From owner-freebsd-security@FreeBSD.ORG Mon Jan 20 11:37:23 2014
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id EC0A199D for ; Mon, 20 Jan 2014 11:37:23 +0000 (UTC)
Received: from ak47.hfbk-hamburg.de (ak47.hfbk-hamburg.de [193.174.241.201]) by mx1.freebsd.org (Postfix) with ESMTP id B1EFD11C0 for ; Mon, 20 Jan 2014 11:37:23 +0000 (UTC)
Received: from [192.168.66.150] (e179198249.adsl.alicedsl.de [85.179.198.249]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ak47.hfbk-hamburg.de (Postfix) with ESMTPSA id 884703497F for ; Mon, 20 Jan 2014 12:31:07 +0100 (CET)
Message-ID: <52DD08F7.1000306@hfbk-hamburg.de>
Date: Mon, 20 Jan 2014 12:31:03 +0100
From: sa9k063
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20131103 Icedove/17.0.10
MIME-Version: 1.0
To: freebsd-security@freebsd.org
Subject: portscans and blackhole
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Security issues \[members-only posting\]"
X-List-Received-Date: Mon, 20 Jan 2014 11:37:24 -0000

Hello,

can someone please explain: one of my boxes gets portscanned often by some likely infected laptops. While having set net.inet.tcp.blackhole=1, there are still messages like

+Limiting closed port RST response from 348 to 200 packets/sec

appearing. Are these RSTs actually sent out, or does this just pop up for some other reason? This is on 8.4-stable btw.
thanks,
Tee

From owner-freebsd-security@FreeBSD.ORG Mon Jan 20 15:30:38 2014
Date: Mon, 20 Jan 2014 16:30:34 +0100
From: krichy@cflinux.hu
To: Richard Kojedzinszky
Cc: freebsd-fs@freebsd.org, freebsd-security@freebsd.org
Subject: Re: ZFS .zfs DoS
Content-Type: multipart/mixed; boundary="=_e29d732e9be4cf639842cb9d8de74c22"

--=_e29d732e9be4cf639842cb9d8de74c22
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=UTF-8; format=flowed

Dear users,

I've worked out a patch for my known issues; please, somebody, test them and give recommendations and fixes.

Regards,

On 2014-01-17 03:11, Richard Kojedzinszky wrote:
> Dear users,
>
> For a long time now I've been investigating problems relating to FreeBSD
> ZFS .zfs handling, and found that I am not enough to fix issues.
> Until fixes arrive, unfortunately a regular user can DoS a FreeBSD system
> which has ZFS filesystems with the attached script. While the script
> expects a snapshot argument to be given, actually the first test case
> does not need that; only a mounted zfs filesystem is enough. For more
> of the tests a snapshot may be needed, and later ones need a root
> account also.
>
> I would recommend that until this gets rewritten or fixed at all, one
> should disable access to .zfs at all with something like I've attached.
>
> Regards,
> Kojedzinszky Richard

--=_e29d732e9be4cf639842cb9d8de74c22
Content-Transfer-Encoding: base64
Content-Type: text/x-diff; name=gfs-4.patch
Content-Disposition: attachment; filename=gfs-4.patch; size=11842

Y29tbWl0IGY1NmQ2NTk2Yjc5YzliYTc2ODUxZWU2YmVhMjI1ZjIyY2M5ZjBhMjYKQXV0aG9yOiBS
aWNoYXJkIEtvamVkemluc3preSA8a3JpY2h5QGNmbGludXguaHU+CkRhdGU6ICAgRnJpIEphbiAx
NyAyMjo1NzozMyAyMDE0ICswMTAwCgogICAgWkZTL0dGUyBoYW5kbGluZyBmaXhlcwoKZGlmZiAt
LWdpdCBhL3N5cy9jZGRsL2NvbXBhdC9vcGVuc29sYXJpcy9rZXJuL29wZW5zb2xhcmlzX2xvb2t1
cC5jIGIvc3lzL2NkZGwvY29tcGF0L29wZW5zb2xhcmlzL2tlcm4vb3BlbnNvbGFyaXNfbG9va3Vw
LmMKaW5kZXggOTQzODNkNi4uNGNhYzA1MyAxMDA2NDQKLS0tIGEvc3lzL2NkZGwvY29tcGF0L29w
ZW5zb2xhcmlzL2tlcm4vb3BlbnNvbGFyaXNfbG9va3VwLmMKKysrIGIvc3lzL2NkZGwvY29tcGF0
L29wZW5zb2xhcmlzL2tlcm4vb3BlbnNvbGFyaXNfbG9va3VwLmMKQEAgLTgxLDYgKzgxLDggQEAg
dHJhdmVyc2Uodm5vZGVfdCAqKmN2cHAsIGludCBsa3R5cGUpCiAJICogcHJvZ3Jlc3Mgb24gdGhp
cyB2bm9kZS4KIAkgKi8KIAorCXZuX2xvY2soY3ZwLCBsa3R5cGUpOworCiAJZm9yICg7Oykgewog
CQkvKgogCQkgKiBSZWFjaGVkIHRoZSBlbmQgb2YgdGhlIG1vdW50IGNoYWluPwpAQCAtODksMTMg
KzkxLDcgQEAgdHJhdmVyc2Uodm5vZGVfdCAqKmN2cHAsIGludCBsa3R5cGUpCiAJCWlmICh2ZnNw
ID09IE5VTEwpCiAJCQlicmVhazsKIAkJZXJyb3IgPSB2ZnNfYnVzeSh2ZnNwLCAwKTsKLQkJLyoK
LQkJICogdHZwIGlzIE5VTEwgZm9yICpjdnBwIHZub2RlLCB3aGljaCB3ZSBjYW4ndCB1bmxvY2su
Ci0JCSAqLwotCQlpZiAodHZwICE9IE5VTEwpCi0JCQl2cHV0KGN2cCk7Ci0JCWVsc2UKLQkJCXZy
ZWxlKGN2cCk7CisJCVZPUF9VTkxPQ0soY3ZwLCAwKTsKIAkJaWYgKGVycm9yKQogCQkJcmV0dXJu
IChlcnJvcik7CiAKQEAgLTEwNyw2ICsxMDMsOSBAQCB0cmF2ZXJzZSh2bm9kZV90ICoqY3ZwcCwg aW50IGxrdHlwZSkKIAkJdmZzX3VuYnVzeSh2ZnNwKTsKIAkJaWYgKGVycm9yICE9IDApCiAJCQly ZXR1cm4gKGVycm9yKTsKKworCQlWTl9SRUxFKGN2cCk7CisKIAkJY3ZwID0gdHZwOwogCX0KIApk aWZmIC0tZ2l0IGEvc3lzL2NkZGwvY29tcGF0L29wZW5zb2xhcmlzL2tlcm4vb3BlbnNvbGFyaXNf dmZzLmMgYi9zeXMvY2RkbC9jb21wYXQvb3BlbnNvbGFyaXMva2Vybi9vcGVuc29sYXJpc192ZnMu YwppbmRleCBhMjUzMmY4Li5jMzAyYTU0IDEwMDY0NAotLS0gYS9zeXMvY2RkbC9jb21wYXQvb3Bl bnNvbGFyaXMva2Vybi9vcGVuc29sYXJpc192ZnMuYworKysgYi9zeXMvY2RkbC9jb21wYXQvb3Bl bnNvbGFyaXMva2Vybi9vcGVuc29sYXJpc192ZnMuYwpAQCAtMTk0LDEwICsxOTQsOCBAQCBtb3Vu dF9zbmFwc2hvdChrdGhyZWFkX3QgKnRkLCB2bm9kZV90ICoqdnBwLCBjb25zdCBjaGFyICpmc3R5 cGUsIGNoYXIgKmZzcGF0aCwKIAkJVklfTE9DSyh2cCk7CiAJCXZwLT52X2lmbGFnICY9IH5WSV9N T1VOVDsKIAkJVklfVU5MT0NLKHZwKTsKLQkJdnJlbGUodnApOwogCQl2ZnNfdW5idXN5KG1wKTsK IAkJdmZzX21vdW50X2Rlc3Ryb3kobXApOwotCQkqdnBwID0gTlVMTDsKIAkJcmV0dXJuIChlcnJv cik7CiAJfQogCkBAIC0yMjgsNyArMjI2LDcgQEAgbW91bnRfc25hcHNob3Qoa3RocmVhZF90ICp0 ZCwgdm5vZGVfdCAqKnZwcCwgY29uc3QgY2hhciAqZnN0eXBlLCBjaGFyICpmc3BhdGgsCiAJdmZz X2V2ZW50X3NpZ25hbChOVUxMLCBWUV9NT1VOVCwgMCk7CiAJaWYgKFZGU19ST09UKG1wLCBMS19F WENMVVNJVkUsICZtdnApKQogCQlwYW5pYygibW91bnQ6IGxvc3QgbW91bnQiKTsKLQl2cHV0KHZw KTsKKwlWT1BfVU5MT0NLKHZwLCAwKTsKIAl2ZnNfdW5idXN5KG1wKTsKIAkqdnBwID0gbXZwOwog CXJldHVybiAoMCk7CmRpZmYgLS1naXQgYS9zeXMvY2RkbC9jb250cmliL29wZW5zb2xhcmlzL3V0 cy9jb21tb24vZnMvZ2ZzLmMgYi9zeXMvY2RkbC9jb250cmliL29wZW5zb2xhcmlzL3V0cy9jb21t b24vZnMvZ2ZzLmMKaW5kZXggNTk5NDRhMS4uMjllYzQ1NCAxMDA2NDQKLS0tIGEvc3lzL2NkZGwv Y29udHJpYi9vcGVuc29sYXJpcy91dHMvY29tbW9uL2ZzL2dmcy5jCisrKyBiL3N5cy9jZGRsL2Nv bnRyaWIvb3BlbnNvbGFyaXMvdXRzL2NvbW1vbi9mcy9nZnMuYwpAQCAtNDQ4LDcgKzQ0OCw2IEBA IGdmc19sb29rdXBfZG90KHZub2RlX3QgKip2cHAsIHZub2RlX3QgKmR2cCwgdm5vZGVfdCAqcHZw LCBjb25zdCBjaGFyICpubSkKIAkJCVZOX0hPTEQocHZwKTsKIAkJCSp2cHAgPSBwdnA7CiAJCX0K LQkJdm5fbG9jaygqdnBwLCBMS19FWENMVVNJVkUgfCBMS19SRVRSWSk7CiAJCXJldHVybiAoMCk7 
CiAJfQogCkBAIC00ODUsNiArNDg0LDcgQEAgZ2ZzX2ZpbGVfY3JlYXRlKHNpemVfdCBzaXplLCB2 bm9kZV90ICpwdnAsIHZmc190ICp2ZnNwLCB2bm9kZW9wc190ICpvcHMpCiAJZnAgPSBrbWVtX3ph bGxvYyhzaXplLCBLTV9TTEVFUCk7CiAJZXJyb3IgPSBnZXRuZXd2bm9kZSgiemZzIiwgdmZzcCwg b3BzLCAmdnApOwogCUFTU0VSVChlcnJvciA9PSAwKTsKKwlWTl9MT0NLX0FTSEFSRSh2cCk7CiAJ dm5fbG9jayh2cCwgTEtfRVhDTFVTSVZFIHwgTEtfUkVUUlkpOwogCXZwLT52X2RhdGEgPSAoY2Fk ZHJfdClmcDsKIApAQCAtNDk2LDkgKzQ5Niw5IEBAIGdmc19maWxlX2NyZWF0ZShzaXplX3Qgc2l6 ZSwgdm5vZGVfdCAqcHZwLCB2ZnNfdCAqdmZzcCwgdm5vZGVvcHNfdCAqb3BzKQogCWZwLT5nZnNf c2l6ZSA9IHNpemU7CiAJZnAtPmdmc190eXBlID0gR0ZTX0ZJTEU7CiAKLQl2cC0+dl92ZmxhZyB8 PSBWVl9GT1JDRUlOU01ROworCXZwLT52X3ZmbGFnIHw9IFZWX0ZPUkNFSU5TTVEgfCBWVl9JTlNN UUhFQUQ7CiAJZXJyb3IgPSBpbnNtbnRxdWUodnAsIHZmc3ApOwotCXZwLT52X3ZmbGFnICY9IH5W Vl9GT1JDRUlOU01ROworCXZwLT52X3ZmbGFnICY9IH4oVlZfRk9SQ0VJTlNNUSB8IFZWX0lOU01R SEVBRCk7CiAJS0FTU0VSVChlcnJvciA9PSAwLCAoImluc21udHF1ZSgpIGZhaWxlZDogZXJyb3Ig JWQiLCBlcnJvcikpOwogCiAJLyoKQEAgLTYzNywxMiArNjM3LDcgQEAgZ2ZzX2ZpbGVfaW5hY3Rp dmUodm5vZGVfdCAqdnApCiAJaWYgKGZwLT5nZnNfcGFyZW50ID09IE5VTEwgfHwgKHZwLT52X2Zs YWcgJiBWX1hBVFRSRElSKSkKIAkJZ290byBmb3VuZDsKIAotCS8qCi0JICogWFhYIGNvcGUgd2l0 aCBhIEZyZWVCU0Qtc3BlY2lmaWMgcmFjZSB3aGVyZWluIHRoZSBwYXJlbnQncwotCSAqIHNuYXBz aG90IGRhdGEgY2FuIGJlIGZyZWVkIGJlZm9yZSB0aGUgcGFyZW50IGlzCi0JICovCi0JaWYgKChk cCA9IGZwLT5nZnNfcGFyZW50LT52X2RhdGEpID09IE5VTEwpCi0JCXJldHVybiAoTlVMTCk7CisJ ZHAgPSBmcC0+Z2ZzX3BhcmVudC0+dl9kYXRhOwogCiAJLyoKIAkgKiBGaXJzdCwgc2VlIGlmIHRo aXMgdm5vZGUgaXMgY2FjaGVkIGluIHRoZSBwYXJlbnQuCkBAIC02NjksMzcgKzY2NCw0NCBAQCBm b3VuZDoKIAlpZiAodnAtPnZfZmxhZyAmIFZfWEFUVFJESVIpCiAJCVZJX0xPQ0soZnAtPmdmc19w YXJlbnQpOwogI2VuZGlmCi0JVklfTE9DSyh2cCk7Ci0JLyoKLQkgKiBSZWFsbHkgcmVtb3ZlIHRo aXMgdm5vZGUKLQkgKi8KLQlkYXRhID0gdnAtPnZfZGF0YTsKLQlpZiAoZ2UgIT0gTlVMTCkgewor CWlmICh2cC0+dl9jb3VudCA9PSAwIHx8IHZwLT52X2lmbGFnICYgVklfRE9PTUVEKSB7CiAJCS8q Ci0JCSAqIElmIHRoaXMgd2FzIGEgc3RhdGljYWxseSBjYWNoZWQgZW50cnksIHNpbXBseSBzZXQg 
dGhlCi0JCSAqIGNhY2hlZCB2bm9kZSB0byBOVUxMLgorCQkgKiBSZWFsbHkgcmVtb3ZlIHRoaXMg dm5vZGUKIAkJICovCi0JCWdlLT5nZnNlX3Zub2RlID0gTlVMTDsKLQl9Ci0JVklfVU5MT0NLKHZw KTsKKwkJZGF0YSA9IHZwLT52X2RhdGE7CisJCWlmIChnZSAhPSBOVUxMKSB7CisJCQkvKgorCQkJ ICogSWYgdGhpcyB3YXMgYSBzdGF0aWNhbGx5IGNhY2hlZCBlbnRyeSwgc2ltcGx5IHNldCB0aGUK KwkJCSAqIGNhY2hlZCB2bm9kZSB0byBOVUxMLgorCQkJICovCisJCQlnZS0+Z2ZzZV92bm9kZSA9 IE5VTEw7CisJCX0KKyNpZmRlZiBUT0RPCisJCWlmICh2cC0+dl9mbGFnICYgVl9YQVRUUkRJUikK KwkJCVZJX1VOTE9DSyhmcC0+Z2ZzX3BhcmVudCk7CisjZW5kaWYKIAotCS8qCi0JICogRnJlZSB2 bm9kZSBhbmQgcmVsZWFzZSBwYXJlbnQKLQkgKi8KLQlpZiAoZnAtPmdmc19wYXJlbnQpIHsKLQkJ aWYgKGRwKQotCQkJZ2ZzX2Rpcl91bmxvY2soZHApOwotCQlWT1BfVU5MT0NLKHZwLCAwKTsKLQkJ Vk5fUkVMRShmcC0+Z2ZzX3BhcmVudCk7Ci0JCXZuX2xvY2sodnAsIExLX0VYQ0xVU0lWRSB8IExL X1JFVFJZKTsKKwkJLyoKKwkJICogRnJlZSB2bm9kZSBhbmQgcmVsZWFzZSBwYXJlbnQKKwkJICov CisJCWlmIChmcC0+Z2ZzX3BhcmVudCkgeworCQkJaWYgKGRwKQorCQkJCWdmc19kaXJfdW5sb2Nr KGRwKTsKKwkJCVZOX1JFTEUoZnAtPmdmc19wYXJlbnQpOworCQl9IGVsc2UgeworCQkJQVNTRVJU KHZwLT52X3Zmc3AgIT0gTlVMTCk7CisJCQlWRlNfUkVMRSh2cC0+dl92ZnNwKTsKKwkJfQogCX0g ZWxzZSB7Ci0JCUFTU0VSVCh2cC0+dl92ZnNwICE9IE5VTEwpOwotCQlWRlNfUkVMRSh2cC0+dl92 ZnNwKTsKLQl9CisJCWRhdGEgPSBOVUxMOwogI2lmZGVmIFRPRE8KLQlpZiAodnAtPnZfZmxhZyAm IFZfWEFUVFJESVIpCi0JCVZJX1VOTE9DSyhmcC0+Z2ZzX3BhcmVudCk7CisJCWlmICh2cC0+dl9m bGFnICYgVl9YQVRUUkRJUikKKwkJCVZJX1VOTE9DSyhmcC0+Z2ZzX3BhcmVudCk7CiAjZW5kaWYK KwkJaWYgKGRwKQorCQkJZ2ZzX2Rpcl91bmxvY2soZHApOworCX0KKwogCXJldHVybiAoZGF0YSk7 CiB9CiAKQEAgLTEyMzAsMTYgKzEyMzIsMTUgQEAgZ2ZzX3ZvcF9pbmFjdGl2ZShhcCkKIHsKIAl2 bm9kZV90ICp2cCA9IGFwLT5hX3ZwOwogCWdmc19maWxlX3QgKmZwID0gdnAtPnZfZGF0YTsKKwl2 b2lkICpkYXRhOwogCiAJaWYgKGZwLT5nZnNfdHlwZSA9PSBHRlNfRElSKQotCQlnZnNfZGlyX2lu YWN0aXZlKHZwKTsKKwkJZGF0YSA9IGdmc19kaXJfaW5hY3RpdmUodnApOwogCWVsc2UKLQkJZ2Zz X2ZpbGVfaW5hY3RpdmUodnApOworCQlkYXRhID0gZ2ZzX2ZpbGVfaW5hY3RpdmUodnApOwogCi0J VklfTE9DSyh2cCk7Ci0JdnAtPnZfZGF0YSA9IE5VTEw7Ci0JVklfVU5MT0NLKHZwKTsKLQlrbWVt 
X2ZyZWUoZnAsIGZwLT5nZnNfc2l6ZSk7CisJaWYgKGRhdGEgIT0gTlVMTCkKKwkJa21lbV9mcmVl KGRhdGEsIGZwLT5nZnNfc2l6ZSk7CiAKIAlyZXR1cm4gKDApOwogfQpkaWZmIC0tZ2l0IGEvc3lz L2NkZGwvY29udHJpYi9vcGVuc29sYXJpcy91dHMvY29tbW9uL2ZzL3pmcy96ZnNfY3RsZGlyLmMg Yi9zeXMvY2RkbC9jb250cmliL29wZW5zb2xhcmlzL3V0cy9jb21tb24vZnMvemZzL3pmc19jdGxk aXIuYwppbmRleCAyOGFiMWZhLi4xNWE1NWQyIDEwMDY0NAotLS0gYS9zeXMvY2RkbC9jb250cmli L29wZW5zb2xhcmlzL3V0cy9jb21tb24vZnMvemZzL3pmc19jdGxkaXIuYworKysgYi9zeXMvY2Rk bC9jb250cmliL29wZW5zb2xhcmlzL3V0cy9jb21tb24vZnMvemZzL3pmc19jdGxkaXIuYwpAQCAt NjEyLDcgKzYxMiw3IEBAIHpmc2N0bF9mcmVlYnNkX3Jvb3RfbG9va3VwKGFwKQogCiAJZXJyID0g emZzY3RsX3Jvb3RfbG9va3VwKGR2cCwgbm0sIHZwcCwgTlVMTCwgMCwgTlVMTCwgY3IsIE5VTEws IE5VTEwsIE5VTEwpOwogCWlmIChlcnIgPT0gMCAmJiAobm1bMF0gIT0gJy4nIHx8IG5tWzFdICE9 ICdcMCcpKQotCQl2bl9sb2NrKCp2cHAsIExLX0VYQ0xVU0lWRSB8IExLX1JFVFJZKTsKKwkJZXJy ID0gdm5fbG9jaygqdnBwLCBhcC0+YV9jbnAtPmNuX2xrZmxhZ3MpOwogCXJldHVybiAoZXJyKTsK IH0KIApAQCAtOTc1LDggKzk3NSwxMSBAQCB6ZnNjdGxfc25hcGRpcl9sb29rdXAoYXApCiAJWkZT X0VOVEVSKHpmc3Zmcyk7CiAKIAlpZiAoZ2ZzX2xvb2t1cF9kb3QodnBwLCBkdnAsIHpmc3Zmcy0+ el9jdGxkaXIsIG5tKSA9PSAwKSB7CisJCWVyciA9IDA7CisJCWlmIChubVswXSAhPSAnLicgfHwg bm1bMV0gIT0gJ1wwJykKKwkJCWVyciA9IHZuX2xvY2soKnZwcCwgYXAtPmFfY25wLT5jbl9sa2Zs YWdzKTsKIAkJWkZTX0VYSVQoemZzdmZzKTsKLQkJcmV0dXJuICgwKTsKKwkJcmV0dXJuIChlcnIp OwogCX0KIAogCWlmIChmbGFncyAmIEZJR05PUkVDQVNFKSB7CkBAIC0xMDA0LDcgKzEwMDcsNyBA QCB6ZnNjdGxfc25hcGRpcl9sb29rdXAoYXApCiAJaWYgKChzZXAgPSBhdmxfZmluZCgmc2RwLT5z ZF9zbmFwcywgJnNlYXJjaCwgJndoZXJlKSkgIT0gTlVMTCkgewogCQkqdnBwID0gc2VwLT5zZV9y b290OwogCQlWTl9IT0xEKCp2cHApOwotCQllcnIgPSB0cmF2ZXJzZSh2cHAsIExLX0VYQ0xVU0lW RSB8IExLX1JFVFJZKTsKKwkJZXJyID0gdHJhdmVyc2UodnBwLCBhcC0+YV9jbnAtPmNuX2xrZmxh Z3MpOwogCQlpZiAoZXJyICE9IDApIHsKIAkJCVZOX1JFTEUoKnZwcCk7CiAJCQkqdnBwID0gTlVM TDsKQEAgLTEwMTMsNiArMTAxNiw4IEBAIHpmc2N0bF9zbmFwZGlyX2xvb2t1cChhcCkKIAkJCSAq IFRoZSBzbmFwc2hvdCB3YXMgdW5tb3VudGVkIGJlaGluZCBvdXIgYmFja3MsCiAJCQkgKiB0cnkg 
dG8gcmVtb3VudCBpdC4KIAkJCSAqLworCQkJVk5fSE9MRCgqdnBwKTsKKwkJCVZPUF9VTkxPQ0so KnZwcCwgMCk7CiAJCQlWRVJJRlkoemZzY3RsX3NuYXBzaG90X3puYW1lKGR2cCwgbm0sIE1BWE5B TUVMRU4sIHNuYXBuYW1lKSA9PSAwKTsKIAkJCWdvdG8gZG9tb3VudDsKIAkJfSBlbHNlIHsKQEAg LTEwNjQsNyArMTA2OSw2IEBAIHpmc2N0bF9zbmFwZGlyX2xvb2t1cChhcCkKIAlzZXAtPnNlX25h bWUgPSBrbWVtX2FsbG9jKHN0cmxlbihubSkgKyAxLCBLTV9TTEVFUCk7CiAJKHZvaWQpIHN0cmNw eShzZXAtPnNlX25hbWUsIG5tKTsKIAkqdnBwID0gc2VwLT5zZV9yb290ID0gemZzY3RsX3NuYXBz aG90X21rbm9kZShkdnAsIGRtdV9vYmpzZXRfaWQoc25hcCkpOwotCVZOX0hPTEQoKnZwcCk7CiAJ YXZsX2luc2VydCgmc2RwLT5zZF9zbmFwcywgc2VwLCB3aGVyZSk7CiAKIAlkbXVfb2Jqc2V0X3Jl bGUoc25hcCwgRlRBRyk7CkBAIC0xMDkxLDcgKzEwOTUsNiBAQCBkb21vdW50OgogCW11dGV4X2V4 aXQoJnNkcC0+c2RfbG9jayk7CiAJWkZTX0VYSVQoemZzdmZzKTsKIAotI2lmZGVmIGlsbHVtb3MK IAkvKgogCSAqIElmIHdlIGhhZCBhbiBlcnJvciwgZHJvcCBvdXIgaG9sZCBvbiB0aGUgdm5vZGUg YW5kCiAJICogemZzY3RsX3NuYXBzaG90X2luYWN0aXZlKCkgd2lsbCBjbGVhbiB1cC4KQEAgLTEx MDAsMTAgKzExMDMsNiBAQCBkb21vdW50OgogCQlWTl9SRUxFKCp2cHApOwogCQkqdnBwID0gTlVM TDsKIAl9Ci0jZWxzZQotCWlmIChlcnIgIT0gMCkKLQkJKnZwcCA9IE5VTEw7Ci0jZW5kaWYKIAly ZXR1cm4gKGVycik7CiB9CiAKQEAgLTExMzAsOCArMTEyOSwxMSBAQCB6ZnNjdGxfc2hhcmVzX2xv b2t1cChhcCkKIAlzdHJsY3B5KG5tLCBjbnAtPmNuX25hbWVwdHIsIGNucC0+Y25fbmFtZWxlbiAr IDEpOwogCiAJaWYgKGdmc19sb29rdXBfZG90KHZwcCwgZHZwLCB6ZnN2ZnMtPnpfY3RsZGlyLCBu bSkgPT0gMCkgeworCQllcnJvciA9IDA7CisJCWlmIChubVswXSAhPSAnLicgfHwgbm1bMV0gIT0g J1wwJykKKwkJCWVycm9yID0gdm5fbG9jaygqdnBwLCBhcC0+YV9jbnAtPmNuX2xrZmxhZ3MpOwog CQlaRlNfRVhJVCh6ZnN2ZnMpOwotCQlyZXR1cm4gKDApOworCQlyZXR1cm4gKGVycm9yKTsKIAl9 CiAKIAlpZiAoemZzdmZzLT56X3NoYXJlc19kaXIgPT0gMCkgewpAQCAtMTM0NCwyMiArMTM0Niwx NSBAQCB6ZnNjdGxfc25hcGRpcl9pbmFjdGl2ZShhcCkKIAl2bm9kZV90ICp2cCA9IGFwLT5hX3Zw OwogCXpmc2N0bF9zbmFwZGlyX3QgKnNkcCA9IHZwLT52X2RhdGE7CiAJemZzX3NuYXBlbnRyeV90 ICpzZXA7Ci0KLQkvKgotCSAqIE9uIGZvcmNlZCB1bm1vdW50IHdlIGhhdmUgdG8gZnJlZSBzbmFw c2hvdHMgZnJvbSBoZXJlLgotCSAqLwotCW11dGV4X2VudGVyKCZzZHAtPnNkX2xvY2spOwotCXdo 
aWxlICgoc2VwID0gYXZsX2ZpcnN0KCZzZHAtPnNkX3NuYXBzKSkgIT0gTlVMTCkgewotCQlhdmxf cmVtb3ZlKCZzZHAtPnNkX3NuYXBzLCBzZXApOwotCQlrbWVtX2ZyZWUoc2VwLT5zZV9uYW1lLCBz dHJsZW4oc2VwLT5zZV9uYW1lKSArIDEpOwotCQlrbWVtX2ZyZWUoc2VwLCBzaXplb2YgKHpmc19z bmFwZW50cnlfdCkpOworCXZvaWQgKnByaXZhdGU7CisKKwlwcml2YXRlID0gZ2ZzX2Rpcl9pbmFj dGl2ZSh2cCk7CisJaWYgKHByaXZhdGUgIT0gTlVMTCkgeworCQlBU1NFUlQoYXZsX251bW5vZGVz KCZzZHAtPnNkX3NuYXBzKSA9PSAwKTsKKwkJbXV0ZXhfZGVzdHJveSgmc2RwLT5zZF9sb2NrKTsK KwkJYXZsX2Rlc3Ryb3koJnNkcC0+c2Rfc25hcHMpOworCQlrbWVtX2ZyZWUocHJpdmF0ZSwgc2l6 ZW9mICh6ZnNjdGxfc25hcGRpcl90KSk7CiAJfQotCW11dGV4X2V4aXQoJnNkcC0+c2RfbG9jayk7 Ci0JZ2ZzX2Rpcl9pbmFjdGl2ZSh2cCk7Ci0JQVNTRVJUKGF2bF9udW1ub2Rlcygmc2RwLT5zZF9z bmFwcykgPT0gMCk7Ci0JbXV0ZXhfZGVzdHJveSgmc2RwLT5zZF9sb2NrKTsKLQlhdmxfZGVzdHJv eSgmc2RwLT5zZF9zbmFwcyk7Ci0Ja21lbV9mcmVlKHNkcCwgc2l6ZW9mICh6ZnNjdGxfc25hcGRp cl90KSk7CiAKIAlyZXR1cm4gKDApOwogfQpAQCAtMTQ0MSw3ICsxNDM2LDYgQEAgemZzY3RsX3Nu YXBzaG90X21rbm9kZSh2bm9kZV90ICpwdnAsIHVpbnQ2NF90IG9ianNldCkKIAogCXZwID0gZ2Zz X2Rpcl9jcmVhdGUoc2l6ZW9mICh6ZnNjdGxfbm9kZV90KSwgcHZwLCBwdnAtPnZfdmZzcCwKIAkg ICAgJnpmc2N0bF9vcHNfc25hcHNob3QsIE5VTEwsIE5VTEwsIE1BWE5BTUVMRU4sIE5VTEwsIE5V TEwpOwotCVZOX0hPTEQodnApOwogCXpjcCA9IHZwLT52X2RhdGE7CiAJemNwLT56Y19pZCA9IG9i anNldDsKIAlWT1BfVU5MT0NLKHZwLCAwKTsKQEAgLTE0NjIsMTggKzE0NTYsMjUgQEAgemZzY3Rs X3NuYXBzaG90X2luYWN0aXZlKGFwKQogCXpmc2N0bF9zbmFwZGlyX3QgKnNkcDsKIAl6ZnNfc25h cGVudHJ5X3QgKnNlcCwgKm5leHQ7CiAJaW50IGxvY2tlZDsKLQl2bm9kZV90ICpkdnA7CisJZ2Zz X2Rpcl90ICpkcCA9IHZwLT52X2RhdGE7CisJdm5vZGVfdCAqZHZwID0gZHAtPmdmc2RfZmlsZS5n ZnNfcGFyZW50OwogCi0JaWYgKHZwLT52X2NvdW50ID4gMCkKLQkJZ290byBlbmQ7Ci0KLQlWRVJJ RlkoZ2ZzX2Rpcl9sb29rdXAodnAsICIuLiIsICZkdnAsIGNyLCAwLCBOVUxMLCBOVUxMKSA9PSAw KTsKKwlWTl9IT0xEKGR2cCk7CisJVk9QX1VOTE9DSyh2cCwgMCk7CiAJc2RwID0gZHZwLT52X2Rh dGE7Ci0JVk9QX1VOTE9DSyhkdnAsIDApOwogCiAJaWYgKCEobG9ja2VkID0gTVVURVhfSEVMRCgm c2RwLT5zZF9sb2NrKSkpCiAJCW11dGV4X2VudGVyKCZzZHAtPnNkX2xvY2spOwogCisJdm5fbG9j 
ayh2cCwgTEtfRVhDTFVTSVZFIHwgTEtfUkVUUlkpOworCisJaWYgKHZwLT52X2NvdW50ID4gMCkg eworCQlpZiAoIWxvY2tlZCkKKwkJCW11dGV4X2V4aXQoJnNkcC0+c2RfbG9jayk7CisJCVZOX1JF TEUoZHZwKTsKKwkJcmV0dXJuKDApOworCX0KKwogCUFTU0VSVCghdm5faXNtbnRwdCh2cCkpOwog CiAJc2VwID0gYXZsX2ZpcnN0KCZzZHAtPnNkX3NuYXBzKTsKQEAgLTE0OTQsNyArMTQ5NSw2IEBA IHpmc2N0bF9zbmFwc2hvdF9pbmFjdGl2ZShhcCkKIAkJbXV0ZXhfZXhpdCgmc2RwLT5zZF9sb2Nr KTsKIAlWTl9SRUxFKGR2cCk7CiAKLWVuZDoKIAkvKgogCSAqIERpc3Bvc2Ugb2YgdGhlIHZub2Rl IGZvciB0aGUgc25hcHNob3QgbW91bnQgcG9pbnQuCiAJICogVGhpcyBpcyBzYWZlIHRvIGRvIGJl Y2F1c2Ugb25jZSB0aGlzIGVudHJ5IGhhcyBiZWVuIHJlbW92ZWQKQEAgLTE1ODgsNyArMTU4OCw3 IEBAIHpmc2N0bF9zbmFwc2hvdF9sb29rdXAoYXApCiAJZXJyb3IgPSB6ZnNjdGxfcm9vdF9sb29r dXAoemZzdmZzLT56X2N0bGRpciwgInNuYXBzaG90IiwgdnBwLAogCSAgICBOVUxMLCAwLCBOVUxM LCBjciwgTlVMTCwgTlVMTCwgTlVMTCk7CiAJaWYgKGVycm9yID09IDApCi0JCXZuX2xvY2soKnZw cCwgTEtfRVhDTFVTSVZFIHwgTEtfUkVUUlkpOworCQllcnJvciA9IHZuX2xvY2soKnZwcCwgYXAt PmFfY25wLT5jbl9sa2ZsYWdzKTsKIAlyZXR1cm4gKGVycm9yKTsKIH0KIApkaWZmIC0tZ2l0IGEv c3lzL2NkZGwvY29udHJpYi9vcGVuc29sYXJpcy91dHMvY29tbW9uL2ZzL3pmcy96ZnNfdmZzb3Bz LmMgYi9zeXMvY2RkbC9jb250cmliL29wZW5zb2xhcmlzL3V0cy9jb21tb24vZnMvemZzL3pmc192 ZnNvcHMuYwppbmRleCA4ZWI4OTUzLi44ZWE3NjYxIDEwMDY0NAotLS0gYS9zeXMvY2RkbC9jb250 cmliL29wZW5zb2xhcmlzL3V0cy9jb21tb24vZnMvemZzL3pmc192ZnNvcHMuYworKysgYi9zeXMv Y2RkbC9jb250cmliL29wZW5zb2xhcmlzL3V0cy9jb21tb24vZnMvemZzL3pmc192ZnNvcHMuYwpA QCAtMjAzNiwxMiArMjAzNiw3IEBAIHpmc191bW91bnQodmZzX3QgKnZmc3AsIGludCBmZmxhZykK IAkgKi8KIAlpZiAoemZzdmZzLT56X2N0bGRpciAhPSBOVUxMKQogCQl6ZnNjdGxfZGVzdHJveSh6 ZnN2ZnMpOwotCWlmICh6ZnN2ZnMtPnpfaXNzbmFwKSB7Ci0JCXZub2RlX3QgKnN2cCA9IHZmc3At Pm1udF92bm9kZWNvdmVyZWQ7CiAKLQkJaWYgKHN2cC0+dl9jb3VudCA+PSAyKQotCQkJVk5fUkVM RShzdnApOwotCX0KIAl6ZnNfZnJlZXZmcyh2ZnNwKTsKIAogCXJldHVybiAoMCk7CmRpZmYgLS1n aXQgYS9zeXMva2Vybi92ZnNfc3Vici5jIGIvc3lzL2tlcm4vdmZzX3N1YnIuYwppbmRleCA5MWM2 NGEzLi4yOWI2Mzk1IDEwMDY0NAotLS0gYS9zeXMva2Vybi92ZnNfc3Vici5jCisrKyBiL3N5cy9r 
ZXJuL3Zmc19zdWJyLmMKQEAgLTExOTgsNyArMTE5OCwxMCBAQCBpbnNtbnRxdWUxKHN0cnVjdCB2
bm9kZSAqdnAsIHN0cnVjdCBtb3VudCAqbXAsCiAJfQogCXZwLT52X21vdW50ID0gbXA7CiAJTU5U
X1JFRihtcCk7Ci0JVEFJTFFfSU5TRVJUX1RBSUwoJm1wLT5tbnRfbnZub2RlbGlzdCwgdnAsIHZf
bm1udHZub2Rlcyk7CisJaWYgKHZwLT52X3ZmbGFnICYgVlZfSU5TTVFIRUFEKQorCQlUQUlMUV9J
TlNFUlRfSEVBRCgmbXAtPm1udF9udm5vZGVsaXN0LCB2cCwgdl9ubW50dm5vZGVzKTsKKwllbHNl
CisJCVRBSUxRX0lOU0VSVF9UQUlMKCZtcC0+bW50X252bm9kZWxpc3QsIHZwLCB2X25tbnR2bm9k
ZXMpOwogCVZOQVNTRVJUKG1wLT5tbnRfbnZub2RlbGlzdHNpemUgPj0gMCwgdnAsCiAJCSgibmVn
IG1vdW50IHBvaW50IHZub2RlIGxpc3Qgc2l6ZSIpKTsKIAltcC0+bW50X252bm9kZWxpc3RzaXpl
Kys7CmRpZmYgLS1naXQgYS9zeXMvc3lzL3Zub2RlLmggYi9zeXMvc3lzL3Zub2RlLmgKaW5kZXgg
YjBjYmNjMC4uOGRmYWUzYSAxMDA2NDQKLS0tIGEvc3lzL3N5cy92bm9kZS5oCisrKyBiL3N5cy9z
eXMvdm5vZGUuaApAQCAtMjUzLDYgKzI1Myw3IEBAIHN0cnVjdCB4dm5vZGUgewogI2RlZmluZQlW
Vl9ERUxFVEVECTB4MDQwMAkvKiBzaG91bGQgYmUgcmVtb3ZlZCAqLwogI2RlZmluZQlWVl9NRAkJ
MHgwODAwCS8qIHZub2RlIGJhY2tzIHRoZSBtZCBkZXZpY2UgKi8KICNkZWZpbmUJVlZfRk9SQ0VJ
TlNNUQkweDEwMDAJLyogZm9yY2UgdGhlIGluc21udHF1ZSB0byBzdWNjZWVkICovCisjZGVmaW5l
CVZWX0lOU01RSEVBRAkweDIwMDAJLyogaW5zZXJ0IGluc3RlYWQgb2YgYXBwZW5kaW5nIHRvIG1u
dF9udm5vZGVsaXN0ICovCiAKIC8qCiAgKiBWbm9kZSBhdHRyaWJ1dGVzLiAgQSBmaWVsZCB2YWx1
ZSBvZiBWTk9WQUwgcmVwcmVzZW50cyBhIGZpZWxkIHdob3NlIHZhbHVlCg==

--=_e29d732e9be4cf639842cb9d8de74c22--

From owner-freebsd-security@FreeBSD.ORG Tue Jan 21 13:46:35 2014
Date: Tue, 21 Jan 2014 22:45:11 +0900
Message-ID: <20140121224511WQ%kamada@nanohz.org>
From: KAMADA Ken'ichi
To: freebsd-security@freebsd.org
Subject: Capsicum and sendto(2)

Hi,

What is the intended behavior of sendto() with a non-NULL destination when the capability mode is enabled?

If the capability mode is *not* enabled, it is checked against CAP_CONNECT in kern_sendit() @ uipc_syscall.c. This matches the explanation in the rights(4) manual page.

However, if the capability mode is enabled, it is always rejected in sendit(). Is this intended?
Best regards,
Ken

From owner-freebsd-security@FreeBSD.ORG Tue Jan 21 18:31:43 2014
Date: Tue, 21 Jan 2014 12:21:50 -0600
From: Brooks Davis
To: "KAMADA Ken'ichi"
Cc: freebsd-security@freebsd.org
Subject: Re: Capsicum and sendto(2)
Message-ID: <20140121182150.GB80341@lor.one-eyed-alien.net>
In-Reply-To: <20140121224511WQ%kamada@nanohz.org>
References: <20140121224511WQ%kamada@nanohz.org>
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="bCsyhTFzCvuiizWE"

--bCsyhTFzCvuiizWE
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
On Tue, Jan 21, 2014 at 10:45:11PM +0900, KAMADA Ken'ichi wrote:
> Hi,
>
> What is the intended behavior of sendto() with non-NULL destination
> when the capability mode is enabled?
>
> If the capability mode is *not* enabled, it is checked against
> CAP_CONNECT in kern_sendit() @ uipc_syscall.c.
> This matches the explanation in the rights(4) manual page.
>
> However, if the capability mode is enabled, it is always
> rejected in sendit(). Is this intended?

Yes, this is intended. In capability mode all access to namespaces is restricted, including the IP address namespace. You must either connect your sockets before entering capability mode or use casper to provide connected sockets.

-- Brooks

--bCsyhTFzCvuiizWE
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (FreeBSD)

iD8DBQFS3rq8XY6L6fI4GtQRApKfAKDlxqHfgGJL/CLL2q3mIJKHWJclCwCgx46d
X4F4WJLKyFnLt7AW2zpSfys=
=8J8r
-----END PGP SIGNATURE-----

--bCsyhTFzCvuiizWE--

From owner-freebsd-security@FreeBSD.ORG Tue Jan 21 23:24:58 2014
Date: Tue, 21 Jan 2014 15:24:51 -0800
Message-ID: <52DF01C3.4030008@delphij.net>
From: Xin Li
Organization: The FreeBSD Project
Reply-To: d@delphij.net
To: freebsd-security@freebsd.org
Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-14:01.bsnmpd
References: <201401142011.s0EKB8Zw082592@freefall.freebsd.org> <20140116204101.GA40990@caravan.chchile.org>
In-Reply-To: <20140116204101.GA40990@caravan.chchile.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 1/16/14, 12:41 PM, Jeremie Le Hen wrote:
> Hi,
>
> On Tue, Jan 14, 2014 at 08:11:08PM +0000, FreeBSD Security
> Advisories wrote:
>>
>> II. Problem Description
>>
>> The bsnmpd(8) daemon is prone to a stack-based buffer-overflow
>> when it has received a specifically crafted GETBULK PDU request.
>>
>> III. Impact
>>
>> This issue could be exploited to execute arbitrary code in the
>> context of the service daemon, or crash the service daemon,
>> causing a denial-of-service.
>>
>> IV. Workaround
>>
>> No workaround is available, but systems not running bsnmpd(8) are
>> not vulnerable.
>
> We are supposed to have SSP in all binaries that should prevent
> exploitations from this kind of bugs.
> I am curious why it hasn't
> been mentioned: is it because it didn't work as expected (which
> would require some investigation), or is it just an omission?

Yes, it does work and will abort the process (resulting in a denial of service) rather than allowing the execution.

Cheers,
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJS3wHDAAoJEJW2GBstM+ns31sP/RqXFycq4QOiGzf5gb8fkLmZ
520X/5QBaXYzzMQkJfkw7S6VuszfJALT3wMbJRUe10yBoWz0NSswOOG+RJsxXR4t
+Rf1tOnK/wXiGhzbW8mRPkfaThRuxQkhNLpndzwYdxFbCp7aroZZLMsCgXCanHbi
OyRFooWsD19Pe1v34/5S/VCHy6TsD45ZTPhuDtkKCEAdoFGOmRfHcGA3CtS8LfE4
4cOJpAWQ6aHXSD5ijpILv10Z6JqbTR2lCow3FOpiXO2ka514WMDpqyFA5vY/ZSBh
BoT8Ct5JhJ3mftG8m8xPl3gUQCE48iFj2nuZmFQU/Ny9pjvXFZAQNTk+Vir2xiut
Zx770yXM55IaUf9EHN9FN25wiXrj3xIZs1j9Nc2DhuT9IAWAZeokwYFXxkFcXN6b
ehRLyYa91iqEF3u6hbUm/Ee2RDxNxa4fALR5yZBYEfStzINSHVA3p2CsxLgwqrkk
c8YVzq4PGnGinsDi72oTRJyL673A/svSnqNL/kqsxcz1uBHJsiWr9cKJCiHPmVwG
K+i0ijhzU0QP6jOhFfvPMGONCEXqsKaUvwe/Hi3QmGd8mIJFGbTJ07BEPsYgVJXM
DKXISnR91zbBvGnH/y3ru6ut5kog+4axoNRNrME6lLkX0TcKuxoAzaxY/SNfiE9P
n5P1CVYW+KsLX/T6jV/4
=DBA7
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Wed Jan 22 11:47:15 2014
Date: Wed, 22 Jan 2014 20:47:13 +0900
Message-ID: <20140122204713WF%kamada@nanohz.org>
From: KAMADA Ken'ichi
To: freebsd-security@freebsd.org
Subject: Re: Capsicum and sendto(2)
In-Reply-To: <20140121182150.GB80341@lor.one-eyed-alien.net>
References: <20140121224511WQ%kamada@nanohz.org> <20140121182150.GB80341@lor.one-eyed-alien.net>

At Tue, 21 Jan 2014 12:21:50 -0600, Brooks Davis wrote:
>
> On Tue, Jan 21, 2014 at 10:45:11PM +0900, KAMADA Ken'ichi wrote:
> >
> > What is the intended behavior of sendto() with non-NULL destination
> > when the capability mode is enabled?
> >
> > If the capability mode is *not* enabled, it is checked against
> > CAP_CONNECT in kern_sendit() @ uipc_syscall.c.
> > This matches the explanation in the rights(4) manual page.
> >
> > However, if the capability mode is enabled, it is always
> > rejected in sendit(). Is this intended?
>
> Yes, this is intended. In capability mode all access to namespaces is
> restricted including the IP address namespace. You must either connect
> your sockets before entering capability mode or use casper to provide
> connected sockets.

Understood. The capability mode forbids access to the global name space.

What I was trying to do was applying Capsicum to a packet translator, which inherently needs to send packets to many addresses. Maybe I need something analogous to opening a subdirectory in a filesystem name space, say, a new API to "open" a subnet before entering capability mode...

Thanks,
Ken
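The pattern Brooks Davis describes in the Capsicum thread above (connect the sockets before entering capability mode, so the sandboxed process only ever calls send() on already-named peers, never sendto() with an address) applied to the packet-translator case Ken raises, as an added example that is not code from the thread or from FreeBSD. It assumes the set of destinations is known before sandboxing, uses constructed loopback destinations on ports 40001/40002, and takes cap_enter() from <sys/capsicum.h>; on non-FreeBSD hosts a labelled stub stands in for cap_enter() so the table logic still builds and runs.

```c
/*
 * Added example (not code from the thread): one UDP socket per destination,
 * each connect()ed BEFORE cap_enter(). Inside capability mode the IP address
 * namespace is closed, so sendto() with an explicit address is rejected; a
 * connected socket needs no address and send() keeps working.
 */
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>   /* cap_enter(); assumption: current FreeBSD header name */
#endif

#define MAX_PEERS 8

struct peer {
    struct sockaddr_in addr;   /* destination this socket is fixed to */
    int fd;                    /* UDP socket already connect()ed to addr */
};

struct peer_table {
    struct peer peers[MAX_PEERS];
    int count;
};

/* Create a UDP socket and connect() it to ip:port. Returns fd, or -1 with errno set. */
static int connected_udp_socket(const char *ip, uint16_t port, struct sockaddr_in *out)
{
    struct sockaddr_in sin;
    int fd, saved;

    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    if (inet_pton(AF_INET, ip, &sin.sin_addr) != 1) {
        errno = EINVAL;
        return -1;
    }
    if ((fd = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
        return -1;
    /* Naming the peer here, while the namespace is still reachable, is the whole trick. */
    if (connect(fd, (struct sockaddr *)&sin, sizeof(sin)) != 0) {
        saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    if (out != NULL)
        *out = sin;
    return fd;
}

/* Register a destination; must run BEFORE enter_sandbox(). 0 on success, -1 on error. */
int peer_table_add(struct peer_table *t, const char *ip, uint16_t port)
{
    if (t->count >= MAX_PEERS) {
        errno = ENOSPC;
        return -1;
    }
    int fd = connected_udp_socket(ip, port, &t->peers[t->count].addr);
    if (fd < 0)
        return -1;
    t->peers[t->count].fd = fd;
    t->count++;
    return 0;
}

/* Socket for ip:port, or -1 if that destination was not registered before sandboxing. */
int peer_table_lookup(const struct peer_table *t, const char *ip, uint16_t port)
{
    struct in_addr a;
    if (inet_pton(AF_INET, ip, &a) != 1)
        return -1;
    for (int i = 0; i < t->count; i++)
        if (t->peers[i].addr.sin_addr.s_addr == a.s_addr &&
            t->peers[i].addr.sin_port == htons(port))
            return t->peers[i].fd;
    return -1;
}

/* Enter capability mode. Returns 0 on success or an errno value.
 * Non-FreeBSD stub (assumption for portability of the example): reports ENOSYS. */
int enter_sandbox(void)
{
#ifdef __FreeBSD__
    return cap_enter() == 0 ? 0 : errno;
#else
    return ENOSYS;
#endif
}

/* Forward a payload with send(): no address argument, so it is allowed in capability mode.
 * An unregistered destination is unreachable by design and is refused here, not by the kernel. */
ssize_t forward_packet(const struct peer_table *t, const char *ip, uint16_t port,
                       const void *buf, size_t len)
{
    int fd = peer_table_lookup(t, ip, port);
    if (fd < 0) {
        errno = EHOSTUNREACH;
        return -1;
    }
    return send(fd, buf, len, 0);
}

int main(void)
{
    struct peer_table t = { .count = 0 };
    const char msg[] = "hello";   /* constructed payload */

    /* constructed destinations: loopback, arbitrary ports */
    if (peer_table_add(&t, "127.0.0.1", 40001) != 0 ||
        peer_table_add(&t, "127.0.0.1", 40002) != 0) {
        perror("peer_table_add");
        return 1;
    }
    int rc = enter_sandbox();
    if (rc != 0)
        fprintf(stderr, "capability mode unavailable: %s (continuing unsandboxed)\n", strerror(rc));
    if (forward_packet(&t, "127.0.0.1", 40002, msg, sizeof(msg)) < 0)
        perror("forward_packet");
    if (forward_packet(&t, "127.0.0.1", 40003, msg, sizeof(msg)) < 0)
        printf("unregistered destination refused: %s\n", strerror(errno));
    return 0;
}
```

The table is the sandbox's whole view of the network: anything not connected before cap_enter() cannot be reached afterwards, which is exactly the "open a subnet before entering capability mode" shape Ken is asking for, only at per-host granularity. On FreeBSD a sendto() with an address on any of these sockets after cap_enter() fails with ECAPMODE, while send() on them succeeds.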