Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20230317114844.21563d9a.hanno@hboeck.de>
Date: Fri, 17 Mar 2023 11:48:44 +0100
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Subject: Re: TTY pushback vulnerabilities / TIOCSTI

On Tue, 14 Mar 2023 11:36:26 +0100
Jakub Wilk <jwilk@...lk.net> wrote:

> On Linux virtual terminals, it's possible to achieve pretty much the 
> same effect using TIOCLINUX, the ioctl used by gpm to implement 
> copy&pasting.

This is interesting.

Given this works only on "virtual terminals" (aka not in a terminal
window on X, not over SSH), I think the severity is much lower than the
TIOCSTI issue. Still it should be fixed.

I've created a patch for the Linux kernel very similar to the patch
that allows disabling TIOCSTI. I'll send that to the kernel devs soon,
but maybe people here want to test and comment.

---
 drivers/tty/Kconfig  | 16 ++++++++++++++++
 drivers/tty/tty.h    |  1 +
 drivers/tty/tty_io.c |  7 +++++++
 drivers/tty/vt/vt.c  |  5 +++++
 4 files changed, 29 insertions(+)

diff --git a/drivers/tty/Kconfig b/drivers/tty/Kconfig
index d35fc068d..f808e4ee7 100644
--- a/drivers/tty/Kconfig
+++ b/drivers/tty/Kconfig
@@ -168,6 +168,22 @@ config LEGACY_TIOCSTI
 	  dev.tty.legacy_tiocsti sysctl. This configuration option sets
 	  the default value of the sysctl.
 
+config LEGACY_TIOCLINUX
+	bool "Allow legacy TIOCLINUX usage"
+	default y
+	help
+	  The TIOCLINUX ioctl allows implementing copy-and-paste and
+	  mouse operations in virtual terminals, used by tools like
gpm.
+	  However, it can be abused by a low privilege process when
+	  called with tools like su or sudo to inject content on the
+	  root shell.
+
+	  Say Y here if you use tools like gpm.
+
+	  This functionality can be changed at runtime with the
+	  dev.tty.legacy_tioclinux sysctl. This configuration option
sets
+	  the default value of the sysctl.
+
 config LDISC_AUTOLOAD
 	bool "Automatically load TTY Line Disciplines"
 	default y
diff --git a/drivers/tty/tty.h b/drivers/tty/tty.h
index f45cd683c..3e4f1e094 100644
--- a/drivers/tty/tty.h
+++ b/drivers/tty/tty.h
@@ -94,6 +94,7 @@ int __must_check tty_ldisc_init(struct tty_struct
*tty); void tty_ldisc_deinit(struct tty_struct *tty);
 
 extern int tty_ldisc_autoload;
+extern bool tty_legacy_tioclinux;
 
 /* tty_audit.c */
 #ifdef CONFIG_AUDIT
diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c
index 36fb945fd..badd1f909 100644
--- a/drivers/tty/tty_io.c
+++ b/drivers/tty/tty_io.c
@@ -3602,6 +3602,13 @@ static struct ctl_table tty_table[] = {
 		.mode		= 0644,
 		.proc_handler	= proc_dobool,
 	},
+	{
+		.procname	= "legacy_tioclinux",
+		.data		= &tty_legacy_tioclinux,
+		.maxlen		= sizeof(tty_legacy_tioclinux),
+		.mode		= 0644,
+		.proc_handler	= proc_dobool,
+	},
 	{
 		.procname	= "ldisc_autoload",
 		.data		= &tty_ldisc_autoload,
diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
index 57a5c23b5..3bc0d9149 100644
--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -3119,6 +3119,8 @@ static struct console vt_console_driver = {
  *	Handling of Linux-specific VC ioctls
  */
 
+bool tty_legacy_tioclinux __read_mostly =
IS_ENABLED(CONFIG_LEGACY_TIOCLINUX); +
 /*
  * Generally a bit racy with respect to console_lock();.
  *
@@ -3137,6 +3139,9 @@ int tioclinux(struct tty_struct *tty, unsigned
long arg) int lines;
 	int ret;
 
+	if (!tty_legacy_tioclinux)
+		return -EIO;
+
 	if (current->signal->tty != tty && !capable(CAP_SYS_ADMIN))
 		return -EPERM;
 	if (get_user(type, p))
-- 
2.40.0


-- 
Hanno Böck
https://hboeck.de/

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.