Re: sshd failing in jail

From: Peter Jeremy <peterjeremy_at_optushome.com.au>
Date: Sun, 30 Aug 2009 09:34:54 +1000
[Redirected to amd64 because this is an amd64 kernel bug]

On 2009-Aug-25 05:33:44 +1000, Peter Jeremy <peterjeremy_at_optushome.com.au> wrote:
>I am attempting to build an i386 jail on an amd64 box to build
>packages for my netbook.  The host is running -current from just over
>two weeks ago and the jail is -current from early June.  The jail was
>built by doing a dump|restore of my netbook and then tweaking various
>config files to give it a new identity.  The jail's devfs is using
>"devfsrules_jail" from /etc/default/devfs.rules.
>
>The jail starts OK but when I attempt to ssh into it, I just get
>"Connection closed by <jail IP address>".

Turns out this is a bug in the 32-bit select(2) wrapper on 64-bit
kernels.  The userland fd_set arguments are not wrapped but passed
directly to kern_select().  Unfortunately, fd_set is (effectively) an
array of longs which means kern_select() assumes fd_set is a multiple
of 8-bytes whilst userland assumes it is a multiple of 4 bytes.  As a
result, the kernel can over-write an extra 4 bytes of user memory.  In
the case of sshd, this causes part of the RSA host key to be trashed
when privilege separation mode is enabled.

This bug also affects linux emulation on amd64 and potentially affects
any other 64-bit kernels with 32-bit emulation modes.  I have raised
amd64/138318 to cover it.

-- 
Peter Jeremy

Received on Sat Aug 29 2009 - 21:34:58 UTC
