Clean console safely

Clean console safely

[Petr Písař]

Hello,

I've posted following patch to linux-kernel already and Alan Cox liked it
(http://thread.gmane.org/gmane.linux.kernel/1117336). I'd like to ask you,
a TTY maintainer, to apply it to next Linux tree if it's acceptable.

-- Petr

[PATCH] Clean console safely

[Petr Písař]

Traditional \E[2J sequence erases console display but scroll-back
buffer and underlying device (frame) buffer keep data that can be
accessed by scrolling console back.

This patch introduce new \E[J parameter 3 that allows to scramble
scroll-back buffer explicitly. Session locking programs (screen,
vlock) can use it to prevent attacker to browse locked console
history.
---
 drivers/tty/vt/vt.c |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
index 4bea1ef..fe96a1f 100644
--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -1197,6 +1197,12 @@ static void csi_J(struct vc_data *vc, int vpar)
 					      vc->vc_x + 1);
 			}
 			break;
+		case 3: /* erase scroll-back buffer (and whole display) */
+			scr_memsetw(vc->vc_screenbuf, vc->vc_video_erase_char,
+				    vc->vc_screenbuf_size >> 1);
+			set_origin(vc);
+			if (CON_IS_VISIBLE(vc))
+				update_screen(vc);
 		case 2: /* erase whole display */
 			count = vc->vc_cols * vc->vc_rows;
 			start = (unsigned short *)vc->vc_origin;
-- 
1.7.4.4

Re: [PATCH] Clean console safely

[Artem Bityutskiy]

On Wed, 2011-04-13 at 16:32 +0200, Petr Písař wrote:
> Traditional \E[2J sequence erases console display but scroll-back
> buffer and underlying device (frame) buffer keep data that can be
> accessed by scrolling console back.
> 
> This patch introduce new \E[J parameter 3 that allows to scramble
> scroll-back buffer explicitly. Session locking programs (screen,
> vlock) can use it to prevent attacker to browse locked console
> history.
> ---
>  drivers/tty/vt/vt.c |    6 ++++++
>  1 files changed, 6 insertions(+), 0 deletions(-)

You forgot to "Signed-off-by:" it.

-- 
Best Regards,
Artem Bityutskiy (Артём Битюцкий)

[PATCH] Clean console safely

[Petr Písař]

Traditional \E[2J sequence erases console display but scroll-back
buffer and underlying device (frame) buffer keep data that can be
accessed by scrolling console back.

This patch introduce new \E[J parameter 3 that allows to scramble
scroll-back buffer explicitly. Session locking programs (screen,
vlock) can use it to prevent attacker to browse locked console
history.

Signed-off-by: Petr Písař <ppisar@redhat.com>
---
 drivers/tty/vt/vt.c |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
index 4bea1ef..fe96a1f 100644
--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -1197,6 +1197,12 @@ static void csi_J(struct vc_data *vc, int vpar)
 					      vc->vc_x + 1);
 			}
 			break;
+		case 3: /* erase scroll-back buffer (and whole display) */
+			scr_memsetw(vc->vc_screenbuf, vc->vc_video_erase_char,
+				    vc->vc_screenbuf_size >> 1);
+			set_origin(vc);
+			if (CON_IS_VISIBLE(vc))
+				update_screen(vc);
 		case 2: /* erase whole display */
 			count = vc->vc_cols * vc->vc_rows;
 			start = (unsigned short *)vc->vc_origin;
-- 
1.7.4.4

Re: Clean console safely

[Greg KH]

On Wed, Apr 13, 2011 at 04:32:49PM +0200, Petr Písař wrote:
> Hello,
> 
> I've posted following patch to linux-kernel already and Alan Cox liked it
> (http://thread.gmane.org/gmane.linux.kernel/1117336). I'd like to ask you,
> a TTY maintainer, to apply it to next Linux tree if it's acceptable.

