[Security] Should open TTY device files pin minor numbers?

[Security] Should open TTY device files pin minor numbers?

[Alan Stern]

Recent work in the TTY core and in usb-serial has caused a change 
in behavior between 2.6.30 and 2.6.31-rc.  Namely, if a USB serial 
device is unplugged while a process holds the device file open, the 
minor number won't get reused until the process closes the file.

For example, if you run minicom over /dev/ttyUSB0, unplug the USB
device while minicom is running, and then plug it in again before
exiting minicom, it will reappear as /dev/ttyUSB1 instead of
/dev/ttyUSB0 (which will be gone).

Although this sort of behavior is very common in other subsystems,
users don't expect it of serial devices.  So I posted a patch to change
the behavior: usb-serial will release the device's minor number when
the disconnect occurs instead of waiting for all the open file
references to be closed.

There have been objections to this patch, based on security
considerations.  Reuse of the minor number means that there is a race.  
For a brief time after the device is removed, the device node will
remain in the file system.  If a new device appears during that time
and is assigned the same minor number, a process could open the new
device via the old node, subject only to the permissions checks meant 
for the old device.

Of course, this race is not new.  The same race is present even without
my patch, if the device is unplugged while the device file is not open.  
Maybe it's a little more likely to occur with the patch, since the
opportunity will be there whether the file is open or not.

So, should the patch be accepted?  I don't think it raises any undue 
risk, but other people might disagree.

And if the patch is not accepted then shouldn't the TTY drivers be
changed to avoid reusing minor numbers in all cases, even when the
device file isn't open?  Or at a minimum, shouldn't usb-serial do this?

Alan Stern

Re: [Security] Should open TTY device files pin minor numbers?

[Greg KH]

On Thu, Jul 23, 2009 at 02:38:01PM -0400, Alan Stern wrote:
> Recent work in the TTY core and in usb-serial has caused a change 
> in behavior between 2.6.30 and 2.6.31-rc.  Namely, if a USB serial 
> device is unplugged while a process holds the device file open, the 
> minor number won't get reused until the process closes the file.

That's how the usb-serial code always worked, this is nothing new at
all.

> For example, if you run minicom over /dev/ttyUSB0, unplug the USB
> device while minicom is running, and then plug it in again before
> exiting minicom, it will reappear as /dev/ttyUSB1 instead of
> /dev/ttyUSB0 (which will be gone).

Exactly.  People are used to this by now, it shouldn't be a supprise :)

thanks,

greg k-h

Re: [Security] Should open TTY device files pin minor numbers?

[H. Peter Anvin]

On 07/24/2009 10:14 PM, Greg KH wrote:
> On Thu, Jul 23, 2009 at 02:38:01PM -0400, Alan Stern wrote:
>> Recent work in the TTY core and in usb-serial has caused a change 
>> in behavior between 2.6.30 and 2.6.31-rc.  Namely, if a USB serial 
>> device is unplugged while a process holds the device file open, the 
>> minor number won't get reused until the process closes the file.
> 
> That's how the usb-serial code always worked, this is nothing new at
> all.
> 
>> For example, if you run minicom over /dev/ttyUSB0, unplug the USB
>> device while minicom is running, and then plug it in again before
>> exiting minicom, it will reappear as /dev/ttyUSB1 instead of
>> /dev/ttyUSB0 (which will be gone).
> 
> Exactly.  People are used to this by now, it shouldn't be a supprise :)
> 

It is, however, a *very* nasty surprise when the USB bus glitches.

	-hpa

Re: [Security] Should open TTY device files pin minor numbers?

[david]

On Wed, 29 Jul 2009, H. Peter Anvin wrote:

> On 07/24/2009 10:14 PM, Greg KH wrote:
>> On Thu, Jul 23, 2009 at 02:38:01PM -0400, Alan Stern wrote:
>>> Recent work in the TTY core and in usb-serial has caused a change
>>> in behavior between 2.6.30 and 2.6.31-rc.  Namely, if a USB serial
>>> device is unplugged while a process holds the device file open, the
>>> minor number won't get reused until the process closes the file.
>>
>> That's how the usb-serial code always worked, this is nothing new at
>> all.
>>
>>> For example, if you run minicom over /dev/ttyUSB0, unplug the USB
>>> device while minicom is running, and then plug it in again before
>>> exiting minicom, it will reappear as /dev/ttyUSB1 instead of
>>> /dev/ttyUSB0 (which will be gone).
>>
>> Exactly.  People are used to this by now, it shouldn't be a supprise :)
>>
>
> It is, however, a *very* nasty surprise when the USB bus glitches.

however since the serial adapters will be re-detected in a random order 
it's less nasty than cross-connecting devices and applications silently.

David Lang