Bug 200361 - net.inet.tcp.hostcache.list is jail information leak
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: CURRENT
Hardware: Any Any
Importance: --- Affects Many People
Assignee: Hiren Panchasara
URL:
Keywords: patch
Depends on:
Blocks:
 
Reported: 2015-05-21 08:22 UTC by Marcus Reid
Modified: 2017-01-12 01:08 UTC (History)

See Also:
op: mfc-stable11?
op: mfc-stable10?


Description Marcus Reid 2015-05-21 08:22:51 UTC
The unlisted sysctl net.inet.tcp.hostcache.list allows a jail to see what hosts the host system and other jails have connections to.
Comment 1 Bjoern A. Zeeb freebsd_committer freebsd_triage 2015-05-21 23:16:22 UTC
Not even compile tested but if someone could make sure it does the right thing, that would be great:

(1) base system should always continue to work as-is.
(2) a classic jail should get an "operation not permitted" back on attempting to read.
(3) for VIMAGE kernels, base system see (1), classic jail see (2), and a vnet jail should not change either.

Index: tcp_hostcache.c
===================================================================
--- tcp_hostcache.c     (revision 283272)
+++ tcp_hostcache.c     (working copy)
@@ -69,6 +69,7 @@ __FBSDID("$FreeBSD$");
 
 #include <sys/param.h>
 #include <sys/systm.h>
+#include <sys/jail.h>
 #include <sys/kernel.h>
 #include <sys/lock.h>
 #include <sys/mutex.h>
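Review bot: the include added in this hunk only declares jailed_without_vnet(); the check added in the next hunk dereferences curthread, and struct thread is only forward-declared through sys/systm.h, so this hunk also needs `#include <sys/proc.h>` for the full definition (that is the incomplete-type error shown in comment 2).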
@@ -608,6 +609,9 @@ sysctl_tcp_hc_list(SYSCTL_HANDLER_ARGS)
        char ip6buf[INET6_ADDRSTRLEN];
 #endif
 
+       if (jailed_without_vnet(curthread->td_cred) != 0)
+               return (EPERM);
+
        sbuf_new(&sb, NULL, linesize * (V_tcp_hostcache.cache_count + 1),
                SBUF_INCLUDENUL);
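Review bot: `curthread->td_cred` in this hunk names a member struct thread does not have; the credential pointer is `td_ucred`, so the line should read `if (jailed_without_vnet(curthread->td_ucred) != 0)`. The placement is right: the check sits before sbuf_new(), so the early `return (EPERM)` leaks nothing, and a vnet jail falls through to its own V_tcp_hostcache as requirement (3) asks.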
Comment 2 Marcus Reid 2015-05-22 19:53:50 UTC
/usr/src/sys/netinet/tcp_hostcache.c:612:35: error: incomplete definition of type 'struct thread'
        if (jailed_without_vnet(curthread->td_cred) != 0)
                                ~~~~~~~~~^
/usr/src/sys/sys/systm.h:165:8: note: forward declaration of 'struct thread'
struct thread;
       ^
1 error generated.
Comment 3 Hiren Panchasara freebsd_committer freebsd_triage 2016-12-22 19:59:32 UTC
I think you also need to include sys/pcpu.h to get curthread definition.

Can you try the patch with it and see if it does the right thing?
Comment 4 Hiren Panchasara freebsd_committer freebsd_triage 2017-01-02 09:08:54 UTC
diff --git a/sys/netinet/tcp_hostcache.c b/sys/netinet/tcp_hostcache.c
index bb2efda..8b1aab5 100644
--- a/sys/netinet/tcp_hostcache.c
+++ b/sys/netinet/tcp_hostcache.c
@@ -69,10 +69,12 @@ __FBSDID("$FreeBSD$");

 #include <sys/param.h>
 #include <sys/systm.h>
+#include <sys/jail.h>
 #include <sys/kernel.h>
 #include <sys/lock.h>
 #include <sys/mutex.h>
 #include <sys/malloc.h>
+#include <sys/pcpu.h>
 #include <sys/sbuf.h>
 #include <sys/socket.h>
 #include <sys/socketvar.h>
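Review bot: sys/pcpu.h added in this hunk supplies the curthread accessor but not the body of struct thread, so `curthread->td_cred` in the second hunk still dereferences an incomplete type; sys/proc.h is the header that defines struct thread and should be included instead of (or in addition to) sys/pcpu.h.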
@@ -625,6 +627,9 @@ sysctl_tcp_hc_list(SYSCTL_HANDLER_ARGS)
        char ip6buf[INET6_ADDRSTRLEN];
 #endif

+       if (jailed_without_vnet(curthread->td_cred) != 0)
+               return (EPERM);
+
        sbuf_new(&sb, NULL, linesize * (V_tcp_hostcache.cache_count + 1),
                SBUF_INCLUDENUL);
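Review bot: `td_cred` in this hunk is still the wrong member name; struct thread's credential field is `td_ucred`, so the check must be `if (jailed_without_vnet(curthread->td_ucred) != 0)` as in the version posted in comment 5. The rest of the hunk (early return before sbuf_new(), EPERM for classic jails, vnet jails unaffected) matches requirements (1) to (3) from comment 1.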

This compiles if anyone wants to test before I can get to it.
Comment 5 Hiren Panchasara freebsd_committer freebsd_triage 2017-01-02 09:11:45 UTC
(In reply to Hiren Panchasara from comment #4)
diff --git a/sys/netinet/tcp_hostcache.c b/sys/netinet/tcp_hostcache.c
index bb2efda..d27f2b5 100644
--- a/sys/netinet/tcp_hostcache.c
+++ b/sys/netinet/tcp_hostcache.c
@@ -69,10 +69,12 @@ __FBSDID("$FreeBSD$");

 #include <sys/param.h>
 #include <sys/systm.h>
+#include <sys/jail.h>
 #include <sys/kernel.h>
 #include <sys/lock.h>
 #include <sys/mutex.h>
 #include <sys/malloc.h>
+#include <sys/proc.h>
 #include <sys/sbuf.h>
 #include <sys/socket.h>
 #include <sys/socketvar.h>
@@ -625,6 +627,9 @@ sysctl_tcp_hc_list(SYSCTL_HANDLER_ARGS)
        char ip6buf[INET6_ADDRSTRLEN];
 #endif

+       if (jailed_without_vnet(curthread->td_ucred) != 0)
+               return (EPERM);
+
        sbuf_new(&sb, NULL, linesize * (V_tcp_hostcache.cache_count + 1),
                SBUF_INCLUDENUL);
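Review bot: the new check in this hunk carries no comment explaining the policy; a one-liner such as `/* A jail without its own vnet must not see the host's hostcache (PR 200361). */` above the `if` would record why EPERM is returned here and why vnet jails pass through to their own V_tcp_hostcache. Placing the check before sbuf_new() is correct, since nothing has been allocated on the error path.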

Correct version that compiles.
Comment 6 Lohith Bellad 2017-01-03 20:07:55 UTC
(In reply to Hiren Panchasara from comment #4)
Sure Hiren. Will test this diff.

Thanks,
Lohith
Comment 7 Lohith Bellad 2017-01-04 07:52:24 UTC
Verified the latest DIFF from hiren. Works as expected. Verified on 10.3-RELEASE.

Thanks,
Lohith
Comment 8 Lohith Bellad 2017-01-05 04:39:38 UTC
Verified the same on 12-CURRENT based jails. It works as expected.

-Lohith
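A check script of the kind used for the verification reported in comments 7 and 8, added here as an example rather than anything from the PR: it encodes the three requirements from comment 1 (host reads the list, classic jail gets EPERM, vnet jail still reads its own). It assumes sysctl(8) reports the refusal as "Operation not permitted"; the jail names and the file name hc_check.sh are placeholders.

```shell
#!/bin/sh
# Added example (not part of the PR): verify the three hostcache.list
# behaviours requested in Comment 1. Jail names come from the command line;
# matching "Operation not permitted" assumes sysctl(8)'s EPERM message text.
OID=net.inet.tcp.hostcache.list

# classify <exit-status> <stderr-text>: verdict for one sysctl(8) run.
#   ok    - oid readable (expected on the host and inside a vnet jail)
#   eperm - read refused (expected inside a classic jail once fixed)
#   other - anything else, e.g. the oid is absent on this kernel
classify() {
    if [ "$1" -eq 0 ]; then
        echo ok
    elif printf '%s' "$2" | grep -q 'Operation not permitted'; then
        echo eperm
    else
        echo other
    fi
}

# run_sysctl [jail]: read the oid on the host or via jexec(8); the listing
# itself is discarded, only stderr and the exit status are kept.
run_sysctl() {
    if [ -n "$1" ]; then
        err=$(jexec "$1" sysctl "$OID" 2>&1 >/dev/null) && st=0 || st=$?
    else
        err=$(sysctl "$OID" 2>&1 >/dev/null) && st=0 || st=$?
    fi
    classify "$st" "$err"
}

# check <label> <expected-verdict> [jail]: print PASS/FAIL, FAIL -> status 1.
check() {
    got=$(run_sysctl "$3")
    [ "$got" = "$2" ] && { echo "PASS $1: $got"; return 0; }
    echo "FAIL $1: expected $2, got $got"
    return 1
}

# Driver, run as root: sh hc_check.sh <classic-jail> [<vnet-jail>]
# Without arguments only the functions are defined, so the file can be sourced.
if [ $# -ge 1 ]; then
    rc=0
    check "host (1)" ok "" || rc=1
    check "classic jail (2)" eperm "$1" || rc=1
    [ $# -ge 2 ] && { check "vnet jail (3)" ok "$2" || rc=1; }
    exit $rc
fi
```

Before the fix the classic-jail case prints FAIL with verdict ok, because the jail can read the host's list; after it, all supplied cases should print PASS.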
Comment 9 Hiren Panchasara freebsd_committer freebsd_triage 2017-01-05 07:21:49 UTC
Thanks Lohith for testing. I've created a review https://reviews.freebsd.org/D9047
Comment 10 commit-hook freebsd_committer freebsd_triage 2017-01-05 17:22:49 UTC
A commit references this bug:

Author: hiren
Date: Thu Jan  5 17:22:09 UTC 2017
New revision: 311453
URL: https://svnweb.freebsd.org/changeset/base/311453

Log:
  sysctl net.inet.tcp.hostcache.list in a jail can see connections from other
  jails and the host. This commit fixes it.

  PR:		200361
  Submitted by:	bz (original version), hiren (minor corrections)
  Reported by:	Marcus Reid <marcus at blazingdot dot com>
  Reviewed by:	bz, gnn
  Tested by:	Lohith Bellad <lohithbsd at gmail dot com>
  MFC after:	1 week
  Sponsored by:	Limelight Networks (minor corrections)

Changes:
  head/sys/netinet/tcp_hostcache.c
Comment 11 commit-hook freebsd_committer freebsd_triage 2017-01-12 00:51:09 UTC
A commit references this bug:

Author: hiren
Date: Thu Jan 12 00:50:38 UTC 2017
New revision: 311955
URL: https://svnweb.freebsd.org/changeset/base/311955

Log:
  MFC r311453

  sysctl net.inet.tcp.hostcache.list in a jail can see connections from other
  jails and the host. This commit fixes it.

  PR:		200361

Changes:
_U  stable/11/
  stable/11/sys/netinet/tcp_hostcache.c