All of lore.kernel.org
 help / color / mirror / Atom feed
From: Peter Hurley <peter@hurleysoftware.com>
To: "Theodore Ts'o" <tytso@mit.edu>, Howard Chu <hyc@symas.com>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	One Thousand Gnomes <gnomes@lxorguk.ukuu.org.uk>,
	Jiri Slaby <jslaby@suse.cz>,
	Linux Kernel Mailing List <Linux-Kernel@vger.kernel.org>,
	linux-serial@vger.kernel.org
Subject: Re: [PATCH] n_tty: Remove LINEMODE support
Date: Mon, 19 Jan 2015 12:26:02 -0500	[thread overview]
Message-ID: <54BD3E2A.9040401@hurleysoftware.com> (raw)
In-Reply-To: <20150119163703.GA23605@thunk.org>

On 01/19/2015 11:37 AM, Theodore Ts'o wrote:
> On Mon, Jan 19, 2015 at 09:57:23AM -0500, Peter Hurley wrote:
>>
>> This reader set EOL2 to DISABLED_CHAR earlier, and left EOL unchanged.
>> I have seen userspace code that expects a line to be no longer than 4096 chars.
> 
> Userspace code that does this is going to be very fragile.  Input from
> the tty really should be considered completely untrustworthy.

Should and do are different modal verbs.

> For example, what if, while the tty is in canonical (ICANON) mode, an
> attacker sets PARMRK and clears IGNPAR, IGNBRK, and BRKINT on the tty
> and then proceeds to send a large number of breaks or parity errors
> down the tty?

The input path limits _all_ canonical lines to 4096 chars. Input beyond that
is discarded until a newline is received. I know this because I broke it
and just recently fixed it.

> That will certainly cause a buffer overflow of said
> userspace process.  So if there is *any* setuid program which isn't
> defensively checking for buffer overruns it's kind of screwed anyway.
> 
>>>> 4. ioctl(TIOCSIG) can send _any_ signal to a different process without
>>>>     permission checks. That's not good.
>>>
>>> It can only send to the pty slave. Permissions were already checked when the pty master was opened.
>>
>> Still not ok.
> 
> Interestingly, TIOCSIG is supported by FreeBSD *and* OpenBSD, and
> without any kind of checks.  That being said, I can certainly think of
> potential security threats that could happen if a malicious program
> were to run a setuid program (say, /bin/passwd) under a pty, and then
> proceeded to send it a one or more of non-trappable signals -- for
> example, either SIGKILL or SIGSTOP -- to either widen the window for a
> race condition, or to kill a setuid program at a particularly
> inconvenient time.

I hadn't considered that possibility.

> It might be interesting to see if someone could figure out an attack
> that utilized this ioctl, and then demonstrated it on OpenBSD.  :-)

I don't need that reputation :)

>>> What further checks do you think are needed? You think it should
>>> be limited to tty-specific signals: INT, QUIT, CONT, TSTP, TTIN,
>>> TTOU, WINCH?
> 
> Definitely, and we should do this sooner rather than later IMHO.
> Preferably before someone figures out whether or not it's possible to
> attack OpenBSD and FreeBSD using this ioctl, and requests a CVE.  :-)

I'm on it.

Regards,
Peter Hurley

      reply	other threads:[~2015-01-19 17:26 UTC|newest]

Thread overview: 23+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-01-18 21:30 [PATCH] n_tty: Remove LINEMODE support Peter Hurley
2015-01-18 22:09 ` Howard Chu
2015-01-18 22:22   ` Peter Hurley
2015-01-18 22:44     ` Howard Chu
2015-01-18 23:06       ` Peter Hurley
2015-01-19  4:55         ` Theodore Ts'o
2015-01-19 16:34           ` Peter Hurley
     [not found] ` <54BC3771.7030204@symas.com>
     [not found]   ` <54BC5EC7.1090202@hurleysoftware.com>
2015-01-19 12:46     ` Howard Chu
2015-01-19 14:57       ` Peter Hurley
2015-01-19 16:36         ` Howard Chu
2015-01-19 19:09           ` Peter Hurley
2015-01-19 19:43             ` Howard Chu
2015-01-20 18:02               ` Peter Hurley
2015-01-20 18:39                 ` Howard Chu
2015-01-20 18:51                   ` Howard Chu
2015-01-20 19:08                   ` Peter Hurley
2015-01-20 18:16               ` Peter Hurley
2015-01-19 20:31             ` Howard Chu
2015-01-20 14:53               ` Peter Hurley
2015-01-20 17:20                 ` Peter Hurley
2015-01-19 19:40           ` Peter Hurley
2015-01-19 16:37         ` Theodore Ts'o
2015-01-19 17:26           ` Peter Hurley [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=54BD3E2A.9040401@hurleysoftware.com \
    --to=peter@hurleysoftware.com \
    --cc=Linux-Kernel@vger.kernel.org \
    --cc=gnomes@lxorguk.ukuu.org.uk \
    --cc=gregkh@linuxfoundation.org \
    --cc=hyc@symas.com \
    --cc=jslaby@suse.cz \
    --cc=linux-serial@vger.kernel.org \
    --cc=tytso@mit.edu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.