[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] TTY pushback vulnerabilities / TIOCSTI
From:       Hanno =?iso-8859-1?q?B=F6ck?= <hanno () hboeck ! de>
Date:       2023-03-24 18:56:50
Message-ID: 20230324195650.6785dd20.hanno () hboeck ! de
[Download RAW message or body]

Here's a proposed patch to restrict access to the dangerous
functionality. Waiting a few days for feedback here and will then try
to send it to the appropriate kernel lists.

------------------

Restrict access to TIOCLINUX selection functions

These functions can be used for privilege escalation when code is
executed with tools like su/sudo.

Signed-off-by: Hanno Böck <hanno@hboeck.de>
---
 drivers/tty/vt/vt.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
index 3c2ea9c09..367117310 100644
--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -3146,10 +3146,14 @@ int tioclinux(struct tty_struct *tty, unsigned
long arg) switch (type)
 	{
 		case TIOCL_SETSEL:
+			if (!capable(CAP_SYS_ADMIN))
+				return -EPERM;
 			ret = set_selection_user((struct
tiocl_selection __user *)(p+1), tty);
 			break;
 		case TIOCL_PASTESEL:
+			if (!capable(CAP_SYS_ADMIN))
+				return -EPERM;
 			ret = paste_selection(tty);
 			break;
 		case TIOCL_UNBLANKSCREEN:
@@ -3158,6 +3162,8 @@ int tioclinux(struct tty_struct *tty, unsigned
long arg) console_unlock();
 			break;
 		case TIOCL_SELLOADLUT:
+			if (!capable(CAP_SYS_ADMIN))
+				return -EPERM;
 			console_lock();
 			ret = sel_loadlut(p);
 			console_unlock();
-- 
2.40.0



-- 
Hanno Böck
https://hboeck.de/
[prev in list] [next in list] [prev in thread] [next in thread]