sshd failing in jail

Peter Jeremy peterjeremy at optushome.com.au
Sat Aug 29 23:34:58 UTC 2009


[Redirected to amd64 because this is an amd64 kernel bug]

On 2009-Aug-25 05:33:44 +1000, Peter Jeremy <peterjeremy at optushome.com.au> wrote:
>I am attempting to build an i386 jail on an amd64 box to build
>packages for my netbook.  The host is running -current from just over
>two weeks ago and the jail is -current from early June.  The jail was
>built by doing a dump|restore of my netbook and then tweaking various
>config files to give it a new identity.  The jail's devfs is using
>"devfsrules_jail" from /etc/default/devfs.rules.
>
>The jail starts OK but when I attempt to ssh into it, I just get
>"Connection closed by <jail IP address>".

Turns out this is a bug in the 32-bit select(2) wrapper on 64-bit
kernels.  The userland fd_set arguments are not wrapped but passed
directly to kern_select().  Unfortunately, fd_set is (effectively) an
array of longs, which means kern_select() assumes fd_set is a multiple
of 8 bytes whilst userland assumes it is a multiple of 4 bytes.  As a
result, the kernel can overwrite an extra 4 bytes of user memory.  In
the case of sshd, this causes part of the RSA host key to be trashed
when privilege separation mode is enabled.

This bug also affects linux emulation on amd64 and potentially affects
any other 64-bit kernels with 32-bit emulation modes.  I have raised
amd64/138318 to cover it.

-- 
Peter Jeremy
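As an added illustration of the size mismatch described in the post (this is example code written for this page, not code from Peter Jeremy, FreeBSD or OpenSSH), the C program below models both sides in user space: a 32-bit caller that sizes its fd_set in 4-byte masks, and a 64-bit kernel path that rounds the same set up to whole 8-byte longs before writing the result back. The struct layout, the `howmany()`-based sizing (the convention assumed here for a caller that allocates a minimal fd_set for `nfds` descriptors) and all function names are assumptions made for the demonstration. The "fixed" path stands in for what a compat wrapper should do: let the kernel work on its own long-aligned copy and copy back only the bytes the 32-bit caller owns.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the 32-on-64 select(2) size mismatch.
 * Example code for this page, not FreeBSD's compat or kern_select code. */

#define howmany(x, y) (((x) + ((y) - 1)) / (y))

/* 32-bit userland: an fd_set is an array of 32-bit masks. */
typedef uint32_t fd_mask32;
#define NFDBITS32 (8 * sizeof(fd_mask32))

/* 64-bit kernel: an fd_set is an array of longs (64-bit masks). */
typedef uint64_t fd_mask64;
#define NFDBITS64 (8 * sizeof(fd_mask64))

/* Bytes a 32-bit caller allocates for an fd_set covering nfds descriptors
 * (assumed minimal allocation: howmany(nfds, NFDBITS) * sizeof(fd_mask)). */
size_t userland_fdset_bytes(int nfds) {
    return howmany((size_t)nfds, NFDBITS32) * sizeof(fd_mask32);
}

/* Bytes the 64-bit kernel reads and writes for the same nfds when the
 * user pointer is handed to it unwrapped: rounded up to whole longs. */
size_t kernel_fdset_bytes(int nfds) {
    return howmany((size_t)nfds, NFDBITS64) * sizeof(fd_mask64);
}

/* Extra bytes the kernel writes past the end of the caller's buffer. */
size_t overrun_bytes(int nfds) {
    size_t u = userland_fdset_bytes(nfds), k = kernel_fdset_bytes(nfds);
    return k > u ? k - u : 0;
}

/* Assumed 32-bit process memory: a one-mask fd_set (nfds <= 32) directly
 * followed by unrelated data, standing in for key material. */
struct user_mem {
    fd_mask32 readfds[1];
    uint8_t   secret[4];
};

static const uint8_t SECRET[4] = { 'K', 'E', 'Y', '!' };

/* Unwrapped path: the kernel writes its rounded-up result mask straight
 * into user memory.  Returns 1 if the adjacent data was clobbered. */
int buggy_copyout_clobbers(int nfds) {
    struct user_mem m;
    memset(m.readfds, 0xff, sizeof m.readfds);    /* caller's input mask */
    memcpy(m.secret, SECRET, sizeof SECRET);
    fd_mask64 result = 0;                          /* kernel: nothing ready */
    /* 8 bytes land on a 4-byte fd_set; the excess hits m.secret. */
    memcpy((void *)&m, &result, kernel_fdset_bytes(nfds));
    return memcmp(m.secret, SECRET, sizeof SECRET) != 0;
}

/* Wrapped path: the kernel operates on its own long-aligned buffer and the
 * compat layer copies back only the 32-bit caller's share of it. */
int fixed_copyout_clobbers(int nfds) {
    struct user_mem m;
    memset(m.readfds, 0xff, sizeof m.readfds);
    memcpy(m.secret, SECRET, sizeof SECRET);
    fd_mask64 kbuf[1] = { 0 };                     /* kernel-side copy */
    memcpy(m.readfds, kbuf, userland_fdset_bytes(nfds));
    return memcmp(m.secret, SECRET, sizeof SECRET) != 0;
}

int main(void) {
    for (int nfds = 1; nfds <= 96; nfds += 31)
        printf("nfds=%2d userland=%2zu kernel=%2zu overrun=%zu bytes\n",
               nfds, userland_fdset_bytes(nfds), kernel_fdset_bytes(nfds),
               overrun_bytes(nfds));
    printf("unwrapped path clobbers adjacent data: %d\n",
           buggy_copyout_clobbers(20));
    printf("wrapped path clobbers adjacent data:   %d\n",
           fixed_copyout_clobbers(20));
    return 0;
}
```

The overrun only appears when the caller's mask count is odd (1, 3, 5, ... 32-bit words), which is why a minimally sized fd_set for a handful of descriptors, as in a privsep sshd process, is exactly the case that trips it.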