Hash: SHA512

FreeBSD-SA-21:05.jail_chdir                                 Security Advisory
                                                          The FreeBSD Project

Topic:          jail_attach(2) relies on the caller to change the cwd

Category:       core
Module:         jail
Announced:      2021-02-24
Credits:        Mateusz Guzik
Affects:        All supported versions of FreeBSD.
Corrected:      2021-02-22 05:49:40 UTC (stable/13, 13.0-STABLE)
                2021-02-22 18:25:23 UTC (releng/13.0, 13.0-BETA3-p1)
                2021-02-22 19:03:43 UTC (stable/12, 12.2-STABLE)
                2021-02-24 01:43:47 UTC (releng/12.2, 12.2-RELEASE-p4)
                2021-02-22 19:08:27 UTC (stable/11, 11.4-STABLE)
                2021-02-24 01:41:46 UTC (releng/11.4, 11.4-RELEASE-p8)
CVE Name:       CVE-2020-25582

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The jail(2) system call allows a system administrator to lock a process
and all of its descendants inside an environment with a very limited
ability to affect the system outside that environment, even for
processes with superuser privileges.  It is an extension of, but
far more powerful than, the traditional UNIX chroot(2) system call.

The jail_attach(2) system call, which was introduced in FreeBSD 5
before 5.1-RELEASE, allows a non-jailed process to permanently move
into an existing jail.

The ptrace(2) system call provides tracing and debugging facilities by
allowing one process (the tracing process) to watch and control
another (the traced process).

II.  Problem Description

When a process, such as jexec(8) or killall(1), calls jail_attach(2)
to enter a jail, the jailed root can attach to it using ptrace(2) before
the current working directory is changed.

III. Impact

A process with superuser privileges running inside a jail could change
the root directory outside of the jail, thereby gaining full read and
writing access to all files and directories in the system.

IV.  Workaround

No workaround is available, but systems that are not running jails with
untrusted root users are not vulnerable.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date
and reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 13.x]
# fetch https://security.FreeBSD.org/patches/SA-21:05/jail_chdir.13.patch
# fetch https://security.FreeBSD.org/patches/SA-21:05/jail_chdir.13.patch.asc
# gpg --verify jail_chdir.13.patch.asc

[FreeBSD 11.x, FreeBSD 12.x]
# fetch https://security.FreeBSD.org/patches/SA-21:05/jail_chdir.patch
# fetch https://security.FreeBSD.org/patches/SA-21:05/jail_chdir.patch.asc
# gpg --verify jail_chdir.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/13/                       5dbb407145c8128753fa30b695bc266dc671e433
releng/13.0/                     f3f042d850baaeda1bed19e00c2b3b578644b7e9
stable/12/                                                        r369334
releng/12.2/                                                      r369354
stable/11/                                                        r369335
releng/11.4/                                                      r369348
- -------------------------------------------------------------------------

[FreeBSD 13.x]
To see which files were modified by a particular revision, run the following
command in a checked out git repository, replacing NNNNNN with the revision

# git show --stat NNNNNN

Or visit the following URL, replace NNNNNN with the revision hash:


[FreeBSD 11.x, FreeBSD 12.x]
To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:


VII. References


The latest revision of this advisory is available at

freebsd-announce@freebsd.org mailing list
To unsubscribe, send any mail to "freebsd-announce-unsubscr...@freebsd.org"

Reply via email to