From patchwork Tue Oct 28 16:28:38 2025
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4535
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Tue, 28 Oct 2025 17:28:38 +0100
Message-ID: <20251028162843.18189-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.49.1
Subject: [Openvpn-devel] [PATCH v4] sitnl: set FD_CLOEXEC on socket to prevent abuse

From: Antonio Quartulli

Since OpenVPN spawns various child processes, it is important that sockets are closed after calling exec.

The sitnl socket didn't have the right flag set, resulting in it surviving in, for example, connect/disconnect scripts and giving the latter a chance to abuse the socket.

Ensure this doesn't happen by setting FD_CLOEXEC on this socket right after creation.

Reported-by: Joshua Rogers
Found-by: ZeroPath (https://zeropath.com/)
Change-Id: I54845bf4dd17d06cfc3b402f188795f74f4b1d3e
Signed-off-by: Antonio Quartulli
Acked-by: Gert Doering
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1314
---
This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1314
This mail reflects revision 4 of this Change.

Acked-by according to Gerrit (reflected above): Gert Doering

diff --git a/CMakeLists.txt b/CMakeLists.txt index 5954a6e..bf754f3 100644 --- a/CMakeLists.txt
+++ b/CMakeLists.txt @@ -923,6 +923,7 @@ src/openvpn/crypto_openssl.c src/openvpn/crypto.c src/openvpn/crypto_epoch.c + src/openvpn/fdmisc.c src/openvpn/otime.c src/openvpn/packet_id.c ) diff --git a/src/openvpn/networking_sitnl.c b/src/openvpn/networking_sitnl.c index b3adb16..3e20b70 100644 --- a/src/openvpn/networking_sitnl.c +++ b/src/openvpn/networking_sitnl.c @@ -27,6 +27,7 @@ #include "dco.h" #include "errlevel.h" +#include "fdmisc.h" #include "buffer.h" #include "misc.h" #include "networking.h" @@ -181,6 +182,9 @@ return fd; } + /* set close on exec to avoid child processes access the socket */ + set_cloexec(fd); + if (setsockopt(fd, SOL_SOCKET, SO_SNDBUF, &sndbuf, sizeof(sndbuf)) < 0) { msg(M_WARN | M_ERRNO, "%s: SO_SNDBUF", __func__); diff --git a/tests/unit_tests/openvpn/Makefile.am b/tests/unit_tests/openvpn/Makefile.am index 997703a..0f13172 100644 --- a/tests/unit_tests/openvpn/Makefile.am +++ b/tests/unit_tests/openvpn/Makefile.am @@ -196,6 +196,7 @@ $(top_srcdir)/src/openvpn/crypto_epoch.c \ $(top_srcdir)/src/openvpn/crypto_mbedtls.c \ $(top_srcdir)/src/openvpn/crypto_openssl.c \ + $(top_srcdir)/src/openvpn/fdmisc.c \ $(top_srcdir)/src/openvpn/otime.c \ $(top_srcdir)/src/openvpn/packet_id.c \ $(top_srcdir)/src/openvpn/platform.c
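Review bot: in the networking_sitnl.c hunk that adds `set_cloexec(fd);` there is still a window between the `socket()` call and the `fcntl()` inside `set_cloexec()` during which a concurrent fork()+exec() from another thread inherits the netlink descriptor; since sitnl is Linux-only, passing `SOCK_CLOEXEC` in the `socket()` call would set the flag atomically at creation and close that window, with the call as written kept only as a fallback. Two smaller points on the same hunk: the bare `set_cloexec(fd);` discards any failure, so the caller never learns that the flag was not applied, and the comment should read "avoid child processes accessing the socket".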
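Review bot: the Makefile.am hunk (and the matching CMakeLists.txt one) only adds fdmisc.c so that the unit-test binary that compiles networking_sitnl.c still links; no test asserts the new behaviour. A regression check that reads `fcntl(fd, F_GETFD) & FD_CLOEXEC` on the sitnl socket would be cheap, if the test build can reach the descriptor (it may need a small accessor, since the socket is created inside networking_sitnl.c).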
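As an added example (not from the patch or OpenVPN's own code), this C program shows what the commit message describes: a descriptor created without FD_CLOEXEC is still usable by an exec'd script, while one flagged the way the patch does (fcntl after creation) is closed by exec. It stands in a local AF_UNIX datagram socket for the netlink socket and uses a constructed /bin/sh child as the "script"; `fd_is_cloexec`, `mark_cloexec` and `fd_survives_exec` are names chosen here, not OpenVPN's.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* Report whether fd carries FD_CLOEXEC: 1 = set, 0 = clear, -1 = fcntl error. */
int fd_is_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags < 0 ? -1 : ((flags & FD_CLOEXEC) ? 1 : 0);
}

/* The same fix the patch applies via set_cloexec(): set the flag right after
 * creation. Returns 0 on success, -1 on error. */
int mark_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    return flags < 0 ? -1 : fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Empirical check of what a spawned script sees: fork, exec /bin/sh and let it
 * try to dup the inherited descriptor number (stderr is silenced first so a
 * failed dup prints nothing). 1 = child could still use the descriptor,
 * 0 = exec closed it, -1 = fork/wait failure. */
int fd_survives_exec(int fd)
{
    char cmd[64];
    int status;
    snprintf(cmd, sizeof(cmd), "exec 2>/dev/null 9<&%d", fd);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

int main(void)
{
    /* Constructed stand-in for the sitnl netlink socket: a local datagram socket,
     * once left as created (pre-patch) and once with the flag set (post-patch). */
    int leaky = socket(AF_UNIX, SOCK_DGRAM, 0);
    int fixed = socket(AF_UNIX, SOCK_DGRAM, 0);
    mark_cloexec(fixed);
    printf("leaky: cloexec=%d survives_exec=%d\n", fd_is_cloexec(leaky), fd_survives_exec(leaky));
    printf("fixed: cloexec=%d survives_exec=%d\n", fd_is_cloexec(fixed), fd_survives_exec(fixed));
}
```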