Bug 96438 - [linux] Executing a linux binary within jail causes reboot.
Summary: [linux] Executing a linux binary within jail causes reboot.
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: 6.0-RELEASE
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: freebsd-emulation (Nobody)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2006-04-28 00:50 UTC by Peter
Modified: 2006-05-02 11:52 UTC
Description Peter 2006-04-28 00:50:19 UTC
Launching a linux binary like tcsh as the initial command from jail(8) seems
to cause a system reboot.

The second occurrence is that in some circumstances, _within_ jail(8), executing a
linux binary causes the system to reboot in the same way.  Because the machine
in question is remote, I have not watched the console while this happens.

I suspect this bug could be exploited to take over the system or DoS it.

Linux binary:
bin/tcsh: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for
GNU/Linux 2.2.0, dynamically linked (uses shared libs), stripped

Dmesg excerpt:
FreeBSD 6.0-RELEASE #0: Thu Nov  3 09:36:13 UTC 2005
    root@x64.samsco.home:/usr/obj/usr/src/sys/GENERIC
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: Pentium Pro (199.74-MHz 686-class CPU)
  Origin = "GenuineIntel"  Id = 0x617  Stepping = 7
  Features=0xf9ff<FPU,VME,DE,PSE,TSC,MSR,PAE,MCE,CX8,SEP,MTRR,PGE,MCA,CMOV>
real memory  = 83881984 (79 MB)
avail memory = 72499200 (69 MB)
npx0: [FAST]
npx0: <math processor> on motherboard
npx0: INT 16 interface
cpu0 on motherboard

Will add to PR when I know more. Hopefully this issue will be remedied in 6.1

Fix: 

Be careful about linux binaries within jail(8).
Don't trust jail(8) security too much.
How-To-Repeat: Set up jail(8), use a linux binary as "init".

The second occurrence is probably when I put linux system files in and then
chroot to them within the jail.
Comment 1 Mark Linimon freebsd_committer freebsd_triage 2006-04-28 01:17:13 UTC
Responsible Changed
From-To: freebsd-bugs->freebsd-emulation

Over to maintainer(s).
Comment 2 Maxim Konovalov 2006-04-29 19:06:00 UTC
Hi Peter,

> >Description:
> Launching a linux binary like tcsh as the initial command from
> jail(8) seems to cause a system reboot. The second occurrence is that in
> some circumstances _within_ jail(8) executing a linux binary causes
> the system to reboot in the same way. Because the machine in
> question is remote, I have not watched the console while this
> happens.

Can't reproduce on my 6.0-STABLE box and today's HEAD:

shy# uname -a
FreeBSD shy.macomnet.ru 6.0-STABLE FreeBSD 6.0-STABLE #0: Sun Jan 29
11:21:40 MSK 2006     maxim@shy.macomnet.ru:/usr/obj/usr/src/sys/GENERIC  i386
shy# jail / test 127.0.0.1 /compat/linux/bin/bash
bash-2.05b# uname -a
Linux test 2.4.2 FreeBSD 6.0-STABLE #0: Sun Jan 29 11:21:40 MSK 2006
i586 i586 i386 GNU/Linux
bash-2.05b# exit

Could you verify that with the latest RELENG_6?

-- 
Maxim Konovalov
Comment 3 Alexander Leidinger 2006-04-29 23:16:38 UTC
On Sat, 29 Apr 2006 18:10:22 GMT,
Maxim Konovalov <maxim@macomnet.ru> wrote:

>  > >Description:
>  > Launching a linux binary like tcsh as the initial command from
>  > jail(8) seems to cause a system reboot. The second occurrence is that in
>  > some circumstances _within_ jail(8) executing a linux binary causes
>  > the system to reboot in the same way. Because the machine in
>  > question is remote, I have not watched the console while this
>  > happens.
>  
>  Can't reproduce on my 6.0-STABLE box and today's HEAD:

Are those linux binaries by any chance static binaries with *no*
brandelf of *Linux*?

Bye,
Alexander.

-- 
http://www.Leidinger.net                       Alexander @ Leidinger.net
  GPG fingerprint = C518 BC70 E67F 143F BE91  3365 79E2 9C60 B006 3FE7
WL http://www.amazon.de/exec/obidos/registry/1FZ4DTHQE9PQ8/ref=wl_em_to/
Comment 4 Peter 2006-04-30 14:27:38 UTC
>> >Description:
>> Launching a linux binary like tcsh as the initial command from
>> jail(8) seems to cause a system reboot. The second occurrence is that in
>> some circumstances _within_ jail(8) executing a linux binary causes
>> the system to reboot in the same way. Because the machine in
>> question is remote, I have not watched the console while this
>> happens.
>
>Can't reproduce on my 6.0-STABLE box and today's HEAD:
>
>shy# uname -a
>FreeBSD shy.macomnet.ru 6.0-STABLE FreeBSD 6.0-STABLE #0: Sun Jan 29
>11:21:40 MSK 2006     maxim@shy.macomnet.ru:/usr/obj/usr/src/sys/GENERIC  i386
>shy# jail / test 127.0.0.1 /compat/linux/bin/bash
>bash-2.05b# uname -a
>Linux test 2.4.2 FreeBSD 6.0-STABLE #0: Sun Jan 29 11:21:40 MSK 2006
>i586 i586 i386 GNU/Linux
>bash-2.05b# exit
>
>Could you verify that with the latest RELENG_6?

I'll have to make a setup for that. Might take some days due to other tasks.

It might be that I set up the jail tree to not use compat, but rather have
a complete linux system tree at the jail root, i.e. linux files in /bin/ not
/compat/linux/bin/.

That way, when software like Xilinx tries to modify/access /usr/X11R6 files, it
gets the linux files it expects.
Comment 5 Kris Kennaway 2006-04-30 22:00:11 UTC
On Sun, Apr 30, 2006 at 03:27:38PM +0200, Peter B wrote:
> >> >Description:
> >> Launching a linux binary like tcsh as the initial command from
> >> jail(8) seems to cause a system reboot. The second occurrence is that in
> >> some circumstances _within_ jail(8) executing a linux binary causes
> >> the system to reboot in the same way. Because the machine in
> >> question is remote, I have not watched the console while this
> >> happens.
> >
> >Can't reproduce on my 6.0-STABLE box and today's HEAD:
> >
> >shy# uname -a
> >FreeBSD shy.macomnet.ru 6.0-STABLE FreeBSD 6.0-STABLE #0: Sun Jan 29
> >11:21:40 MSK 2006     maxim@shy.macomnet.ru:/usr/obj/usr/src/sys/GENERIC  i386
> >shy# jail / test 127.0.0.1 /compat/linux/bin/bash
> >bash-2.05b# uname -a
> >Linux test 2.4.2 FreeBSD 6.0-STABLE #0: Sun Jan 29 11:21:40 MSK 2006
> >i586 i586 i386 GNU/Linux
> >bash-2.05b# exit
> >
> >Could you verify that with the latest RELENG_6?
> 
> I'll have to make a setup for that. Might take some days due to other tasks.
> 
> It might be that I set up the jail tree to not use compat, but rather have
> a complete linux system tree at the jail root, i.e. linux files in /bin/ not
> /compat/linux/bin/.


It shouldn't matter as long as they are really linux binaries
(i.e. brandelf(1) is correct).  If they are linux binaries branded as
FreeBSD then running them will easily reboot your machine (since one
of the common linux syscalls has the same syscall number as reboot(2)
on FreeBSD).

Kris
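The branding check that Alexander and Kris point at, as an added example in Python (not code from this PR or from the FreeBSD tree): a small brandelf(1)-style inspector that reads the EI_OSABI byte and any GNU or FreeBSD ABI-tag note in a PT_NOTE segment, and flags an image that is neither OSABI-branded nor note-tagged as one that must get `brandelf -t Linux` before it is used as a jail's init or run inside it. `make_elf32` and the images it builds are constructed test inputs, not real binaries.

```python
import struct

PT_NOTE = 4
OSABI_NAMES = {0: "SYSV", 3: "Linux", 9: "FreeBSD"}

def _notes(data, phoff, phentsize, phnum):
    """Yield (name, type, desc) for each note in every PT_NOTE segment (ELF32 LE)."""
    for i in range(phnum):
        p_type, p_offset, _, _, p_filesz = struct.unpack_from("<IIIII", data, phoff + i * phentsize)
        pos, end = p_offset, p_offset + p_filesz
        while p_type == PT_NOTE and pos + 12 <= end:
            namesz, descsz, ntype = struct.unpack_from("<III", data, pos)
            pos += 12
            name = data[pos:pos + namesz].rstrip(b"\0").decode()
            pos += (namesz + 3) & ~3
            yield name, ntype, data[pos:pos + descsz]
            pos += (descsz + 3) & ~3

def elf_brand(data):
    """Classify an ELF32 image like brandelf(1): returns (osabi, note_brand, needs_branding)."""
    if data[:5] != b"\x7fELF\x01":          # magic + ELFCLASS32
        raise ValueError("not an ELF32 image")
    osabi = OSABI_NAMES.get(data[7], "unknown(%d)" % data[7])
    phoff, = struct.unpack_from("<I", data, 28)
    phentsize, phnum = struct.unpack_from("<HH", data, 42)
    note_brand = None
    for name, ntype, desc in _notes(data, phoff, phentsize, phnum):
        if name == "GNU" and ntype == 1 and struct.unpack_from("<I", desc)[0] == 0:
            note_brand = "Linux"            # NT_GNU_ABI_TAG with OS field 0 = Linux
        elif name == "FreeBSD" and ntype == 1:
            note_brand = "FreeBSD"          # NT_FREEBSD_ABI_TAG
    # Generic SYSV OSABI and no ABI note: nothing tells the kernel this is a Linux
    # program, so its Linux syscall numbers would be run through the FreeBSD table
    # (on i386, Linux fcntl(2) and FreeBSD reboot(2) both use number 55). That is
    # the mis-branded case from Comment 5; 'brandelf -t Linux' is needed first.
    needs_branding = osabi == "SYSV" and note_brand is None
    return osabi, note_brand, needs_branding

def make_elf32(osabi, note=None):
    """Constructed minimal ELF32 image (header + one PT_NOTE segment if note is given)."""
    ident = b"\x7fELF\x01\x01\x01" + bytes([osabi]) + b"\0" * 8
    body, phnum = b"", 0
    if note:
        name, ntype, desc = note[0].encode() + b"\0", note[1], note[2]
        body = struct.pack("<III", len(name), len(desc), ntype)
        body += name + b"\0" * (-len(name) % 4) + desc + b"\0" * (-len(desc) % 4)
        phnum = 1
    hdr = struct.pack("<16sHHIIIIIHHHHHH", ident, 2, 3, 1, 0, 52, 0, 0, 52, 32, phnum, 40, 0, 0)
    phdr = struct.pack("<IIIIIIII", PT_NOTE, 84, 0, 0, len(body), len(body), 4, 4) if note else b""
    return hdr + phdr + body
```

Run `elf_brand(open(path, "rb").read())` over every executable in the jail tree; anything that comes back with `needs_branding` set is the case Alexander asked about.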
Comment 6 Alexander Leidinger freebsd_committer freebsd_triage 2006-05-01 12:48:17 UTC
State Changed
From-To: open->feedback

Change severity to non-critical. This can't be reproduced (except for 
the known case of a mis-branded ELF binary). 

Wait for feedback/confirmation until closing this PR.
Comment 7 Alexander Leidinger freebsd_committer freebsd_triage 2006-05-02 11:52:22 UTC
State Changed
From-To: feedback->closed

Got confirmation that it was a brandelf issue.