On 2024-12-03 06:07, Günther Noack wrote:
On Tue, Dec 03, 2024 at 02:53:27PM +0100, Günther Noack wrote:
Hanno, you are the original author of this patch and you have done a
more
detailed analysis on the TIOCLINUX problems than me -- do you agree
that this
weakened check would still be sufficient to protect against the
TIOCLINUX
problems? (Or in other words, if we permitted TIOCL_SELPOINTER,
TIOCL_SELCLEAR
and TIOCL_SELMOUSEREPORT for non-CAP_SYS_ADMIN processes, would you
still see a
way to misuse that functionality?)
P.S.: For reference, some more detailed reasoning why I think that that
proposal
would be OK:
It would protect at least against the "minittyjack.c" example that was
attached
to https://www.openwall.com/lists/oss-security/2023/03/14/3
The trick used there was:
* ioctl() with TIOCLINUX with TIOCL_SETSEL with TIOCL_SELLINE,
to make a selection (a.k.a. changing the contents of vc_sel)
* ioctl() with TIOCLINUX and TIOCL_PASTESEL to paste the selection.
(The implementation for that is in selection.c/paste_selection()
and is just copying from vc_sel.)
So as long as we are protecting the change to vc_sel, that should be OK
in my
mind.
It's been silent for about a week and a half here. How long do we wait
before creating a patch here? This is a regression so I'm assuming we
shouldn't wait too long.
I'm happy to create the patch if that's helpful. I'd need help with
process for submitting it for inclusion in the latest kernel as well as
backports to earlier impacted versions. I've never submitted code to
Linux before.
-- MJF
