Re: FreeBSD-SA-25:12.rtsold.asc clarification needed
- Reply: Polarian : "Re: FreeBSD-SA-25:12.rtsold.asc clarification needed"
- Reply: mike tancsa : "Re: FreeBSD-SA-25:12.rtsold.asc clarification needed (mostly clarified)"
- In reply to: mike tancsa : "Re: FreeBSD-SA-25:12.rtsold.asc clarification needed"
Date: Mon, 22 Dec 2025 22:25:45 UTC
On 12/22/2025 17:05, mike tancsa wrote:
> On 12/22/2025 4:51 PM, Polarian wrote:
>> Hey,
>>
>>> I am trying to understand if rtsold is not running and not enabled,
>>> what from the kernel would spin that up to expose the code path that
>>> is patched in the advisory?
>> I don't get where you are getting a kernel vulnerability from.
>>
>> The advisory already explains that the RCE comes from a lack of input
>> validation on the domain search field. This is a userspace
>> vulnerability.
>>
>> This is passed to resolvconf, which does not validate its input, which
>> therefore allows for an RCE.
>>
>> So why are we talking about code paths within the kernel? It's not within
>> the networking stack, it is a vulnerability within the userspace
>> utilities.
>
> When I asked if patching the userland code was enough, you said no.
>
> From what I understand, having ACCEPT_RTADV on an interface means the
> kernel is processing rtadv packets. The advisory mentions that, but
> it seems that's not sufficient to trigger the bug, as rtsold is the one
> that processes the unchecked DNS info. i.e. you need both
> ACCEPT_RTADV enabled and rtsold enabled, no? If just having
> ACCEPT_RTADV enabled would lead to an exploit, that implies a kernel
> bug, no?
>
> I just want to confirm if *not* running rtsold is enough to avoid this
> bug or just having the mere presence of IPv6 can lead to exploit. If
> the latter, how is that actually working.
>
> ---Mike
>

Unless I am missing something serious, you are correct.

Without rtsold, if you have an interface that goes down and comes back up you likely will not get routes (including default) until the gateway performs its next timed transmission (typically 10 minutes). With it enabled but no options specified, it comes up on my machines as "-a -i", which is "seek the interfaces to solicit upon and do so immediately on start."

The problem is that the resolvconf(8) script is run by default (unless you specify something else with the -R switch) if rtsold is running and a DNS configuration option (RDNSS or DNSSL) advertisement is received. If rtsold is not running then it should not result in a problem per se; however, you get the possibility of not having routes when the box comes up until the gateway performs its next timed transmission.

--
Karl Denninger
karl@denninger.net
/The Market Ticker/
/[S/MIME encrypted email preferred]/
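The thread turns on the point that rtsold hands the search-domain list from a DNSSL advertisement to the resolvconf(8) script without validating it. The following is an added example, written for this archive page; it is not code from the thread, from the advisory, or from FreeBSD's rtsold or resolvconf. It parses a Router Advertisement DNSSL option in the layout given by RFC 8106 (type 31, length in 8-octet units, reserved, lifetime, DNS wire-format names, zero padding) and then applies a deliberately conservative name check before anything would be passed on to a shell script. The allowed alphabet (letters, digits, hyphen, dot) and the helper names `parse_dnssl`, `is_safe_search_domain`, `safe_search_list` and `build_dnssl` are assumptions made for the example; the sample options are constructed, not captured from a network, and do not reproduce the advisory's trigger.

```python
import struct

# Neighbor Discovery option type codes from RFC 8106 (not from the advisory).
ND_OPT_RDNSS = 25
ND_OPT_DNSSL = 31

# Conservative hostname alphabet. Anything outside it (whitespace, shell
# metacharacters, non-ASCII) is rejected before a name could reach a script
# such as resolvconf(8). This rule is an assumption for the example and is
# stricter than what DNS itself permits in a label.
_ALLOWED = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-.")


def decode_wire_name(buf, offset):
    """Decode one DNS wire-format name at offset; return (name, next_offset).

    RA options carry plain labels only, so compression pointers are refused."""
    labels = []
    while True:
        if offset >= len(buf):
            raise ValueError("truncated domain name")
        length = buf[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not allowed in DNSSL option")
        if length > 63:
            raise ValueError("label longer than 63 octets")
        label = buf[offset:offset + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label)
        offset += length
    # Non-ASCII bytes decode to U+FFFD, which the alphabet check later rejects.
    return b".".join(labels).decode("ascii", errors="replace"), offset


def parse_dnssl(option):
    """Parse a complete DNSSL option (RFC 8106 section 5.2); return (lifetime, names)."""
    if len(option) < 8 or len(option) % 8 != 0:
        raise ValueError("DNSSL option must be at least 8 octets and a multiple of 8")
    opt_type, opt_len, _reserved, lifetime = struct.unpack("!BBHI", option[:8])
    if opt_type != ND_OPT_DNSSL:
        raise ValueError("not a DNSSL option")
    if opt_len * 8 != len(option):
        raise ValueError("option length field does not match buffer")
    names = []
    offset = 8
    while offset < len(option):
        if option[offset] == 0:
            # Padding to the 8-octet boundary: must be all zero to the end.
            if any(option[offset:]):
                raise ValueError("non-zero padding after last domain name")
            break
        name, offset = decode_wire_name(option, offset)
        names.append(name)
    return lifetime, names


def is_safe_search_domain(name):
    """True only for names in the conservative alphabet with sane label structure."""
    if not name or len(name) > 253:
        return False
    if any(ch not in _ALLOWED for ch in name):
        return False
    labels = name.split(".")
    return all(0 < len(lbl) <= 63 and not lbl.startswith("-")
               and not lbl.endswith("-") for lbl in labels)


def safe_search_list(option):
    """Split the advertised search list into (accepted, rejected) names."""
    _lifetime, names = parse_dnssl(option)
    accepted = [n for n in names if is_safe_search_domain(n)]
    rejected = [n for n in names if not is_safe_search_domain(n)]
    return accepted, rejected


def build_dnssl(names, lifetime=1800):
    """Encode a DNSSL option; used here only to construct sample input."""
    body = b""
    for name in names:
        for label in name.encode("latin-1").split(b"."):
            body += bytes([len(label)]) + label
        body += b"\x00"
    body += b"\x00" * ((-(8 + len(body))) % 8)
    return struct.pack("!BBHI", ND_OPT_DNSSL, (8 + len(body)) // 8, 0, lifetime) + body


# Constructed sample options (not captured from a real router).
GOOD_OPTION = build_dnssl(["example.com", "corp.example"])
BAD_OPTION = build_dnssl(["example.com", "bad;name.example", "a b.example"])

if __name__ == "__main__":
    print(parse_dnssl(GOOD_OPTION))
    print(safe_search_list(BAD_OPTION))
```

The useful property is that validation happens on the decoded names, after the wire format has been checked for truncation and padding, and before any name is handed to a consumer that may treat its input as shell text. Rejected names are returned rather than silently dropped so an operator can log them.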