zfs_enable="YES"
pf_enable="YES"
pflog_enable="YES"
pflog_flags="-s 1500"
ddb_enable="yes"

Comment 1 Shirkdog 2019-12-04 04:20:54 UTC
I can also make it happen with "systat -netstat all"
Comment 2 Ed Maste freebsd_committer freebsd_triage 2019-12-04 17:34:45 UTC
Does not happen on a release, so does not need to be private
Comment 3 Ed Maste freebsd_committer freebsd_triage 2019-12-04 20:10:36 UTC
Shirkdog reports the 11/7 snapshot is fine, 11/14 panics.
sysctl security.bsd.see_other_uids=0 is needed

r354484:

commit 6d3bde7c4ae5b57d4308170a83bdc2edf85ad332
Author: glebius <glebius@FreeBSD.org>
Date:   Thu Nov 7 21:27:32 2019 +0000

    Now that there is no R/W lock on PCB list the pcblist sysctls
    handlers can be greatly simplified.  All the previous double
    cycling and complex locking was added to avoid these functions
    holding global PCB locks for extended period of time, preventing
    addition of new entries.

Notes:
    svn path=/head/; revision=354484
Comment 4 Ed Maste freebsd_committer freebsd_triage 2019-12-04 20:40:06 UTC
20:15 < Shirkdog> and security.bsd.see_other_gids=0
Comment 5 commit-hook freebsd_committer freebsd_triage 2019-12-04 22:42:08 UTC
A commit references this bug:

Author: glebius
Date: Wed Dec  4 22:41:53 UTC 2019
New revision: 355405
URL: https://svnweb.freebsd.org/changeset/base/355405

Log:
  Fix regression from r354484.  Don't leak pcb lock if cr_canseeinpcb()
  returns non-zero.

  PR:		242415

Changes:
  head/sys/netinet/tcp_subr.c
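The regression and its fix, as a constructed C model added here (not FreeBSD's own tcp_subr.c): a simplified pcblist walk in which a uid comparison stands in for cr_canseeinpcb(), the leaky version skips the unlock on the permission-denied path (the locks WITNESS reported at userret in the dump above), and the fixed version unlocks on every exit from the loop body. The names struct inpcb, cr_canseeinpcb_model, pcblist_leaky and pcblist_fixed, and the sample uid list, are this example's own.

```c
/* Constructed model of the tcp_pcblist walk (not FreeBSD's own code): each
 * inpcb is read-locked while it is examined, and a visibility predicate
 * stands in for cr_canseeinpcb(), which returns non-zero when the caller
 * may not see the PCB (e.g. security.bsd.see_other_uids=0, other uid). */
struct inpcb {
    unsigned owner_uid;
    int rlock_held;   /* modelled INP_RLOCK reader count */
};

/* Stand-in for cr_canseeinpcb(): 0 = visible, non-zero = not visible. */
static int cr_canseeinpcb_model(unsigned caller_uid, const struct inpcb *inp)
{
    return (caller_uid == 0 || caller_uid == inp->owner_uid) ? 0 : 1;
}

/* Walk as regressed by r354484: on a permission failure the loop moves on
 * without releasing the lock it just took. Returns the number of inpcb
 * locks still held when the walk ends; anything but 0 is what witness
 * reports at userret as "returning with the following locks held". */
static int pcblist_leaky(struct inpcb *list, int n, unsigned caller_uid, int *exported)
{
    int held = 0, i;
    *exported = 0;
    for (i = 0; i < n; i++) {
        list[i].rlock_held++; held++;                 /* INP_RLOCK */
        if (cr_canseeinpcb_model(caller_uid, &list[i]) != 0)
            continue;                                 /* bug: no INP_RUNLOCK */
        (*exported)++;
        list[i].rlock_held--; held--;                 /* INP_RUNLOCK */
    }
    return held;
}

/* Walk as fixed in r355405: every exit path of the loop body unlocks. */
static int pcblist_fixed(struct inpcb *list, int n, unsigned caller_uid, int *exported)
{
    int held = 0, i;
    *exported = 0;
    for (i = 0; i < n; i++) {
        list[i].rlock_held++; held++;                 /* INP_RLOCK */
        if (cr_canseeinpcb_model(caller_uid, &list[i]) != 0) {
            list[i].rlock_held--; held--;             /* INP_RUNLOCK before continue */
            continue;
        }
        (*exported)++;
        list[i].rlock_held--; held--;                 /* INP_RUNLOCK */
    }
    return held;
}
```

With see_other_uids=0 the leak only shows up for a non-root caller whose list contains sockets owned by other uids, which matches why the reporter needed that sysctl to reproduce.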
Comment 6 Kubilay Kocak freebsd_committer freebsd_triage 2019-12-15 10:50:45 UTC
(In reply to Ed Maste from comment #2)

^Triage: Re-categorized, thanks Ed.