By default forbid terminal control sequences on xl console output

Handling full terminal, including control sequences, should be sandboxed
in DispVM. In dom0 allow only minimal console.

QubesOS/qubes-issues#4544

(cherry picked from commit de4363b)

patch-tools-xenconsole-replace-ESC-char-on-xenconsole-outp.patch

@@ -0,0 +1,156 @@
+From d9fe41c13277c45c721287c7786c47dd5579f9e1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
+ <marmarek@invisiblethingslab.com>
+Date: Sun, 10 Feb 2019 02:11:50 +0100
+Subject: [PATCH] tools/xenconsole: replace ESC char on xenconsole output by
+ default
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+Organization: Invisible Things Lab
+Cc: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
+
+And add --no-replace-escape option to disable it.
+This is done to prevent domU from exploiting hypothetical bug in
+terminal emulator.
+
+Add an -r/--no-replace-escape option to xenconsole client to disable
+replacing ESC. Carry it from xl command through env variable.
+
+Signed-off-by: Marek Marczykowski-Górecki <marmarek@invisiblethingslab.com>
+---
+ tools/console/client/main.c | 21 ++++++++++++++++++---
+ tools/xl/xl_cmdtable.c      |  3 ++-
+ tools/xl/xl_console.c       |  8 +++++++-
+ 3 files changed, 27 insertions(+), 5 deletions(-)
+
+diff --git a/tools/console/client/main.c b/tools/console/client/main.c
+index f92ad3d8cf..bdfc8aef52 100644
+--- a/tools/console/client/main.c
++++ b/tools/console/client/main.c
+@@ -78,6 +78,7 @@ static void usage(const char *program) {
+ 	       "  -n, --num N      use console number N\n"
+ 	       "  --type TYPE      console type. must be 'pv', 'serial' or 'vuart'\n"
+ 	       "  --start-notify-fd N file descriptor used to notify parent\n"
++	       "  -r, --no-replace-escape Do not replace ESC character with dot\n"
+ 	       , program);
+ }
+
+@@ -175,7 +176,7 @@ static void restore_term(int fd, struct termios *old)
+ }
+
+ static int console_loop(int fd, struct xs_handle *xs, char *pty_path,
+-		        bool interactive)
++		        bool interactive, bool replace_escape)
+ {
+ 	int ret, xs_fd = xs_fileno(xs), max_fd = -1;
+
+@@ -249,6 +250,12 @@ static int console_loop(int fd, struct xs_handle *xs, char *pty_path,
+ 				fd = -1;
+ 				continue;
+ 			}
++			if (replace_escape) {
++				int i;
++				for (i = 0; i < len; i++)
++					if (msg[i] == '\033')
++						msg[i] = '.';
++			}
+
+ 			if (!write_sync(STDOUT_FILENO, msg, len)) {
+ 				perror("write() failed");
+@@ -325,7 +332,7 @@ int main(int argc, char **argv)
+ {
+ 	struct termios attr;
+ 	int domid;
+-	char *sopt = "hn:";
++	char *sopt = "hn:r";
+ 	int ch;
+ 	unsigned int num = 0;
+ 	int opt_ind=0;
+@@ -336,6 +343,7 @@ int main(int argc, char **argv)
+ 		{ "help",    0, 0, 'h' },
+ 		{ "start-notify-fd", 1, 0, 's' },
+ 		{ "interactive", 0, 0, 'i' },
++		{ "no-replace-escape", 0, 0, 'r' },
+ 		{ 0 },
+
+ 	};
+@@ -345,8 +353,12 @@ int main(int argc, char **argv)
+ 	char *end;
+ 	console_type type = CONSOLE_INVAL;
+ 	bool interactive = 0;
++	bool replace_escape = 1;
+ 	char *console_names = "serial, pv, vuart";
+
++	if (getenv("XEN_CONSOLE_REPLACE_ESCAPE"))
++		replace_escape = atoi(getenv("XEN_CONSOLE_REPLACE_ESCAPE"));
++
+ 	while((ch = getopt_long(argc, argv, sopt, lopt, &opt_ind)) != -1) {
+ 		switch(ch) {
+ 		case 'h':
+@@ -376,6 +388,9 @@ int main(int argc, char **argv)
+ 		case 'i':
+ 			interactive = 1;
+ 			break;
++		case 'r':
++			replace_escape = 0;
++			break;
+ 		default:
+ 			fprintf(stderr, "Invalid argument\n");
+ 			fprintf(stderr, "Try `%s --help' for more information.\n", 
+@@ -495,7 +510,7 @@ int main(int argc, char **argv)
+ 		close(start_notify_fd);
+ 	}
+
+-	console_loop(spty, xs, path, interactive);
++	console_loop(spty, xs, path, interactive, replace_escape);
+
+ 	free(path);
+ 	free(dom_path);
+diff --git a/tools/xl/xl_cmdtable.c b/tools/xl/xl_cmdtable.c
+index 89716badcb..f9f56e038f 100644
+--- a/tools/xl/xl_cmdtable.c
++++ b/tools/xl/xl_cmdtable.c
+@@ -136,7 +136,8 @@ struct cmd_spec cmd_table[] = {
+       "Attach to domain's console",
+       "[options] <Domain>\n"
+       "-t <type>       console type, pv , serial or vuart\n"
+-      "-n <number>     console number"
++      "-n <number>     console number\n"
++      "-r              do not replace ESC character with dot"
+     },
+     { "vncviewer",
+       &main_vncviewer, 0, 0,
+diff --git a/tools/xl/xl_console.c b/tools/xl/xl_console.c
+index 4e65d73867..d9d78ed079 100644
+--- a/tools/xl/xl_console.c
++++ b/tools/xl/xl_console.c
+@@ -27,9 +27,10 @@ int main_console(int argc, char **argv)
+     uint32_t domid;
+     int opt = 0, num = 0;
+     libxl_console_type type = 0;
++    bool replace_escape = true;
+     char *console_names = "pv, serial, vuart";
+
+-    SWITCH_FOREACH_OPT(opt, "n:t:", NULL, "console", 1) {
++    SWITCH_FOREACH_OPT(opt, "n:t:r", NULL, "console", 1) {
+     case 't':
+         if (!strcmp(optarg, "pv"))
+             type = LIBXL_CONSOLE_TYPE_PV;
+@@ -45,8 +46,13 @@ int main_console(int argc, char **argv)
+     case 'n':
+         num = atoi(optarg);
+         break;
++    case 'r':
++        replace_escape = false;
++        break;
+     }
+
++    setenv("XEN_CONSOLE_REPLACE_ESCAPE", replace_escape ? "1" : "0", 1);
++
+     domid = find_domain(argv[optind]);
+     if (!type)
+         libxl_primary_console_exec(ctx, domid, -1);
+-- 
+2.17.2
+

xen.spec.in

@@ -195,6 +195,7 @@ Patch1012: patch-tools-hotplug-drop-perl-usage-in-locking-mechanism.patch
 Patch1013: patch-stubdom-linux-libxl-use-EHCI-for-providing-tablet-USB-device.patch
 Patch1014: patch-allow-kernelopts-stubdom.patch
 Patch1015: patch-libxl-readonly-disk-scsi.patch
+Patch1016: patch-tools-xenconsole-replace-ESC-char-on-xenconsole-outp.patch
 
 Patch1020: patch-stubdom-linux-config-qubes-gui.patch
 Patch1021: patch-stubdom-linux-libxl-do-not-force-qdisk-backend-for-cdrom.patch