All of lore.kernel.org
 help / color / mirror / Atom feed
From: "Theodore Ts'o" <tytso@mit.edu>
To: Peter Hurley <peter@hurleysoftware.com>
Cc: Howard Chu <hyc@symas.com>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	One Thousand Gnomes <gnomes@lxorguk.ukuu.org.uk>,
	Jiri Slaby <jslaby@suse.cz>,
	Linux Kernel Mailing List <Linux-Kernel@vger.kernel.org>,
	linux-serial@vger.kernel.org
Subject: Re: [PATCH] n_tty: Remove LINEMODE support
Date: Mon, 19 Jan 2015 11:37:03 -0500	[thread overview]
Message-ID: <20150119163703.GA23605@thunk.org> (raw)
In-Reply-To: <54BD1B53.9030901@hurleysoftware.com>

On Mon, Jan 19, 2015 at 09:57:23AM -0500, Peter Hurley wrote:
> 
> This reader set EOL2 to DISABLED_CHAR earlier, and left EOL unchanged.
> I have seen userspace code that expects a line to be no longer than 4096 chars.

Userspace code that does this is going to be very fragile.  Input from
the tty really should be considered completely untrustworthy.  For
example, what if, while the tty is in canonical (ICANON) mode, an
attacker sets PARMRK and clears IGNPAR, IGNBRK, and BRKINT on the tty
and then proceeds to send a large number of breaks or parity errors
down the tty?  That will certainly cause a buffer overflow of said
userspace process.  So if there is *any* setuid program which isn't
defensively checking for buffer overruns it's kind of screwed anyway.

> >> 4. ioctl(TIOCSIG) can send _any_ signal to a different process without
> >>     permission checks. That's not good.
> > 
> > It can only send to the pty slave. Permissions were already checked when the pty master was opened.
> 
> Still not ok.

Interestingly, TIOCSIG is supported by FreeBSD *and* OpenBSD, and
without any kind of checks.  That being said, I can certainly think of
potential security threats that could happen if a malicious program
were to run a setuid program (say, /bin/passwd) under a pty, and then
proceeded to send it a one or more of non-trappable signals -- for
example, either SIGKILL or SIGSTOP -- to either widen the window for a
race condition, or to kill a setuid program at a particularly
inconvenient time.

It might be interesting to see if someone could figure out an attack
that utilized this ioctl, and then demonstrated it on OpenBSD.  :-)

> > What further checks do you think are needed? You think it should
> > be limited to tty-specific signals: INT, QUIT, CONT, TSTP, TTIN,
> > TTOU, WINCH?

Definitely, and we should do this sooner rather than later IMHO.
Preferably before someone figures out whether or not it's possible to
attack OpenBSD and FreeBSD using this ioctl, and requests a CVE.  :-)

	    	   	     	  	 	     - Ted

  parent reply	other threads:[~2015-01-19 16:37 UTC|newest]

Thread overview: 23+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-01-18 21:30 [PATCH] n_tty: Remove LINEMODE support Peter Hurley
2015-01-18 22:09 ` Howard Chu
2015-01-18 22:22   ` Peter Hurley
2015-01-18 22:44     ` Howard Chu
2015-01-18 23:06       ` Peter Hurley
2015-01-19  4:55         ` Theodore Ts'o
2015-01-19 16:34           ` Peter Hurley
     [not found] ` <54BC3771.7030204@symas.com>
     [not found]   ` <54BC5EC7.1090202@hurleysoftware.com>
2015-01-19 12:46     ` Howard Chu
2015-01-19 14:57       ` Peter Hurley
2015-01-19 16:36         ` Howard Chu
2015-01-19 19:09           ` Peter Hurley
2015-01-19 19:43             ` Howard Chu
2015-01-20 18:02               ` Peter Hurley
2015-01-20 18:39                 ` Howard Chu
2015-01-20 18:51                   ` Howard Chu
2015-01-20 19:08                   ` Peter Hurley
2015-01-20 18:16               ` Peter Hurley
2015-01-19 20:31             ` Howard Chu
2015-01-20 14:53               ` Peter Hurley
2015-01-20 17:20                 ` Peter Hurley
2015-01-19 19:40           ` Peter Hurley
2015-01-19 16:37         ` Theodore Ts'o [this message]
2015-01-19 17:26           ` Peter Hurley

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20150119163703.GA23605@thunk.org \
    --to=tytso@mit.edu \
    --cc=Linux-Kernel@vger.kernel.org \
    --cc=gnomes@lxorguk.ukuu.org.uk \
    --cc=gregkh@linuxfoundation.org \
    --cc=hyc@symas.com \
    --cc=jslaby@suse.cz \
    --cc=linux-serial@vger.kernel.org \
    --cc=peter@hurleysoftware.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.