oss-sec mailing list archives
Re: TIOCSTI not going away
From: Solar Designer <solar () openwall com>
Date: Thu, 29 Jun 2017 16:23:46 +0200
On Sat, Jun 03, 2017 at 06:58:13PM +0200, Solar Designer wrote:
> On LKML, CC'ed to the kernel-hardening mailing list, Matt Brown has been pushing for the upstream Linux kernel to introduce an option (likely to be disabled by default) that would block the TIOCSTI ioctl. Alan Cox repeatedly NAK'ed this:
>
> http://www.openwall.com/lists/kernel-hardening/2017/05/
>
> Sorry there's no one specific message/thread to link to - there were multiple patch revisions, and multiple NAKs with different wording.
>
> Alan's reasoning is that userspace apps like this have to be allocating a new pty anyway, and the kernel change wouldn't help much since TIOCSTI isn't the only way to cause trouble (although per my reading of the examples given, other ways/troubles are either not exactly as bad or not exactly as generic).
While TIOCSTI is apparently not going away on Linux, it is on OpenBSD, and here's some analysis of the apparently almost non-existent impact this will have on Emacs (which was one of the primary examples cited for keeping TIOCSTI on Linux):

https://marc.info/?l=openbsd-tech&m=149868123704451

Theo de Raadt wrote:

"There are indications that a few ports use TIOCSTI. The list is pretty small, and I have not reviewed whether the use of TIOCSTI actually occurs during runtime on OpenBSD:

x11vnc tcsh ucblogo brltty epic4 trn libsanitizer jvim2.0r+onew2.2.10-wnn4 emacs qemu ngspice

I hope those programs get fixed quickly"

Jeremie Courreges-Anglas wrote:

"TIOCSTI is only used once in editors/emacs. The return value of ioctl(2) isn't checked. This is in the "suspend-emacs" function, ie what's called when pressing ^Z, can take an optional string to be sent to the parent process. I could spot only one place in emacs-25.2 where this optional string is used, lisp/obsolete/ledit.el, an obsolete mode for Franz Lisp"

Maybe Christos could comment on tcsh?

Whatever happens (or doesn't happen) for upstream Linux, there will be system(s) dropping TIOCSTI or at least introducing a way to disable it, so reducing userspace programs' dependencies on TIOCSTI makes sense.

Alexander
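The message above notes that Emacs does not check the return value of its one TIOCSTI call and that programs should stop depending on the ioctl. The C sketch below is an added example, not code from the thread, Emacs or tcsh: it checks every call and falls back to showing the user the text when the system refuses. The helper names `stuff_input` and `hand_to_parent` and the sample string are hypothetical.

```c
/* Added example: TIOCSTI with the ioctl(2) result checked and a fallback. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>

/*
 * Hypothetical helper (not from Emacs or tcsh). Queue the bytes of s as
 * terminal input on fd, one TIOCSTI call per byte. Returns the number of
 * bytes queued; on the first failure stores errno in *err and stops.
 */
static size_t stuff_input(int fd, const char *s, int *err)
{
    size_t n = 0;
    *err = 0;
    for (; s[n] != '\0'; n++) {
        char c = s[n];
        if (ioctl(fd, TIOCSTI, &c) == -1) {
            *err = errno;   /* not a tty, not permitted, or disabled */
            break;
        }
    }
    return n;
}

/*
 * Hand a string to the parent shell when suspending. Returns 1 if it was
 * fully queued, 0 if TIOCSTI failed and the remainder was printed to msg
 * for the user to type instead.
 */
static int hand_to_parent(int fd, const char *s, FILE *msg)
{
    int err;
    size_t done = stuff_input(fd, s, &err);
    if (err == 0)
        return 1;
    fprintf(msg, "TIOCSTI unavailable (%s); type this yourself: %s",
            strerror(err), s + done);
    return 0;
}

int main(void)
{
    /* Constructed sample string; exit status 1 means the fallback ran. */
    return hand_to_parent(STDIN_FILENO, "echo resumed\n", stderr) ? 0 : 1;
}
```

A program written this way keeps working, with a visible hint instead of silent loss of the string, on a system that has removed or disabled TIOCSTI.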
