oss-sec mailing list archives
Re: TTY pushback vulnerabilities / TIOCSTI
From: Hanno Böck <hanno () hboeck de>
Date: Fri, 17 Mar 2023 11:48:44 +0100
On Tue, 14 Mar 2023 11:36:26 +0100 Jakub Wilk <jwilk () jwilk net> wrote:
> On Linux virtual terminals, it's possible to achieve pretty much the same effect using TIOCLINUX, the ioctl used by gpm to implement copy&pasting.
This is interesting. Given this works only on "virtual terminals" (aka not in a terminal window on X, not over SSH), I think the severity is much lower than the TIOCSTI issue. Still it should be fixed. I've created a patch for the Linux kernel very similar to the patch that allows disabling TIOCSTI. I'll send that to the kernel devs soon, but maybe people here want to test and comment. --- drivers/tty/Kconfig | 16 ++++++++++++++++ drivers/tty/tty.h | 1 + drivers/tty/tty_io.c | 7 +++++++ drivers/tty/vt/vt.c | 5 +++++ 4 files changed, 29 insertions(+) diff --git a/drivers/tty/Kconfig b/drivers/tty/Kconfig index d35fc068d..f808e4ee7 100644 --- a/drivers/tty/Kconfig +++ b/drivers/tty/Kconfig @@ -168,6 +168,22 @@ config LEGACY_TIOCSTI dev.tty.legacy_tiocsti sysctl. This configuration option sets the default value of the sysctl. +config LEGACY_TIOCLINUX + bool "Allow legacy TIOCLINUX usage" + default y + help + The TIOCLINUX ioctl allows implementing copy-and-paste and + mouse operations in virtual terminals, used by tools like gpm. + However, it can be abused by a low privilege process when + called with tools like su or sudo to inject content on the + root shell. + + Say Y here if you use tools like gpm. + + This functionality can be changed at runtime with the + dev.tty.legacy_tioclinux sysctl. This configuration option sets + the default value of the sysctl. + config LDISC_AUTOLOAD bool "Automatically load TTY Line Disciplines" default y diff --git a/drivers/tty/tty.h b/drivers/tty/tty.h index f45cd683c..3e4f1e094 100644 --- a/drivers/tty/tty.h +++ b/drivers/tty/tty.h @@ -94,6 +94,7 @@ int __must_check tty_ldisc_init(struct tty_struct *tty); void tty_ldisc_deinit(struct tty_struct *tty); extern int tty_ldisc_autoload; +extern bool tty_legacy_tioclinux; /* tty_audit.c */ #ifdef CONFIG_AUDIT diff --git a/drivers/tty/tty_io.c b/drivers/tty/tty_io.c index 36fb945fd..badd1f909 100644 --- a/drivers/tty/tty_io.c +++ b/drivers/tty/tty_io.c 
@@ -3602,6 +3602,13 @@ static struct ctl_table tty_table[] = { .mode = 0644, .proc_handler = proc_dobool, }, + { + .procname = "legacy_tioclinux", + .data = &tty_legacy_tioclinux, + .maxlen = sizeof(tty_legacy_tioclinux), + .mode = 0644, + .proc_handler = proc_dobool, + }, { .procname = "ldisc_autoload", .data = &tty_ldisc_autoload, diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c index 57a5c23b5..3bc0d9149 100644 --- a/drivers/tty/vt/vt.c +++ b/drivers/tty/vt/vt.c @@ -3119,6 +3119,8 @@ static struct console vt_console_driver = { * Handling of Linux-specific VC ioctls */ +bool tty_legacy_tioclinux __read_mostly = IS_ENABLED(CONFIG_LEGACY_TIOCLINUX); + /* * Generally a bit racy with respect to console_lock();. * @@ -3137,6 +3139,9 @@ int tioclinux(struct tty_struct *tty, unsigned long arg) int lines; int ret; + if (!tty_legacy_tioclinux) + return -EIO; + if (current->signal->tty != tty && !capable(CAP_SYS_ADMIN)) return -EPERM; if (get_user(type, p)) -- 2.40.0 -- Hanno Böck https://hboeck.de/
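Review bot: config LEGACY_TIOCLINUX in drivers/tty/Kconfig has no "depends on VT", although the only check this patch adds lives in drivers/tty/vt/vt.c, so the option would be offered on kernels built without virtual terminals, where it can have no effect. Adding the dependency fixes that. The help text "when called with tools like su or sudo" can be read as if su or sudo issued the ioctl; naming the low privilege process as the caller would be clearer. With "default y" the hardening is opt-in, which the help text could state outright.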
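Review bot: the new tty_table[] entry in drivers/tty/tty_io.c takes &tty_legacy_tioclinux unconditionally, but the variable is defined in drivers/tty/vt/vt.c, which is only built when CONFIG_VT is set, so a CONFIG_VT=n build would fail at link time. Either guard the table entry (and the extern in drivers/tty/tty.h) with #ifdef CONFIG_VT, or define the variable in tty_io.c next to the sysctl table.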
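Review bot: in tioclinux() the new "if (!tty_legacy_tioclinux) return -EIO;" sits before get_user(type, p), so it rejects every TIOCLINUX subcommand rather than only the copy-and-paste and mouse operations the Kconfig help describes, and it sits before the capable(CAP_SYS_ADMIN) test, so privileged callers are refused as well. Consider moving the check below the get_user() and applying it only to the subcommands that can inject input, and decide explicitly whether CAP_SYS_ADMIN should bypass it so that a privileged gpm keeps working. Whichever behaviour is chosen, the help text should document it.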