Ok, but care to resend it with a signed-off-by line so that I can apply
it?

thanks,

greg k-h

Re: [PATCH] Clean console safely

[Greg KH]

On Wed, Apr 13, 2011 at 04:54:33PM +0200, Petr Písař wrote:
> Traditional \E[2J sequence erases console display but scroll-back
> buffer and underlying device (frame) buffer keep data that can be
> accessed by scrolling console back.
> 
> This patch introduce new \E[J parameter 3 that allows to scramble
> scroll-back buffer explicitly. Session locking programs (screen,
> vlock) can use it to prevent attacker to browse locked console
> history.

Is this also documented somewhere so that people know about it?

thanks,

greg k-h

Re: [PATCH] Clean console safely

[Chris Ball]

Hi,

On Wed, Apr 13 2011, Petr Písař wrote:
> Traditional \E[2J sequence erases console display but scroll-back
> buffer and underlying device (frame) buffer keep data that can be
> accessed by scrolling console back.
>
> This patch introduce new \E[J parameter 3 that allows to scramble
> scroll-back buffer explicitly. Session locking programs (screen,
> vlock) can use it to prevent attacker to browse locked console
> history.
>
> Signed-off-by: Petr Písař <ppisar@redhat.com>
> ---
>  drivers/tty/vt/vt.c |    6 ++++++
>  1 files changed, 6 insertions(+), 0 deletions(-)
>
> diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
> index 4bea1ef..fe96a1f 100644
> --- a/drivers/tty/vt/vt.c
> +++ b/drivers/tty/vt/vt.c
> @@ -1197,6 +1197,12 @@ static void csi_J(struct vc_data *vc, int vpar)
>  					      vc->vc_x + 1);
>  			}
>  			break;
> +		case 3: /* erase scroll-back buffer (and whole display) */
> +			scr_memsetw(vc->vc_screenbuf, vc->vc_video_erase_char,
> +				    vc->vc_screenbuf_size >> 1);
> +			set_origin(vc);
> +			if (CON_IS_VISIBLE(vc))
> +				update_screen(vc);
>  		case 2: /* erase whole display */
>  			count = vc->vc_cols * vc->vc_rows;
>  			start = (unsigned short *)vc->vc_origin;

Nitpick: the cases were ordered before -- 3 should go after 2.

- Chris.
-- 
Chris Ball   <cjb@laptop.org>   <http://printf.net/>
One Laptop Per Child

Re: [PATCH] Clean console safely

[Petr Pisar]

On Wed, Apr 13, 2011 at 11:18:04AM -0400, Chris Ball wrote:
> 
> On Wed, Apr 13 2011, Petr Písař wrote:
> > Traditional \E[2J sequence erases console display but scroll-back
> > buffer and underlying device (frame) buffer keep data that can be
> > accessed by scrolling console back.
> >
> > This patch introduce new \E[J parameter 3 that allows to scramble
> > scroll-back buffer explicitly. Session locking programs (screen,
> > vlock) can use it to prevent attacker to browse locked console
> > history.
> >
> > Signed-off-by: Petr Písař <ppisar@redhat.com>
> > ---
> >  drivers/tty/vt/vt.c |    6 ++++++
> >  1 files changed, 6 insertions(+), 0 deletions(-)
> >
> > diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
> > index 4bea1ef..fe96a1f 100644
> > --- a/drivers/tty/vt/vt.c
> > +++ b/drivers/tty/vt/vt.c
> > @@ -1197,6 +1197,12 @@ static void csi_J(struct vc_data *vc, int vpar)
> >  					      vc->vc_x + 1);
> >  			}
> >  			break;
> > +		case 3: /* erase scroll-back buffer (and whole display) */
> > +			scr_memsetw(vc->vc_screenbuf, vc->vc_video_erase_char,
> > +				    vc->vc_screenbuf_size >> 1);
> > +			set_origin(vc);
> > +			if (CON_IS_VISIBLE(vc))
> > +				update_screen(vc);
> >  		case 2: /* erase whole display */
> >  			count = vc->vc_cols * vc->vc_rows;
> >  			start = (unsigned short *)vc->vc_origin;
> 
> Nitpick: the cases were ordered before -- 3 should go after 2.
> 
This is on purpose to continue with code for case 2 as it prepares variables
for cleaning visible part of display after the switch block.

