oss-sec mailing list archives

Re: TTY pushback vulnerabilities / TIOCSTI

From: Jakub Wilk <jwilk () jwilk net>
Date: Fri, 17 Mar 2023 20:41:02 +0100

* Hanno Böck <hanno () hboeck de>, 2023-03-17 11:48:

Jakub Wilk <jwilk () jwilk net> wrote:
On Linux virtual terminals, it's possible to achieve pretty much thesame effect using TIOCLINUX, the ioctl used by gpm to implementcopy&pasting.

[...]

Given this works only on "virtual terminals" (aka not in a terminalwindow on X, not over SSH), I think the severity is much lower than theTIOCSTI issue.


Agreed.

I've created a patch for the Linux kernel very similar to the patchthat allows disabling TIOCSTI.


I don't think that's gonna fly, because...

+         The TIOCLINUX ioctl allows implementing copy-and-paste and
+         mouse operations in virtual terminals, used by tools like gpm.

TIOCLINUX implements also functionality unrelated to copying andpasting. See the ioctl_console(2) man page:

https://manpages.debian.org/unstable/manpages-dev/ioctl_console.2.en.html#TIOCLINUX

For example, apparently some of this stuff is used by systemd:

    $ git grep -wB5 TIOCLINUX
    src/basic/terminal-util.c-                int tiocl[2] = {
    src/basic/terminal-util.c-                        TIOCL_GETKMSGREDIRECT,
    src/basic/terminal-util.c-                        0
    src/basic/terminal-util.c-                };
    src/basic/terminal-util.c-
    src/basic/terminal-util.c:                if (ioctl(fd, TIOCLINUX, tiocl) < 0)
    --
    src/vconsole/vconsole-setup.c-static int verify_vc_device(int fd) {
    src/vconsole/vconsole-setup.c-        unsigned char data[] = {
    src/vconsole/vconsole-setup.c-                TIOCL_GETFGCONSOLE,
    src/vconsole/vconsole-setup.c-        };
    src/vconsole/vconsole-setup.c-
    src/vconsole/vconsole-setup.c:        return RET_NERRNO(ioctl(fd, TIOCLINUX, data));

--
Jakub Wilk

Current thread:

TTY pushback vulnerabilities / TIOCSTI Hanno Böck (Mar 14)
- Re: TTY pushback vulnerabilities / TIOCSTI Jakub Wilk (Mar 14)
  - Re: TTY pushback vulnerabilities / TIOCSTI Hanno Böck (Mar 17)
    - Re: TTY pushback vulnerabilities / TIOCSTI Jakub Wilk (Mar 17)
    - Re: TTY pushback vulnerabilities / TIOCSTI Hanno Böck (Mar 19)
    - Re: TTY pushback vulnerabilities / TIOCSTI Jakub Wilk (Mar 21)
    - Re: TTY pushback vulnerabilities / TIOCSTI Hanno Böck (Mar 24)
    - Re: TTY pushback vulnerabilities / TIOCSTI Lyndon Nerenberg (VE7TFX/VE6BBM) (Mar 18)
    - Re: TTY pushback vulnerabilities / TIOCSTI Christos Zoulas (Mar 18)
    - Re: TTY pushback vulnerabilities / TIOCSTI Eric Ashley (Mar 18)
- Re: TTY pushback vulnerabilities / TIOCSTI Peter Bex (Mar 14)
  - Re: TTY pushback vulnerabilities / TIOCSTI Hanno Böck (Mar 14)
    - Re: TTY pushback vulnerabilities / TIOCSTI Peter Bex (Mar 14)
- Re: TTY pushback vulnerabilities / TIOCSTI Shawn Webb (Mar 14)

(Thread continues...)