lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Sun, 19 Feb 2017 16:35:12 +0100
From:   Florian Weimer <fw@...eb.enyo.de>
To:     Greg KH <gregkh@...uxfoundation.org>
Cc:     linux-api@...r.kernel.org,
        Christian Brauner <christian.brauner@...onical.com>,
        linux-kernel@...r.kernel.org, jslaby@...e.com
Subject: Re: Hard-coding PTY device node numbers in userspace

* Greg KH:

> On Fri, Feb 17, 2017 at 12:02:52PM +0100, Florian Weimer wrote:
>> We want to reject PTY devices from other namespaces as valid input to
>> the ttyname and ttyname_r functions, while still providing a hint to
>> callers that the device is, in fact, a PTY.  Christian Brauner wrote a
>> glibc patch for this:
>> 
>>   <https://sourceware.org/ml/libc-alpha/2017-01/msg00531.html>
>> 
>> It hard-codes the major PTY device number range.  Is this feasible?
>> Is it part of the stable userspace ABI for the TTY subsystem?
>
> What major numbers are you using in the patch '2' and '3'?

I think there is just one patch, and the check looks like this:

  static inline int
  is_pty (struct stat64 *sb)
  {
    int m = major (sb->st_rdev);
    return (136 <= m && m <= 143);
  }

> And yes,
> major numbers are static and you should be fine to rely on them.  But
> can't you test that the device is a pty to verify it?

It's not entirely clear what exactly a PTY descriptor should be for
ttyname.  Going forward, we only want to treat descriptors for PTY
devices which can be accessed using /dev/pts paths in the current
namespace as PTYs.  Christian's patch adds a separate error code for
the case where the descriptor is a PTY, but it comes from a different
namespace.

I'm concerned that some software out there assumes that if standard
input is a PTY according to ttyname, it is safe to chown it.  There
have been security issues related to that a long time ago on some UNIX
systems, and I want us to be conservative here.

Powered by blists - more mailing lists