-- Petr

Re: [PATCH] Clean console safely

[Alexander Stein]

Hi,

On Wednesday 13 April 2011, 17:18:04 Chris Ball wrote:
> On Wed, Apr 13 2011, Petr Písař wrote:
> > Traditional \E[2J sequence erases console display but scroll-back
> > buffer and underlying device (frame) buffer keep data that can be
> > accessed by scrolling console back.
> > 
> > This patch introduce new \E[J parameter 3 that allows to scramble
> > scroll-back buffer explicitly. Session locking programs (screen,
> > vlock) can use it to prevent attacker to browse locked console
> > history.
> > 
> > Signed-off-by: Petr Písař <ppisar@redhat.com>
> > ---
> > 
> >  drivers/tty/vt/vt.c |    6 ++++++
> >  1 files changed, 6 insertions(+), 0 deletions(-)
> > 
> > diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
> > index 4bea1ef..fe96a1f 100644
> > --- a/drivers/tty/vt/vt.c
> > +++ b/drivers/tty/vt/vt.c
> > @@ -1197,6 +1197,12 @@ static void csi_J(struct vc_data *vc, int vpar)
> > 
> >  					      vc->vc_x + 1);
> >  			
> >  			}
> >  			break;
> > 
> > +		case 3: /* erase scroll-back buffer (and whole display) */
> > +			scr_memsetw(vc->vc_screenbuf, vc->vc_video_erase_char,
> > +				    vc->vc_screenbuf_size >> 1);
> > +			set_origin(vc);
> > +			if (CON_IS_VISIBLE(vc))
> > +				update_screen(vc);
> > 
> >  		case 2: /* erase whole display */
> >  		
> >  			count = vc->vc_cols * vc->vc_rows;
> >  			start = (unsigned short *)vc->vc_origin;
> 
> Nitpick: the cases were ordered before -- 3 should go after 2.

Not if the fall-through is intended.

Alexander

Re: [PATCH] Clean console safely

[Petr Pisar]

On Wed, Apr 13, 2011 at 08:01:13AM -0700, Greg KH wrote:
> On Wed, Apr 13, 2011 at 04:54:33PM +0200, Petr Písař wrote:
> > Traditional \E[2J sequence erases console display but scroll-back
> > buffer and underlying device (frame) buffer keep data that can be
> > accessed by scrolling console back.
> > 
> > This patch introduce new \E[J parameter 3 that allows to scramble
> > scroll-back buffer explicitly. Session locking programs (screen,
> > vlock) can use it to prevent attacker to browse locked console
> > history.
> 
> Is this also documented somewhere so that people know about it?
> 
> 
Not yet as this is fresh feature. I'd like to put few words into
console_codes(4). I guess manual sources are not part of Linux.

-- Petr

Re: [PATCH] Clean console safely

[Chris Ball]

Hi,

On Wed, Apr 13 2011, Petr Pisar wrote:
> On Wed, Apr 13, 2011 at 11:18:04AM -0400, Chris Ball wrote:
>> 
>> On Wed, Apr 13 2011, Petr Písař wrote:
>> > Traditional \E[2J sequence erases console display but scroll-back
>> > buffer and underlying device (frame) buffer keep data that can be
>> > accessed by scrolling console back.
>> >
>> > This patch introduce new \E[J parameter 3 that allows to scramble
>> > scroll-back buffer explicitly. Session locking programs (screen,
>> > vlock) can use it to prevent attacker to browse locked console
>> > history.
>> >
>> > Signed-off-by: Petr Písař <ppisar@redhat.com>
>> > ---
>> >  drivers/tty/vt/vt.c |    6 ++++++
>> >  1 files changed, 6 insertions(+), 0 deletions(-)
>> >
>> > diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
>> > index 4bea1ef..fe96a1f 100644
>> > --- a/drivers/tty/vt/vt.c
>> > +++ b/drivers/tty/vt/vt.c
>> > @@ -1197,6 +1197,12 @@ static void csi_J(struct vc_data *vc, int vpar)
>> >  					      vc->vc_x + 1);
>> >  			}
>> >  			break;
>> > +		case 3: /* erase scroll-back buffer (and whole display) */
>> > +			scr_memsetw(vc->vc_screenbuf, vc->vc_video_erase_char,
>> > +				    vc->vc_screenbuf_size >> 1);
>> > +			set_origin(vc);
>> > +			if (CON_IS_VISIBLE(vc))
>> > +				update_screen(vc);
>> >  		case 2: /* erase whole display */
>> >  			count = vc->vc_cols * vc->vc_rows;
>> >  			start = (unsigned short *)vc->vc_origin;
>> 
>> Nitpick: the cases were ordered before -- 3 should go after 2.
>> 
> This is on purpose to continue with code for case 2 as it prepares variables
> for cleaning visible part of display after the switch block.

