Launching a linux binary like tcsh as the initial command from jail(8) seems to cause a system reboot. The second occurrence is that in some circumstances _within_ jail(8) executing a linux binary causes the system to reboot in the same way. Because the machine in question is remote, I have not watched the console while this happens.

I suspect this bug could be exploited to take over the system or DoS it.

Linux binary:
bin/tcsh: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.0, dynamically linked (uses shared libs), stripped

Dmesg excerpt:
FreeBSD 6.0-RELEASE #0: Thu Nov 3 09:36:13 UTC 2005
root@x64.samsco.home:/usr/obj/usr/src/sys/GENERIC
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: Pentium Pro (199.74-MHz 686-class CPU)
Origin = "GenuineIntel" Id = 0x617 Stepping = 7
Features=0xf9ff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV>
real memory = 83881984 (79 MB)
avail memory = 72499200 (69 MB)
npx0: [FAST]
npx0: <math processor> on motherboard
npx0: INT 16 interface
cpu0 on motherboard

Will add to PR when I know more. Hopefully this issue will be remedied in 6.1.

Fix:
Be careful about linux binaries within jail(8). Don't trust jail(8) security too much.

How-To-Repeat:
Set up jail(8), use a linux binary as "init". The second occurrence is probably when I put linux system files. And then chroot to it within jail.
Responsible Changed From-To: freebsd-bugs->freebsd-emulation Over to maintainer(s).
Hi Peter,

> >Description:
> Launching a linux binary like tcsh as the initial command from
> jail(8) seems to cause a system reboot. The second occurrence is that
> in some circumstances _within_ jail(8) executing a linux binary
> causes the system to reboot in the same way. Because the machine in
> question is remote, I have not watched the console while this
> happens.

Can't reproduce on my 6.0-STABLE box and today's HEAD:

shy# uname -a
FreeBSD shy.macomnet.ru 6.0-STABLE FreeBSD 6.0-STABLE #0: Sun Jan 29 11:21:40 MSK 2006 maxim@shy.macomnet.ru:/usr/obj/usr/src/sys/GENERIC i386
shy# jail / test 127.0.0.1 /compat/linux/bin/bash
bash-2.05b# uname -a
Linux test 2.4.2 FreeBSD 6.0-STABLE #0: Sun Jan 29 11:21:40 MSK 2006 i586 i586 i386 GNU/Linux
bash-2.05b# exit

Could you verify that with the latest RELENG_6?

--
Maxim Konovalov
On Sat, 29 Apr 2006 18:10:22 GMT, Maxim Konovalov <maxim@macomnet.ru> wrote:

> > >Description:
> > Launching a linux binary like tcsh as the initial command from
> > jail(8) seems to cause a system reboot. The second occurrence is that
> > in some circumstances _within_ jail(8) executing a linux binary
> > causes the system to reboot in the same way. Because the machine in
> > question is remote, I have not watched the console while this
> > happens.
>
> Can't reproduce on my 6.0-STABLE box and today's HEAD:

Are those linux binaries by any chance static binaries with *no* brandelf of *Linux*?

Bye,
Alexander.

--
http://www.Leidinger.net Alexander @ Leidinger.net
GPG fingerprint = C518 BC70 E67F 143F BE91 3365 79E2 9C60 B006 3FE7
WL http://www.amazon.de/exec/obidos/registry/1FZ4DTHQE9PQ8/ref=wl_em_to/
>> >Description:
>> Launching a linux binary like tcsh as the initial command from
>> jail(8) seems to cause a system reboot. The second occurrence is that
>> in some circumstances _within_ jail(8) executing a linux binary
>> causes the system to reboot in the same way. Because the machine in
>> question is remote, I have not watched the console while this
>> happens.
>
>Can't reproduce on my 6.0-STABLE box and today's HEAD:
>
>shy# uname -a
>FreeBSD shy.macomnet.ru 6.0-STABLE FreeBSD 6.0-STABLE #0: Sun Jan 29
>11:21:40 MSK 2006 maxim@shy.macomnet.ru:/usr/obj/usr/src/sys/GENERIC i386
>shy# jail / test 127.0.0.1 /compat/linux/bin/bash
>bash-2.05b# uname -a
>Linux test 2.4.2 FreeBSD 6.0-STABLE #0: Sun Jan 29 11:21:40 MSK 2006
>i586 i586 i386 GNU/Linux
>bash-2.05b# exit
>
>Could you verify that with the latest RELENG_6?

I'll have to make a setup for that. Might take some days due to other tasks.

It might be that I set up the jail tree to not use compat. But rather have a complete linux system tree at jail root. I.e. linux files in /bin/ not /compat/linux/bin/

That way when software like Xilinx tries to modify/access /usr/X11R6 files it gets the linux files it expects.
On Sun, Apr 30, 2006 at 03:27:38PM +0200, Peter B wrote:

> >> >Description:
> >> Launching a linux binary like tcsh as the initial command from
> >> jail(8) seems to cause a system reboot. The second occurrence is that
> >> in some circumstances _within_ jail(8) executing a linux binary
> >> causes the system to reboot in the same way. Because the machine in
> >> question is remote, I have not watched the console while this
> >> happens.
> >
> >Can't reproduce on my 6.0-STABLE box and today's HEAD:
> >
> >shy# uname -a
> >FreeBSD shy.macomnet.ru 6.0-STABLE FreeBSD 6.0-STABLE #0: Sun Jan 29
> >11:21:40 MSK 2006 maxim@shy.macomnet.ru:/usr/obj/usr/src/sys/GENERIC i386
> >shy# jail / test 127.0.0.1 /compat/linux/bin/bash
> >bash-2.05b# uname -a
> >Linux test 2.4.2 FreeBSD 6.0-STABLE #0: Sun Jan 29 11:21:40 MSK 2006
> >i586 i586 i386 GNU/Linux
> >bash-2.05b# exit
> >
> >Could you verify that with the latest RELENG_6?
>
> I'll have to make a setup for that. Might take some days due to other tasks.
>
> It might be that I set up the jail tree to not use compat. But rather have
> a complete linux system tree at jail root. I.e. linux files in /bin/ not
> /compat/linux/bin/

It shouldn't matter as long as they are really linux binaries (i.e. brandelf(1) is correct). If they are linux binaries branded as FreeBSD then running them will easily reboot your machine (since one of the common linux syscalls has the same syscall number as reboot(2) on FreeBSD).

Kris
State Changed From-To: open->feedback Change severity to non-critical. This can't be reproduced (except for the known case of a mis-branded ELF binary). Wait for feedback/confirmation until closing this PR.
State Changed From-To: feedback->closed Got confirmation that it was a brandelf issue.
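Added example, not part of the original PR thread or of FreeBSD's tools: a check that reads the ELF brand byte (EI_OSABI, the byte brandelf(1) rewrites) and the PT_INTERP path of a 32-bit little-endian binary, and flags the mis-branding case closed out above as well as the static, unbranded case asked about earlier. The function names, verdict strings and sample images are assumptions made for this illustration; the samples are constructed headers, not real programs.

```python
import struct

EI_OSABI = 7                       # e_ident byte that brandelf(1) rewrites
OSABI = {0: "SYSV (unbranded)", 3: "Linux", 9: "FreeBSD"}
PT_INTERP = 3

def inspect_elf32(data):
    """Return (brand, interpreter, verdict) for a little-endian ELF32 image."""
    if len(data) < 52 or data[:4] != b"\x7fELF" or data[4:6] != b"\x01\x01":
        return None                # not ELF32 LSB: out of scope for this check
    osabi = data[EI_OSABI]
    e_phoff, = struct.unpack_from("<I", data, 28)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 42)
    interp = None
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 20 > len(data):
            break                  # truncated program header table
        p_type, p_offset, _, _, p_filesz = struct.unpack_from("<IIIII", data, off)
        if p_type == PT_INTERP:
            raw = data[p_offset:p_offset + p_filesz]
            interp = raw.rstrip(b"\0").decode("ascii", "replace")
    if interp and "ld-linux" in interp and osabi == 9:
        verdict = "MISBRANDED: Linux interpreter, FreeBSD brand"
    elif interp is None and osabi == 0:
        verdict = "REVIEW: static and unbranded"
    else:
        verdict = "ok"
    return OSABI.get(osabi, "other (%d)" % osabi), interp, verdict

def make_elf32(osabi, interp=None):
    """Constructed sample: a bare ELF32 header (+ PT_INTERP), not a real program."""
    path = interp.encode() + b"\0" if interp else b""
    ident = b"\x7fELF" + bytes([1, 1, 1, osabi]) + b"\0" * 8
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, 52, 0, 0,
                               52, 32, 1 if interp else 0, 0, 0, 0)
    phdr = struct.pack("<IIIIIIII", PT_INTERP, 84, 0, 0, len(path), len(path), 4, 1)
    return ehdr + (phdr + path if interp else b"")

if __name__ == "__main__":
    samples = {                    # constructed inputs mirroring the thread's cases
        "linux, branded Linux": make_elf32(3, "/lib/ld-linux.so.2"),
        "linux, branded FreeBSD": make_elf32(9, "/lib/ld-linux.so.2"),
        "static, no brand": make_elf32(0),
    }
    for name, image in samples.items():
        print(name, "->", inspect_elf32(image))
```

A static Linux binary that carries a FreeBSD brand has no PT_INTERP to compare against, so it passes this check; use it as a first filter over a jail tree before binaries there are run.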