Re: [PATCH] tty: Prevent untrappable signals from malicious program

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 01/19/2015 12:57 PM, Howard Chu wrote:
> Peter Hurley wrote:
>> Commit 26df6d13406d1a5 ("tty: Add EXTPROC support for LINEMODE")
>> allows a process which has opened a pty master to send _any_ signal
>> to the process group of the pty slave. Although potentially
>> exploitable by a malicious program running a setuid program on
>> a pty slave, it's unknown if this exploit currently exists.
>>
>> Limit to signals actually used.
>>
>> Cc: Theodore Ts'o <tytso@xxxxxxx>
>> Cc: Howard Chu <hyc@xxxxxxxxx>
>> Cc: One Thousand Gnomes <gnomes@xxxxxxxxxxxxxxxxxxx>
>> Cc: Jiri Slaby <jslaby@xxxxxxx>
>> Cc: <stable@xxxxxxxxxxxxxxx> # 2.6.36+
>> Signed-off-by: Peter Hurley <peter@xxxxxxxxxxxxxxxxxx>
>> ---
>>   drivers/tty/pty.c | 3 +++
>>   1 file changed, 3 insertions(+)
>>
>> diff --git a/drivers/tty/pty.c b/drivers/tty/pty.c
>> index a9d256d..46366f0 100644
>> --- a/drivers/tty/pty.c
>> +++ b/drivers/tty/pty.c
>> @@ -210,6 +210,9 @@ static int pty_signal(struct tty_struct *tty, int sig)
>>   {
>>       struct pid *pgrp;
>>
>> +    if (sig != SIGINT || sig != SIGQUIT || sig != SIGTSTP)
>> +        return -EINVAL;
> 
> This patch is clearly wrong, should be && not || in the test.

Hahaha, whoops.

> 
>> +
>>       if (tty->link) {
>>           pgrp = tty_get_pgrp(tty->link);
>>           if (pgrp)
>>
> 
> 

--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]