authorSimon McVittie <smcv@debian.org>2023-03-15 09:58:56 +0000
committerSimon McVittie <smcv@collabora.com>2023-03-16 09:54:14 +0000
commit8e63de9a7d3124f91140fc74f8ca9ed73ed53be9 (patch)
tree0a26a9eed31202b6d6541c84471ba50dc9d308f4
parent409e34187de2b2b2c4ef34c79f417be698830f6c (diff)
run: Prevent TIOCLINUX ioctl, the same as TIOCSTI
The TIOCLINUX ioctl is only available on Linux virtual consoles such as /dev/tty1. It has several Linux-specific functions, one of which is a copy/paste operation which can be used for attacks similar to TIOCSTI. This vulnerability does not affect typical graphical terminal emulators such as xterm, gnome-terminal and Konsole, and Flatpak is primarily designed to be run from a Wayland or X11 graphical environment, so this is relatively unlikely to be a practical problem. CVE-2023-28100, GHSA-7qpw-3vjv-xrqp Resolves: https://github.com/flatpak/flatpak/security/advisories/GHSA-7qpw-3vjv-xrqp Signed-off-by: Simon McVittie <smcv@debian.org>
-rw-r--r--common/flatpak-run.c4
-rwxr-xr-xtests/test-seccomp.sh8
-rw-r--r--tests/try-syscall.c9
3 files changed, 20 insertions, 1 deletions
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
index 9a5195ab..f871fb04 100644
--- a/common/flatpak-run.c
+++ b/common/flatpak-run.c
@@ -3220,6 +3220,10 @@ setup_seccomp (FlatpakBwrap *bwrap,
/* Don't allow faking input to the controlling tty (CVE-2017-5226) */
{SCMP_SYS (ioctl), EPERM, &SCMP_A1 (SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int) TIOCSTI)},
+ /* In the unlikely event that the controlling tty is a Linux virtual
+ * console (/dev/tty2 or similar), copy/paste operations have an effect
+ * similar to TIOCSTI (CVE-2023-28100) */
+ {SCMP_SYS (ioctl), EPERM, &SCMP_A1 (SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int) TIOCLINUX)},
/* seccomp can't look into clone3()'s struct clone_args to check whether
* the flags are OK, so we have no choice but to block clone3().
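Review bot: The new rule denies every TIOCLINUX subfunction, not only the copy/paste one the comment names, because the subcode lives behind the pointer argument where seccomp cannot look — the same limitation the clone3 comment just below describes. That is the right call, but the comment should say so, so nobody later tries to narrow the rule to the paste subcommand; append a line such as ` * (seccomp cannot inspect the subcode behind the pointer argument, so every TIOCLINUX function is denied)`. The `0xFFFFFFFFu` mask mirrors the TIOCSTI entry above and keeps the high-bits handling consistent between the two rules, which is worth preserving for any further ioctl entries. setup_seccomp starts and ends outside the hunk.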
diff --git a/tests/test-seccomp.sh b/tests/test-seccomp.sh
index 72b0dad2..be6fb085 100755
--- a/tests/test-seccomp.sh
+++ b/tests/test-seccomp.sh
@@ -8,7 +8,7 @@ set -euo pipefail
skip_without_bwrap
-echo "1..16"
+echo "1..18"
setup_repo
install_repo
@@ -80,6 +80,12 @@ for extra_argv in "" "--allow=multiarch"; do
ok "ioctl TIOCSTI with high bits blocked (CVE-2019-10063)"
fi
+ echo "# ioctl TIOCLINUX (CVE-2023-28100)"
+ e=0
+ try_syscall "ioctl TIOCLINUX" || e="$?"
+ assert_streq "$e" "$EPERM"
+ ok "ioctl TIOCLINUX blocked"
+
echo "# listen (benign)"
e=0
try_syscall "listen" || e="$?"
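Review bot: The plan line `echo "1..18"` is a hand-maintained count that silently depends on the `for extra_argv` loop running the new block twice; when it drifts, the suite fails on the plan rather than on the check that actually broke. A comment beside it would make that dependency explicit, e.g. `# plan = tests per extra_argv iteration x 2 iterations; update when adding a check`. Whether any tests run outside the loop is not visible in this hunk, so the exact per-iteration count is inferred.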
diff --git a/tests/try-syscall.c b/tests/try-syscall.c
index 221fe324..1a12ddee 100644
--- a/tests/try-syscall.c
+++ b/tests/try-syscall.c
@@ -151,6 +151,15 @@ main (int argc, char **argv)
}
}
#endif
+ else if (strcmp (arg, "ioctl TIOCLINUX") == 0)
+ {
+ /* If not blocked by seccomp, this will fail with EBADF */
+ if (ioctl (-1, TIOCLINUX, WRONG_POINTER) != 0)
+ {
+ errsv = errno;
+ perror (arg);
+ }
+ }
else if (strcmp (arg, "listen") == 0)
{
/* If not blocked by seccomp, this will fail with EBADF */
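Review bot: The comment `/* If not blocked by seccomp, this will fail with EBADF */` on the new TIOCLINUX branch leaves unstated why the probe is safe to run outside the sandbox: with fd -1 the kernel rejects the call before the request is dispatched, so no real TIOCLINUX is performed and WRONG_POINTER is never dereferenced. Spelling that out protects the -1 from being "fixed" to a real tty descriptor later, e.g. `/* fd -1 fails with EBADF before the request reaches any tty driver, so this never performs a real TIOCLINUX; EPERM means seccomp blocked it */`. The branch, like its siblings, leaves errsv untouched if ioctl unexpectedly returns 0, so a success would presumably be reported with a stale value — acceptable for a probe, but worth a word in the comment. main starts and ends outside the hunk.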