oss-sec mailing list archives

Re: s/party/hack like it's 1999


From: Greg KH <greg () kroah com>
Date: Mon, 21 Sep 2015 09:53:37 -0700

On Mon, Sep 21, 2015 at 04:43:46PM +0000, David Holland wrote:
> On Sun, Sep 20, 2015 at 06:26:31AM +0300, Solar Designer wrote:
> > > Note that all that was needed for this to happen was for a stray C2
> > > byte from one writer to get injected just before the character-final
> > > 9B byte of a multibyte character from another writer. I specifically
> > > chose my example so that both writers output data which is well-formed
> > > and printable UTF-8, but that was not necessary.
> > > 
> > > Since I see no reasonable application-side mitigation for this, I
> > 
> > Yeah.  A user's mitigation may be to avoid running multiple programs at
> > a time on a UTF-8 terminal.  E.g. running "ps &" appears unsafe
> > (although is indeed unlikely to actually be used in a successful
> > attack), even if "ps" replaces control characters with question marks.
> 
> I have been arguing for years (but without success) that vt bomb
> injection needs to be blocked in the tty driver. This problem
> (corruption of concurrent UTF-8 streams) needs to be too, as a matter
> of correctness and not even security.

How exactly would a tty driver "block" anything like this?  A tty driver
never looks at the data stream in the kernel, as that way lies
madness...

thanks,

greg k-h
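The byte-level failure mode the thread is arguing about, as an added example that is not part of any message in this thread and not code from any of its authors. Two writers each emit well-formed, printable UTF-8 (writer A prints U+201B, bytes E2 80 9B; writer B prints U+00A9, bytes C2 A9; both are constructed samples chosen here, not the characters used by the original poster). The write(2) schedule is assumed: B's lead byte C2 lands on the tty between A's 80 and 9B, which is the "stray C2 byte just before the character-final 9B byte" case quoted above. The decoder below is a small lenient one, written here to mimic what a terminal does on a truncated sequence (replace and resync); the exact replacement behaviour of real terminals varies, but the decoded stream still contains U+009B, which ECMA-48 defines as CSI and which terminals honouring 8-bit C1 controls treat as the equivalent of ESC [.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Decode one UTF-8 sequence from p (n bytes available) into *cp.
 * Returns bytes consumed (always >= 1 when n > 0).  On a malformed or
 * truncated sequence it behaves like a lenient terminal: emits U+FFFD,
 * consumes only the offending byte, and resyncs on the next one. */
static size_t utf8_next(const uint8_t *p, size_t n, uint32_t *cp)
{
    size_t len;
    uint32_t c;
    if (n == 0) return 0;
    if (p[0] < 0x80) { *cp = p[0]; return 1; }
    else if ((p[0] & 0xE0) == 0xC0) { len = 2; c = p[0] & 0x1F; }
    else if ((p[0] & 0xF0) == 0xE0) { len = 3; c = p[0] & 0x0F; }
    else if ((p[0] & 0xF8) == 0xF0) { len = 4; c = p[0] & 0x07; }
    else { *cp = 0xFFFD; return 1; }          /* stray continuation / bad lead */
    for (size_t i = 1; i < len; i++) {
        if (i >= n || (p[i] & 0xC0) != 0x80) { *cp = 0xFFFD; return 1; }
        c = (c << 6) | (p[i] & 0x3F);
    }
    /* overlong, surrogate or out-of-range encodings are treated as invalid */
    if ((len == 2 && c < 0x80) || (len == 3 && c < 0x800) ||
        (len == 4 && c < 0x10000) || c > 0x10FFFF ||
        (c >= 0xD800 && c <= 0xDFFF)) { *cp = 0xFFFD; return 1; }
    *cp = c;
    return len;
}

/* Number of C1 control code points (U+0080..U+009F) in a decoded byte stream. */
static size_t count_c1(const uint8_t *buf, size_t n)
{
    size_t i = 0, count = 0;
    uint32_t cp;
    while (i < n) {
        i += utf8_next(buf + i, n - i, &cp);
        if (cp >= 0x80 && cp <= 0x9F) count++;
    }
    return count;
}

/* 1 if the decoded stream contains the given code point, else 0. */
static int contains_codepoint(const uint8_t *buf, size_t n, uint32_t want)
{
    size_t i = 0;
    uint32_t cp;
    while (i < n) {
        i += utf8_next(buf + i, n - i, &cp);
        if (cp == want) return 1;
    }
    return 0;
}

/* One write(2) as it reached the tty: which writer, and how many bytes. */
struct chunk { int writer; size_t len; };

/* Merge two byte streams according to an assumed arrival schedule. */
static size_t interleave(const uint8_t *a, const uint8_t *b,
                         const struct chunk *sched, size_t nsched,
                         uint8_t *out, size_t outcap)
{
    size_t ia = 0, ib = 0, o = 0;
    for (size_t i = 0; i < nsched; i++) {
        const uint8_t *src = sched[i].writer == 0 ? a + ia : b + ib;
        if (o + sched[i].len > outcap) break;
        memcpy(out + o, src, sched[i].len);
        o += sched[i].len;
        if (sched[i].writer == 0) ia += sched[i].len; else ib += sched[i].len;
    }
    return o;
}

/* Constructed samples: U+201B (printable) and U+00A9 (printable). */
static const uint8_t WRITER_A[] = { 0xE2, 0x80, 0x9B };
static const uint8_t WRITER_B[] = { 0xC2, 0xA9 };

static uint8_t merged[16];
static size_t merged_len;

/* Assumed schedule: A writes E2 80, B writes C2, A writes 9B, B writes A9.
 * Returns the number of C1 controls a terminal would decode from the result. */
static size_t run_scenario(void)
{
    static const struct chunk sched[] = { {0, 2}, {1, 1}, {0, 1}, {1, 1} };
    merged_len = interleave(WRITER_A, WRITER_B, sched, 4, merged, sizeof merged);
    return count_c1(merged, merged_len);
}

int main(void)
{
    printf("writer A alone: %zu C1 controls\n", count_c1(WRITER_A, sizeof WRITER_A));
    printf("writer B alone: %zu C1 controls\n", count_c1(WRITER_B, sizeof WRITER_B));
    size_t c1 = run_scenario();
    printf("interleaved (%zu bytes): %zu C1 controls, CSI present: %d\n",
           merged_len, c1, contains_codepoint(merged, merged_len, 0x9B));
    return 0;
}
```

Neither writer's output contains a control character, so filtering on the application side (the "ps replaces control characters with question marks" mitigation quoted above) cannot catch it; the CSI only exists once the two byte streams have been merged, which is why the thread ends up at the tty layer.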

