TIOCLINUX can be used for privilege escalation on virtual terminals when
code is executed via tools like su/sudo and sandboxing tools.
By abusing the selection features, a lower-privileged application can
write content to the console, select and copy/paste that content and
thereby executing code on the privileged account. See also the poc
here:
https://www.openwall.com/lists/oss-security/2023/03/14/3
Selection is usually used by tools like gpm that provide mouse features
on the virtual console. gpm already runs as root (due to earlier
changes that restrict access to a user on the current TTY), therefore
it will still work with this change.
With this change, the following TIOCLINUX subcommands require
CAP_SYS_ADMIN:
* TIOCL_SETSEL - setting the selected region on the terminal
* TIOCL_PASTESEL - pasting the contents of the selected region into
the input buffer
* TIOCL_SELLOADLUT - changing word-by-word selection behaviour
The security problem mitigated is similar to the security risks caused
by TIOCSTI, which, since kernel 6.2, can be disabled with
CONFIG_LEGACY_TIOCSTI=n.
Signed-off-by: Hanno Böck <hanno@hboeck.de>
Signed-off-by: Günther Noack <gnoack@google.com>
Tested-by: Günther Noack <gnoack@google.com>
Link: https://lore.kernel.org/r/20230828164117.3608812-2-gnoack@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
switch (type) {
case TIOCL_SETSEL:
+ if (!capable(CAP_SYS_ADMIN))
+ return -EPERM;
return set_selection_user((struct tiocl_selection
__user *)(p+1), tty);
case TIOCL_PASTESEL:
+ if (!capable(CAP_SYS_ADMIN))
+ return -EPERM;
return paste_selection(tty);
case TIOCL_UNBLANKSCREEN:
console_lock();
console_unlock();
break;
case TIOCL_SELLOADLUT:
+ if (!capable(CAP_SYS_ADMIN))
+ return -EPERM;
console_lock();
ret = sel_loadlut(p);
console_unlock();
projects / thirdparty / linux.git / commitdiff