Oops, sorry; I saw an imaginary break statement there.

- Chris.
-- 
Chris Ball   <cjb@laptop.org>   <http://printf.net/>
One Laptop Per Child

Re: [PATCH] Clean console safely

[Greg KH]

On Wed, Apr 13, 2011 at 05:33:59PM +0200, Petr Pisar wrote:
> On Wed, Apr 13, 2011 at 08:01:13AM -0700, Greg KH wrote:
> > On Wed, Apr 13, 2011 at 04:54:33PM +0200, Petr Písař wrote:
> > > Traditional \E[2J sequence erases console display but scroll-back
> > > buffer and underlying device (frame) buffer keep data that can be
> > > accessed by scrolling console back.
> > > 
> > > This patch introduce new \E[J parameter 3 that allows to scramble
> > > scroll-back buffer explicitly. Session locking programs (screen,
> > > vlock) can use it to prevent attacker to browse locked console
> > > history.
> > 
> > Is this also documented somewhere so that people know about it?
> > 
> > 
> Not yet as this is fresh feature. I'd like to put few words into
> console_codes(4). I guess manual sources are not part of Linux.

No they are not, they have their own maintainer and release schedule.

thanks,

greg k-h

RE: [PATCH] Clean console safely

[Daniel Taylor]

 

> -----Original Message-----
> From: linux-kernel-owner@vger.kernel.org 
> [mailto:linux-kernel-owner@vger.kernel.org] On Behalf Of Chris Ball
> Sent: Wednesday, April 13, 2011 8:45 AM
> To: Greg Kroah-Hartman
> Cc: Alan Cox; linux-kernel@vger.kernel.org; Artem Bityutskiy
> Subject: Re: [PATCH] Clean console safely
> 
> Hi,
> 
> On Wed, Apr 13 2011, Petr Pisar wrote:
> > On Wed, Apr 13, 2011 at 11:18:04AM -0400, Chris Ball wrote:
> >> 
> >> On Wed, Apr 13 2011, Petr Písař wrote:
> >> > Traditional \E[2J sequence erases console display but scroll-back
> >> > buffer and underlying device (frame) buffer keep data that can be
> >> > accessed by scrolling console back.
> >> >
> >> > This patch introduce new \E[J parameter 3 that allows to scramble
> >> > scroll-back buffer explicitly. Session locking programs (screen,
> >> > vlock) can use it to prevent attacker to browse locked console
> >> > history.
> >> >
> >> > Signed-off-by: Petr Písař <ppisar@redhat.com>
> >> > ---
> >> >  drivers/tty/vt/vt.c |    6 ++++++
> >> >  1 files changed, 6 insertions(+), 0 deletions(-)
> >> >
> >> > diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
> >> > index 4bea1ef..fe96a1f 100644
> >> > --- a/drivers/tty/vt/vt.c
> >> > +++ b/drivers/tty/vt/vt.c
> >> > @@ -1197,6 +1197,12 @@ static void csi_J(struct vc_data 
> *vc, int vpar)
> >> >  					      vc->vc_x + 1);
> >> >  			}
> >> >  			break;
> >> > +		case 3: /* erase scroll-back buffer 
> (and whole display) */
> >> > +			scr_memsetw(vc->vc_screenbuf, 
> vc->vc_video_erase_char,
> >> > +				    vc->vc_screenbuf_size >> 1);
> >> > +			set_origin(vc);
> >> > +			if (CON_IS_VISIBLE(vc))
> >> > +				update_screen(vc);
> >> >  		case 2: /* erase whole display */
> >> >  			count = vc->vc_cols * vc->vc_rows;
> >> >  			start = (unsigned short *)vc->vc_origin;
> >> 
> >> Nitpick: the cases were ordered before -- 3 should go after 2.
> >> 
> > This is on purpose to continue with code for case 2 as it 
> prepares variables
> > for cleaning visible part of display after the switch block.
> 
> Oops, sorry; I saw an imaginary break statement there.

