kernel-hardening.lists.openwall.com archive mirror
* [PATCH v2 0/1] Restrict access to TIOCLINUX
@ 2023-08-28 12:21 Günther Noack
  2023-08-28 12:21 ` [PATCH v2 1/1] tty: Restrict access to TIOCLINUX' copy-and-paste subcommands Günther Noack
  0 siblings, 1 reply; 4+ messages in thread
From: Günther Noack @ 2023-08-28 12:21 UTC
  To: Greg KH
  Cc: Hanno Böck, kernel-hardening, Kees Cook, Jiri Slaby,
	Geert Uytterhoeven, Paul Moore, Samuel Thibault, David Laight,
	Simon Brand, Dave Mielke, Mickaël Salaün, KP Singh,
	Nico Schottelius, Günther Noack

Hello!

This is a re-send of a patch by Hanno Böck from 2023-04-02 [1], to restrict the
use of the copy-and-paste functionality in the TIOCLINUX IOCTL.

These copy-and-paste operations can be misused in the same way as the TIOCSTI
IOCTL, which can be disabled with a CONFIG option, since commit 83efeeeb3d04
("tty: Allow TIOCSTI to be disabled") and commit 690c8b804ad2 ("TIOCSTI: always
enable for CAP_SYS_ADMIN").  With this option set to N, the use of TIOCSTI
requires CAP_SYS_ADMIN.

We believe that it should be OK to not make this configurable: For TIOCLINUX's
copy-and-paste subcommands, the only known usage so far is GPM.  I have
personally verified that this continues to work, as GPM runs as root.

The number of affected programs should be much lower than was the case for
TIOCSTI (as TIOCLINUX only applies to virtual terminals), and even in the
TIOCLINUX case, only a handful of legitimate use cases were mentioned.  (BRLTTY,
tcsh, Emacs, special versions of "mail").  I have high confidence that GPM is
the only existing usage of that copy-and-paste feature.

(If configurability is really required, the way to be absolutely sure would be
to introduce a CONFIG option for it as well -- it would be a pretty obscure
option to have, but we can do that if needed.)

Changes in v2:
 - Rebased to Linux v6.5
 - Reworded commit message a bit
 - Added Tested-By

[1] https://lore.kernel.org/all/20230402160815.74760f87.hanno@hboeck.de/

Hanno Böck (1):
  tty: Restrict access to TIOCLINUX' copy-and-paste subcommands

 drivers/tty/vt/vt.c | 6 ++++++
 1 file changed, 6 insertions(+)


base-commit: 2dde18cd1d8fac735875f2e4987f11817cc0bc2c
-- 
2.42.0.rc2.253.gd59a3bf2b4-goog



* [PATCH v2 1/1] tty: Restrict access to TIOCLINUX' copy-and-paste subcommands
  2023-08-28 12:21 [PATCH v2 0/1] Restrict access to TIOCLINUX Günther Noack
@ 2023-08-28 12:21 ` Günther Noack
  2023-08-28 14:48   ` Greg KH
  0 siblings, 1 reply; 4+ messages in thread
From: Günther Noack @ 2023-08-28 12:21 UTC
  To: Greg KH
  Cc: Hanno Böck, kernel-hardening, Kees Cook, Jiri Slaby,
	Geert Uytterhoeven, Paul Moore, Samuel Thibault, David Laight,
	Simon Brand, Dave Mielke, Mickaël Salaün, KP Singh,
	Nico Schottelius, Günther Noack

From: Hanno Böck <hanno@hboeck.de>

TIOCLINUX can be used for privilege escalation on virtual terminals when
code is executed via tools like su/sudo and sandboxing tools.

By abusing the selection features, a lower-privileged application can
write content to the console, select and copy/paste that content and
thereby execute code on the privileged account. See also the PoC
here:

  https://www.openwall.com/lists/oss-security/2023/03/14/3

Selection is usually used by tools like gpm that provide mouse features
on the virtual console. gpm already runs as root (due to earlier
changes that restrict access to a user on the current TTY), therefore
it will still work with this change.

With this change, the following TIOCLINUX subcommands require
CAP_SYS_ADMIN:

 * TIOCL_SETSEL - setting the selected region on the terminal
 * TIOCL_PASTESEL - pasting the contents of the selected region into
   the input buffer
 * TIOCL_SELLOADLUT - changing word-by-word selection behaviour

The security problem mitigated is similar to the security risks caused
by TIOCSTI, which, since kernel 6.2, can be disabled with
CONFIG_LEGACY_TIOCSTI=n.

Signed-off-by: Hanno Böck <hanno@hboeck.de>
Tested-by: Günther Noack <gnoack@google.com>
---
 drivers/tty/vt/vt.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
index 1e8e57b45688..1eb30ed1118d 100644
--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -3156,9 +3156,13 @@ int tioclinux(struct tty_struct *tty, unsigned long arg)
 
 	switch (type) {
 	case TIOCL_SETSEL:
+		if (!capable(CAP_SYS_ADMIN))
+			return -EPERM;
 		return set_selection_user((struct tiocl_selection
 					 __user *)(p+1), tty);
 	case TIOCL_PASTESEL:
+		if (!capable(CAP_SYS_ADMIN))
+			return -EPERM;
 		return paste_selection(tty);
 	case TIOCL_UNBLANKSCREEN:
 		console_lock();
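Review bot: the two-line `if (!capable(CAP_SYS_ADMIN)) return -EPERM;` guard is duplicated for TIOCL_SETSEL and TIOCL_PASTESEL in this hunk (and once more for TIOCL_SELLOADLUT in the next one); consider a single check ahead of `switch (type)` that names the restricted subcommands, so the privilege policy is visible in one place and a future selection-related subcommand cannot be added without passing through it. Since the cover letter expects GPM (running as root) to be the only legitimate caller, a rate-limited notice on the -EPERM path would also let administrators spot, from dmesg, any other program that silently loses this functionality after the change, and any unprivileged process that tries to use it.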
@@ -3166,6 +3170,8 @@ int tioclinux(struct tty_struct *tty, unsigned long arg)
 		console_unlock();
 		break;
 	case TIOCL_SELLOADLUT:
+		if (!capable(CAP_SYS_ADMIN))
+			return -EPERM;
 		console_lock();
 		ret = sel_loadlut(p);
 		console_unlock();
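Review bot: the guard is correctly placed before console_lock(), so the early -EPERM return cannot leave the console lock held; what is missing is a rationale in the commit message for why TIOCL_SELLOADLUT needs CAP_SYS_ADMIN, since the subject and cover letter talk about copy-and-paste while the message only describes this subcommand as "changing word-by-word selection behaviour". One sentence on how a loaded table influences what a later word-mode selection (and therefore paste) covers would make the scope of the hardening reviewable and keep the three checks from looking like an arbitrary set.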
-- 
2.42.0.rc2.253.gd59a3bf2b4-goog


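As an added check that is not part of this patch series, the following C program (the names `build_selclear`, `classify` and `probe_tiocl_restriction` are mine) lets an administrator confirm that a running kernel enforces the restriction above: it issues TIOCL_SETSEL with sel_mode TIOCL_SELCLEAR, which only clears the on-screen highlight and never pastes, and reports EPERM as the sign that the capable(CAP_SYS_ADMIN) check fired. It assumes it is run as an unprivileged user from a shell on a virtual console, so that /dev/tty is the caller's own VT (the TTY-ownership rule mentioned in the commit message requires that anyway); the constant values are copied from include/uapi/linux/tiocl.h and asm/ioctls.h.

```c
/* Added probe (not from the patch): does this kernel limit the TIOCLINUX
 * selection subcommands to CAP_SYS_ADMIN? Run unprivileged on a virtual console. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>
#ifndef TIOCLINUX
#define TIOCLINUX 0x541C /* asm/ioctls.h value; guard keeps this compiling elsewhere */
#endif
#define PROBE_TIOCL_SETSEL 2   /* include/uapi/linux/tiocl.h: the subcommand guarded above */
#define PROBE_TIOCL_SELCLEAR 4 /* sel_mode that only clears the highlight and pastes nothing */

/* tioclinux() reads the subcommand at byte 0 and a struct tiocl_selection at byte 1 (p+1). */
struct __attribute__((packed)) setsel_req {
	unsigned char subcmd;
	unsigned short xs, ys, xe, ye, sel_mode;
};
size_t build_selclear(struct setsel_req *req)
{
	memset(req, 0, sizeof(*req));
	req->subcmd = PROBE_TIOCL_SETSEL;
	req->sel_mode = PROBE_TIOCL_SELCLEAR;
	return sizeof(*req); /* 11 bytes: 1 + 5 * sizeof(unsigned short) */
}
enum verdict { RESTRICTED, UNRESTRICTED, NOT_A_VT, PROBE_ERROR };
/* Decision logic kept pure so it can be tested without a console. */
enum verdict classify(int rc, int err)
{
	if (rc == 0)       return UNRESTRICTED; /* unprivileged caller drove selection */
	if (err == EPERM)  return RESTRICTED;   /* the capable(CAP_SYS_ADMIN) check fired */
	if (err == ENOTTY) return NOT_A_VT;     /* pty: request never reaches tioclinux() */
	return PROBE_ERROR;
}
/* /dev/tty is the caller's own controlling terminal, as the TTY-ownership rule requires. */
enum verdict probe_tiocl_restriction(const char *tty_path)
{
	struct setsel_req req;
	int fd = open(tty_path, O_RDWR);
	if (fd < 0) return PROBE_ERROR;
	build_selclear(&req);
	int rc = ioctl(fd, TIOCLINUX, &req), err = errno;
	close(fd);
	return classify(rc, err);
}
int main(void)
{
	static const char *names[] = { "RESTRICTED", "UNRESTRICTED", "NOT_A_VT", "PROBE_ERROR" };
	printf("TIOCLINUX selection subcommands: %s\n", names[probe_tiocl_restriction("/dev/tty")]);
}
```

NOT_A_VT means the probe ran on a pseudo-terminal (ssh, tmux, a terminal emulator) and says nothing about the kernel; repeat it from a console login.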

* Re: [PATCH v2 1/1] tty: Restrict access to TIOCLINUX' copy-and-paste subcommands
  2023-08-28 12:21 ` [PATCH v2 1/1] tty: Restrict access to TIOCLINUX' copy-and-paste subcommands Günther Noack
@ 2023-08-28 14:48   ` Greg KH
  2023-08-28 16:42     ` Günther Noack
  0 siblings, 1 reply; 4+ messages in thread
From: Greg KH @ 2023-08-28 14:48 UTC
  To: Günther Noack
  Cc: Hanno Böck, kernel-hardening, Kees Cook, Jiri Slaby,
	Geert Uytterhoeven, Paul Moore, Samuel Thibault, David Laight,
	Simon Brand, Dave Mielke, Mickaël Salaün, KP Singh,
	Nico Schottelius

On Mon, Aug 28, 2023 at 02:21:09PM +0200, Günther Noack wrote:
> From: Hanno Böck <hanno@hboeck.de>
> 
> TIOCLINUX can be used for privilege escalation on virtual terminals when
> code is executed via tools like su/sudo and sandboxing tools.
> 
> By abusing the selection features, a lower-privileged application can
> write content to the console, select and copy/paste that content and
> thereby execute code on the privileged account. See also the PoC
> here:
> 
>   https://www.openwall.com/lists/oss-security/2023/03/14/3
> 
> Selection is usually used by tools like gpm that provide mouse features
> on the virtual console. gpm already runs as root (due to earlier
> changes that restrict access to a user on the current TTY), therefore
> it will still work with this change.
> 
> With this change, the following TIOCLINUX subcommands require
> CAP_SYS_ADMIN:
> 
>  * TIOCL_SETSEL - setting the selected region on the terminal
>  * TIOCL_PASTESEL - pasting the contents of the selected region into
>    the input buffer
>  * TIOCL_SELLOADLUT - changing word-by-word selection behaviour
> 
> The security problem mitigated is similar to the security risks caused
> by TIOCSTI, which, since kernel 6.2, can be disabled with
> CONFIG_LEGACY_TIOCSTI=n.
> 
> Signed-off-by: Hanno Böck <hanno@hboeck.de>
> Tested-by: Günther Noack <gnoack@google.com>

When you pass on a patch like this, you too need to sign off on it as
per the instructions in the DCO.  I'm pretty sure the Google open source
training also says that, but maybe not.  If not, it should :)

thanks,

greg k-h


* Re: [PATCH v2 1/1] tty: Restrict access to TIOCLINUX' copy-and-paste subcommands
  2023-08-28 14:48   ` Greg KH
@ 2023-08-28 16:42     ` Günther Noack
  0 siblings, 0 replies; 4+ messages in thread
From: Günther Noack @ 2023-08-28 16:42 UTC
  To: Greg KH
  Cc: Hanno Böck, kernel-hardening, Kees Cook, Jiri Slaby,
	Geert Uytterhoeven, Paul Moore, Samuel Thibault, David Laight,
	Simon Brand, Dave Mielke, Mickaël Salaün, KP Singh,
	Nico Schottelius

On Mon, Aug 28, 2023 at 04:48:28PM +0200, Greg KH wrote:
> On Mon, Aug 28, 2023 at 02:21:09PM +0200, Günther Noack wrote:
> > Signed-off-by: Hanno Böck <hanno@hboeck.de>
> > Tested-by: Günther Noack <gnoack@google.com>
> 
> When you pass on a patch like this, you too need to sign off on it as
> per the instructions in the DCO.  I'm pretty sure the Google open source
> training also says that, but maybe not.  If not, it should :)

Ah sorry -- fixed and re-sent.

—Günther

-- 
Sent using Mutt 🐕 Woof Woof

