oss-sec mailing list archives

Re: TTY pushback vulnerabilities / TIOCSTI

From: Hanno Böck <hanno () hboeck de>
Date: Fri, 24 Mar 2023 19:56:50 +0100

Here's a proposed patch to restrict access to the dangerous
functionality. Waiting a few days for feedback here and will then try
to send it to the appropriate kernel lists.

------------------

Restrict access to TIOCLINUX selection functions

These functions can be used for privilege escalation when code is
executed with tools like su/sudo.

Signed-off-by: Hanno Böck <hanno () hboeck de>
---
 drivers/tty/vt/vt.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
index 3c2ea9c09..367117310 100644
--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -3146,10 +3146,14 @@ int tioclinux(struct tty_struct *tty, unsigned
long arg) switch (type)
        {
                case TIOCL_SETSEL:
+                       if (!capable(CAP_SYS_ADMIN))
+                               return -EPERM;
                        ret = set_selection_user((struct
tiocl_selection __user *)(p+1), tty);
                        break;
                case TIOCL_PASTESEL:
+                       if (!capable(CAP_SYS_ADMIN))
+                               return -EPERM;
                        ret = paste_selection(tty);
                        break;
                case TIOCL_UNBLANKSCREEN:
@@ -3158,6 +3162,8 @@ int tioclinux(struct tty_struct *tty, unsigned
long arg) console_unlock();
                        break;
                case TIOCL_SELLOADLUT:
+                       if (!capable(CAP_SYS_ADMIN))
+                               return -EPERM;
                        console_lock();
                        ret = sel_loadlut(p);
                        console_unlock();
-- 
2.40.0



-- 
Hanno Böck
https://hboeck.de/

Current thread:

TTY pushback vulnerabilities / TIOCSTI Hanno Böck (Mar 14)
- Re: TTY pushback vulnerabilities / TIOCSTI Jakub Wilk (Mar 14)
  - Re: TTY pushback vulnerabilities / TIOCSTI Hanno Böck (Mar 17)
    - Re: TTY pushback vulnerabilities / TIOCSTI Jakub Wilk (Mar 17)
    - Re: TTY pushback vulnerabilities / TIOCSTI Hanno Böck (Mar 19)
    - Re: TTY pushback vulnerabilities / TIOCSTI Jakub Wilk (Mar 21)
    - Re: TTY pushback vulnerabilities / TIOCSTI Hanno Böck (Mar 24)
    - Re: TTY pushback vulnerabilities / TIOCSTI Lyndon Nerenberg (VE7TFX/VE6BBM) (Mar 18)
    - Re: TTY pushback vulnerabilities / TIOCSTI Christos Zoulas (Mar 18)
    - Re: TTY pushback vulnerabilities / TIOCSTI Eric Ashley (Mar 18)
- Re: TTY pushback vulnerabilities / TIOCSTI Peter Bex (Mar 14)
  - Re: TTY pushback vulnerabilities / TIOCSTI Hanno Böck (Mar 14)
    - Re: TTY pushback vulnerabilities / TIOCSTI Peter Bex (Mar 14)
- Re: TTY pushback vulnerabilities / TIOCSTI Shawn Webb (Mar 14)
  - Re: TTY pushback vulnerabilities / TIOCSTI Fabian Keil (Mar 15)
    - Re: TTY pushback vulnerabilities / TIOCSTI Dave Horsfall (Mar 15)
    - Re: TTY pushback vulnerabilities / TIOCSTI Casper Dik (Mar 15)

(Thread continues...)