From: "Günther Noack" <gnoack@google.com>
To: Greg KH <gregkh@linuxfoundation.org>
Cc: "Hanno Böck" <hanno@hboeck.de>,
	kernel-hardening@lists.openwall.com,
	"Kees Cook" <keescook@chromium.org>,
	"Jiri Slaby" <jirislaby@kernel.org>,
	"Geert Uytterhoeven" <geert@linux-m68k.org>,
	"Paul Moore" <paul@paul-moore.com>,
	"Samuel Thibault" <samuel.thibault@ens-lyon.org>,
	"David Laight" <David.Laight@aculab.com>,
	"Simon Brand" <simon.brand@postadigitale.de>,
	"Dave Mielke" <Dave@mielke.cc>,
	"Mickaël Salaün" <mic@digikod.net>,
	"KP Singh" <kpsingh@google.com>,
	"Nico Schottelius" <nico-gpm2008@schottelius.org>,
	"Günther Noack" <gnoack@google.com>
Subject: [PATCH v3 1/1] tty: Restrict access to TIOCLINUX' copy-and-paste subcommands
Date: Mon, 28 Aug 2023 18:41:17 +0200
Message-ID: <20230828164117.3608812-2-gnoack@google.com>
In-Reply-To: <20230828164117.3608812-1-gnoack@google.com>

From: Hanno Böck <hanno@hboeck.de>

TIOCLINUX can be used for privilege escalation on virtual terminals when
code is executed via tools like su/sudo and sandboxing tools.

By abusing the selection features, a lower-privileged application can
write content to the console, select and copy/paste that content, and
thereby execute code on the privileged account. See also the PoC
here:

  https://www.openwall.com/lists/oss-security/2023/03/14/3

Selection is usually used by tools like gpm that provide mouse features
on the virtual console. gpm already runs as root (due to earlier
changes that restrict access to a user on the current TTY), therefore
it will still work with this change.

With this change, the following TIOCLINUX subcommands require
CAP_SYS_ADMIN:

 * TIOCL_SETSEL - setting the selected region on the terminal
 * TIOCL_PASTESEL - pasting the contents of the selected region into
   the input buffer
 * TIOCL_SELLOADLUT - changing word-by-word selection behaviour

The security problem mitigated is similar to the security risks caused
by TIOCSTI, which, since kernel 6.2, can be disabled with
CONFIG_LEGACY_TIOCSTI=n.

Signed-off-by: Hanno Böck <hanno@hboeck.de>
Signed-off-by: Günther Noack <gnoack@google.com>
Tested-by: Günther Noack <gnoack@google.com>
---
 drivers/tty/vt/vt.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
index 1e8e57b45688..1eb30ed1118d 100644
--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -3156,9 +3156,13 @@ int tioclinux(struct tty_struct *tty, unsigned long arg)
 
 	switch (type) {
 	case TIOCL_SETSEL:
+		if (!capable(CAP_SYS_ADMIN))
+			return -EPERM;
 		return set_selection_user((struct tiocl_selection
 					 __user *)(p+1), tty);
 	case TIOCL_PASTESEL:
+		if (!capable(CAP_SYS_ADMIN))
+			return -EPERM;
 		return paste_selection(tty);
 	case TIOCL_UNBLANKSCREEN:
 		console_lock();
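Review bot: the identical two-line capable(CAP_SYS_ADMIN) guard is repeated verbatim for TIOCL_SETSEL and TIOCL_PASTESEL in this hunk; consider a single guard ahead of the switch for the privileged subcommands (or a one-line helper such as a `tiocl_needs_admin(type)` test) so that a subcommand added later cannot silently miss the check. The placement before set_selection_user() is correct: the `struct tiocl_selection` at `p+1` is never copied in for a request that will be refused, and the early `return -EPERM` leaves no state to undo.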
@@ -3166,6 +3170,8 @@ int tioclinux(struct tty_struct *tty, unsigned long arg)
 		console_unlock();
 		break;
 	case TIOCL_SELLOADLUT:
+		if (!capable(CAP_SYS_ADMIN))
+			return -EPERM;
 		console_lock();
 		ret = sel_loadlut(p);
 		console_unlock();
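Review bot: unlike the CONFIG_LEGACY_TIOCSTI analogy the commit message draws, this change has no opt-out, so the commit message (or a comment at this case) should say plainly that TIOCL_SELLOADLUT, like the two selection subcommands, now unconditionally requires CAP_SYS_ADMIN. The check itself is correctly placed before console_lock(), so a refused call takes no lock and needs no unlock path on the -EPERM return.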
-- 
2.42.0.rc2.253.gd59a3bf2b4-goog
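The following program is an added example, not part of this patch or of the kernel tree: it lets an administrator confirm from an unprivileged shell on a virtual console that the restriction described above is in effect. It opens /dev/tty (tioclinux() refuses ioctls on any tty other than the caller's controlling one, so this is the right file to probe), issues the unprivileged TIOCL_GETSHIFTSTATE subcommand to confirm the tty is a Linux VT, then issues TIOCL_SETSEL with sel_mode TIOCL_SELCLEAR (which only clears the current selection) and TIOCL_PASTESEL (which pastes the now-empty selection), and reports whether both came back EPERM. The ioctl numbers and struct layout are re-declared from linux/tiocl.h and asm/ioctls.h so the example builds without kernel UAPI headers installed. TIOCL_SELLOADLUT is deliberately not probed because it has no side-effect-free argument. Run it as a non-root user on a VT; as root the subcommands are accepted whether or not the patch is applied, so that verdict says nothing about the kernel.

```c
/* Added example: probe whether the running kernel refuses the TIOCLINUX
 * selection subcommands to an unprivileged caller.  Not kernel code. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>

/* Values copied from <asm/ioctls.h> and <linux/tiocl.h>; guarded so that the
 * system headers win when they are present. */
#ifndef TIOCLINUX
#define TIOCLINUX 0x541C
#endif
#ifndef TIOCL_SETSEL
#define TIOCL_SETSEL        2
#define TIOCL_SELCLEAR      4   /* sel_mode: just clear the selection */
#define TIOCL_PASTESEL      3
#define TIOCL_GETSHIFTSTATE 6   /* unprivileged, harmless VT detector */
struct tiocl_selection {
    unsigned short xs, ys, xe, ye, sel_mode;
};
#endif

enum verdict { VT_NOT_A_CONSOLE, VT_RESTRICTED, VT_UNRESTRICTED, VT_UNKNOWN };

/* Decision logic kept free of ioctl calls so it can be unit-tested without a
 * VT: "restricted" only when the kernel answered EPERM for both subcommands;
 * 0 for both means they were accepted (patch absent, or caller is privileged). */
enum verdict judge(int setsel_err, int pastesel_err)
{
    if (setsel_err == EPERM && pastesel_err == EPERM)
        return VT_RESTRICTED;
    if (setsel_err == 0 && pastesel_err == 0)
        return VT_UNRESTRICTED;
    return VT_UNKNOWN;
}

/* Issue one TIOCLINUX subcommand.  The kernel reads the subcommand byte at
 * arg[0] and, for TIOCL_SETSEL, a struct tiocl_selection at arg+1.
 * Returns 0 on success, otherwise the errno value. */
static int tiocl(int fd, unsigned char subcmd, const void *payload, size_t len)
{
    unsigned char req[1 + sizeof(struct tiocl_selection)] = {0};
    req[0] = subcmd;
    if (payload && len <= sizeof(struct tiocl_selection))
        memcpy(req + 1, payload, len);
    return ioctl(fd, TIOCLINUX, req) < 0 ? errno : 0;
}

/* Probe fd; the per-subcommand errno values are returned for diagnostics. */
enum verdict probe_console(int fd, int *setsel_err, int *pastesel_err)
{
    /* A pty (terminal emulator, ssh) answers ENOTTY here, a VT answers 0. */
    if (tiocl(fd, TIOCL_GETSHIFTSTATE, NULL, 0) != 0)
        return VT_NOT_A_CONSOLE;
    struct tiocl_selection clear = { .sel_mode = TIOCL_SELCLEAR };
    *setsel_err = tiocl(fd, TIOCL_SETSEL, &clear, sizeof clear);
    *pastesel_err = tiocl(fd, TIOCL_PASTESEL, NULL, 0);
    return judge(*setsel_err, *pastesel_err);
}

int main(void)
{
    int fd = open("/dev/tty", O_RDWR | O_NOCTTY);
    if (fd < 0) {
        perror("open /dev/tty");
        return 2;
    }
    int se = 0, pe = 0;
    enum verdict v = probe_console(fd, &se, &pe);
    close(fd);
    switch (v) {
    case VT_RESTRICTED:
        puts("TIOCL_SETSEL and TIOCL_PASTESEL refused with EPERM: restriction in effect");
        return 0;
    case VT_UNRESTRICTED:
        printf("selection subcommands accepted as uid %u: restriction absent, "
               "or the caller has CAP_SYS_ADMIN\n", (unsigned)geteuid());
        return 1;
    case VT_NOT_A_CONSOLE:
        puts("not a Linux virtual console; run this from a VT, not a pty");
        return 2;
    default:
        printf("unexpected result: setsel=%s pastesel=%s\n",
               strerror(se), strerror(pe));
        return 2;
    }
}
```

Exit status 0 means the restriction is in effect, 1 means the subcommands were accepted, and 2 means the probe could not be carried out, which makes the program usable from a hardening checklist script.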


Thread overview: 13+ messages
2023-08-28 16:41 [PATCH v3 0/1] Restrict access to TIOCLINUX Günther Noack
2023-08-28 16:41 ` Günther Noack [this message]
2023-08-28 18:43   ` [PATCH v3 1/1] tty: Restrict access to TIOCLINUX' copy-and-paste subcommands Mickaël Salaün
2023-08-28 18:48     ` Greg KH
2023-08-28 16:45 ` [PATCH v3 0/1] Restrict access to TIOCLINUX Samuel Thibault
2023-08-29 13:00   ` Günther Noack
2023-08-30  0:36     ` Samuel Thibault
2023-09-15 13:32     ` Günther Noack
2023-10-09 20:19       ` Kees Cook
2023-10-10  6:17         ` Greg KH
2023-10-10 22:23           ` Kees Cook
2023-10-11  6:22             ` Greg KH
2023-10-11 15:49               ` sending commit notification to patch thread (was "Re: [PATCH v3 0/1] Restrict access to TIOCLINUX") Kees Cook
