From: Peter Hurley <peter@hurleysoftware.com>
To: "Theodore Ts'o" <tytso@mit.edu>, Howard Chu <hyc@symas.com>,
Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
One Thousand Gnomes <gnomes@lxorguk.ukuu.org.uk>,
Jiri Slaby <jslaby@suse.cz>,
Linux Kernel Mailing List <Linux-Kernel@vger.kernel.org>,
linux-serial@vger.kernel.org
Subject: Re: [PATCH] n_tty: Remove LINEMODE support
Date: Mon, 19 Jan 2015 12:26:02 -0500 [thread overview]
Message-ID: <54BD3E2A.9040401@hurleysoftware.com> (raw)
In-Reply-To: <20150119163703.GA23605@thunk.org>
On 01/19/2015 11:37 AM, Theodore Ts'o wrote:
> On Mon, Jan 19, 2015 at 09:57:23AM -0500, Peter Hurley wrote:
>>
>> This reader set EOL2 to DISABLED_CHAR earlier, and left EOL unchanged.
>> I have seen userspace code that expects a line to be no longer than 4096 chars.
>
> Userspace code that does this is going to be very fragile. Input from
> the tty really should be considered completely untrustworthy.
Should and do are different modal verbs.
> For example, what if, while the tty is in canonical (ICANON) mode, an
> attacker sets PARMRK and clears IGNPAR, IGNBRK, and BRKINT on the tty
> and then proceeds to send a large number of breaks or parity errors
> down the tty?
The input path limits _all_ canonical lines to 4096 chars. Input beyond that
is discarded until a newline is received. I know this because I broke it
and just recently fixed it.
> That will certainly cause a buffer overflow of said
> userspace process. So if there is *any* setuid program which isn't
> defensively checking for buffer overruns it's kind of screwed anyway.
>
>>>> 4. ioctl(TIOCSIG) can send _any_ signal to a different process without
>>>> permission checks. That's not good.
>>>
>>> It can only send to the pty slave. Permissions were already checked when the pty master was opened.
>>
>> Still not ok.
>
> Interestingly, TIOCSIG is supported by FreeBSD *and* OpenBSD, and
> without any kind of checks. That being said, I can certainly think of
> potential security threats that could happen if a malicious program
> were to run a setuid program (say, /bin/passwd) under a pty, and then
> proceeded to send it a one or more of non-trappable signals -- for
> example, either SIGKILL or SIGSTOP -- to either widen the window for a
> race condition, or to kill a setuid program at a particularly
> inconvenient time.
I hadn't considered that possibility.
> It might be interesting to see if someone could figure out an attack
> that utilized this ioctl, and then demonstrated it on OpenBSD. :-)
I don't need that reputation :)
>>> What further checks do you think are needed? You think it should
>>> be limited to tty-specific signals: INT, QUIT, CONT, TSTP, TTIN,
>>> TTOU, WINCH?
>
> Definitely, and we should do this sooner rather than later IMHO.
> Preferably before someone figures out whether or not it's possible to
> attack OpenBSD and FreeBSD using this ioctl, and requests a CVE. :-)
I'm on it.
Regards,
Peter Hurley
prev parent reply other threads:[~2015-01-19 17:26 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-01-18 21:30 [PATCH] n_tty: Remove LINEMODE support Peter Hurley
2015-01-18 22:09 ` Howard Chu
2015-01-18 22:22 ` Peter Hurley
2015-01-18 22:44 ` Howard Chu
2015-01-18 23:06 ` Peter Hurley
2015-01-19 4:55 ` Theodore Ts'o
2015-01-19 16:34 ` Peter Hurley
[not found] ` <54BC3771.7030204@symas.com>
[not found] ` <54BC5EC7.1090202@hurleysoftware.com>
2015-01-19 12:46 ` Howard Chu
2015-01-19 14:57 ` Peter Hurley
2015-01-19 16:36 ` Howard Chu
2015-01-19 19:09 ` Peter Hurley
2015-01-19 19:43 ` Howard Chu
2015-01-20 18:02 ` Peter Hurley
2015-01-20 18:39 ` Howard Chu
2015-01-20 18:51 ` Howard Chu
2015-01-20 19:08 ` Peter Hurley
2015-01-20 18:16 ` Peter Hurley
2015-01-19 20:31 ` Howard Chu
2015-01-20 14:53 ` Peter Hurley
2015-01-20 17:20 ` Peter Hurley
2015-01-19 19:40 ` Peter Hurley
2015-01-19 16:37 ` Theodore Ts'o
2015-01-19 17:26 ` Peter Hurley [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=54BD3E2A.9040401@hurleysoftware.com \
--to=peter@hurleysoftware.com \
--cc=Linux-Kernel@vger.kernel.org \
--cc=gnomes@lxorguk.ukuu.org.uk \
--cc=gregkh@linuxfoundation.org \
--cc=hyc@symas.com \
--cc=jslaby@suse.cz \
--cc=linux-serial@vger.kernel.org \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).