Message-ID: <20230317114844.21563d9a.hanno@hboeck.de>
Date: Fri, 17 Mar 2023 11:48:44 +0100
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Subject: Re: TTY pushback vulnerabilities / TIOCSTI

On Tue, 14 Mar 2023 11:36:26 +0100
Jakub Wilk <jwilk@...lk.net> wrote:

> On Linux virtual terminals, it's possible to achieve pretty much the
> same effect using TIOCLINUX, the ioctl used by gpm to implement
> copy&pasting.

This is interesting. Given this works only on "virtual terminals" (aka not in a terminal window on X, not over SSH), I think the severity is much lower than the TIOCSTI issue. Still it should be fixed.

I've created a patch for the Linux kernel very similar to the patch that allows disabling TIOCSTI. I'll send that to the kernel devs soon, but maybe people here want to test and comment.

--- drivers/tty/Kconfig | 16 ++++++++++++++++ drivers/tty/tty.h | 1 + drivers/tty/tty_io.c | 7 +++++++ drivers/tty/vt/vt.c | 5 +++++ 4 files changed, 29 insertions(+) diff --git a/drivers/tty/Kconfig b/drivers/tty/Kconfig index d35fc068d..f808e4ee7 100644 --- a/drivers/tty/Kconfig +++ b/drivers/tty/Kconfig @@ -168,6 +168,22 @@ config LEGACY_TIOCSTI dev.tty.legacy_tiocsti sysctl. This configuration option sets the default value of the sysctl. +config LEGACY_TIOCLINUX + bool "Allow legacy TIOCLINUX usage" + default y + help + The TIOCLINUX ioctl allows implementing copy-and-paste and + mouse operations in virtual terminals, used by tools like gpm. + However, it can be abused by a low privilege process when + called with tools like su or sudo to inject content on the + root shell. + + Say Y here if you use tools like gpm. + + This functionality can be changed at runtime with the + dev.tty.legacy_tioclinux sysctl. This configuration option sets + the default value of the sysctl. + config LDISC_AUTOLOAD bool "Automatically load TTY Line Disciplines" default y diff --git a/drivers/tty/tty.h b/drivers/tty/tty.h index f45cd683c..3e4f1e094 100644
--- a/drivers/tty/tty.h +++ b/drivers/tty/tty.h @@ -94,6 +94,7 @@ int __must_check tty_ldisc_init(struct tty_struct *tty); void tty_ldisc_deinit(struct tty_struct *tty); extern int tty_ldisc_autoload; +extern bool tty_legacy_tioclinux; /* tty_audit.c */ #ifdef CONFIG_AUDIT diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c index 36fb945fd..badd1f909 100644 --- a/drivers/tty/tty_io.c +++ b/drivers/tty/tty_io.c @@ -3602,6 +3602,13 @@ static struct ctl_table tty_table[] = { .mode = 0644, .proc_handler = proc_dobool, }, + { + .procname = "legacy_tioclinux", + .data = &tty_legacy_tioclinux, + .maxlen = sizeof(tty_legacy_tioclinux), + .mode = 0644, + .proc_handler = proc_dobool, + }, { .procname = "ldisc_autoload", .data = &tty_ldisc_autoload, diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c index 57a5c23b5..3bc0d9149 100644 --- a/drivers/tty/vt/vt.c +++ b/drivers/tty/vt/vt.c @@ -3119,6 +3119,8 @@ static struct console vt_console_driver = { * Handling of Linux-specific VC ioctls */ +bool tty_legacy_tioclinux __read_mostly = IS_ENABLED(CONFIG_LEGACY_TIOCLINUX); + /* * Generally a bit racy with respect to console_lock();. * @@ -3137,6 +3139,9 @@ int tioclinux(struct tty_struct *tty, unsigned long arg) int lines; int ret; + if (!tty_legacy_tioclinux) + return -EIO; + if (current->signal->tty != tty && !capable(CAP_SYS_ADMIN)) return -EPERM; if (get_user(type, p)) -- 2.40.0 -- Hanno Böck https://hboeck.de/
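Review bot: the new `config LEGACY_TIOCLINUX` entry in drivers/tty/Kconfig has no `depends on VT`, although the only code it gates is `tioclinux()` in drivers/tty/vt/vt.c, so the option is offered on kernels that are built without virtual terminals. Adding `depends on VT` would fix that. The help text also does not say what answering N does: as posted, the vt.c check makes every TIOCLINUX request fail with -EIO, which is worth stating because the text only mentions copy-and-paste and mouse operations.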
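Review bot: the `legacy_tioclinux` entry added to `tty_table[]` in drivers/tty/tty_io.c takes `&tty_legacy_tioclinux`, but the patch defines that variable in drivers/tty/vt/vt.c, which is only compiled when CONFIG_VT is set, so a kernel without VT would fail to link. Either define the variable in tty_io.c next to the sysctl table, or put the table entry and the `extern bool tty_legacy_tioclinux;` in tty.h under `#ifdef CONFIG_VT`.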
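Review bot: in `tioclinux()` the new `if (!tty_legacy_tioclinux) return -EIO;` sits ahead of both the `capable(CAP_SYS_ADMIN)` test and `get_user(type, p)`, so with the sysctl off the ioctl fails for every subcode and for privileged callers too, not only for the selection and paste operations the Kconfig help describes. Consider moving the check to after `type` has been read and applying it only to the subcodes that can inject input, and letting CAP_SYS_ADMIN callers through so that a root-run gpm keeps working; if disabling TIOCLINUX entirely is intended, say so in the help text and the commit message.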