Shouldn't there be a "/* fall through */", or similar, comment,
or all of the existing ones in the kernel extraneous?  Personally,
I prefer to see clearly that the missing "break" is intentional.

> 
> - Chris.
> -- 
> Chris Ball   <cjb@laptop.org>   <http://printf.net/>
> One Laptop Per Child
> --
> To unsubscribe from this list: send the line "unsubscribe 
> linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/
> 

[PATCH] Clean console safely

[Petr Písař]

Traditional \E[2J sequence erases console display but scroll-back
buffer and underlying device (frame) buffer keep data that can be
accessed by scrolling console back.

This patch introduce new \E[J parameter 3 that allows to scramble
scroll-back buffer explicitly. Session locking programs (screen,
vlock) can use it to prevent attacker to browse locked console
history.

Signed-off-by: Petr Písař <ppisar@redhat.com>
---
 drivers/tty/vt/vt.c |    7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
index 4bea1ef..cb661ca 100644
--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -1197,6 +1197,13 @@ static void csi_J(struct vc_data *vc, int vpar)
 					      vc->vc_x + 1);
 			}
 			break;
+		case 3: /* erase scroll-back buffer (and whole display) */
+			scr_memsetw(vc->vc_screenbuf, vc->vc_video_erase_char,
+				    vc->vc_screenbuf_size >> 1);
+			set_origin(vc);
+			if (CON_IS_VISIBLE(vc))
+				update_screen(vc);
+			/* fall through */
 		case 2: /* erase whole display */
 			count = vc->vc_cols * vc->vc_rows;
 			start = (unsigned short *)vc->vc_origin;
-- 
1.7.4.4

Re: [PATCH] Clean console safely

[Jiri Slaby]

On 04/15/2011, 10:08 AM, Petr Písař wrote:
> Traditional \E[2J sequence erases console display but scroll-back
> buffer and underlying device (frame) buffer keep data that can be
> accessed by scrolling console back.
> 
> This patch introduce new \E[J parameter 3 that allows to scramble
> scroll-back buffer explicitly. Session locking programs (screen,
> vlock) can use it to prevent attacker to browse locked console
> history.
> 
> Signed-off-by: Petr Písař <ppisar@redhat.com>
> ---
>  drivers/tty/vt/vt.c |    7 +++++++
>  1 files changed, 7 insertions(+), 0 deletions(-)
> 
> diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
> index 4bea1ef..cb661ca 100644
> --- a/drivers/tty/vt/vt.c
> +++ b/drivers/tty/vt/vt.c
> @@ -1197,6 +1197,13 @@ static void csi_J(struct vc_data *vc, int vpar)
>  					      vc->vc_x + 1);
>  			}
>  			break;
> +		case 3: /* erase scroll-back buffer (and whole display) */
> +			scr_memsetw(vc->vc_screenbuf, vc->vc_video_erase_char,
> +				    vc->vc_screenbuf_size >> 1);

Why is here the division? I suppose this is superfluous, given
scr_memsetw proper divides the size, hm?

> +			set_origin(vc);
> +			if (CON_IS_VISIBLE(vc))
> +				update_screen(vc);
> +			/* fall through */
>  		case 2: /* erase whole display */
>  			count = vc->vc_cols * vc->vc_rows;
>  			start = (unsigned short *)vc->vc_origin;
> 


-- 
js