run: Prevent TIOCLINUX ioctl, the same as TIOCSTI
The TIOCLINUX ioctl is only available on Linux virtual consoles such as
/dev/tty1. It has several Linux-specific functions, one of which is a
copy/paste operation which can be used for attacks similar to TIOCSTI.

This vulnerability does not affect typical graphical terminal emulators
such as xterm, gnome-terminal and Konsole, and Flatpak is primarily
designed to be run from a Wayland or X11 graphical environment, so this
is relatively unlikely to be a practical problem.

CVE-2023-28100, GHSA-7qpw-3vjv-xrqp

Resolves: GHSA-7qpw-3vjv-xrqp
Signed-off-by: Simon McVittie <smcv@debian.org>
smcv committed Mar 16, 2023
1 parent 409e341 commit 8e63de9
Showing 3 changed files with 20 additions and 1 deletion.
4 changes: 4 additions & 0 deletions common/flatpak-run.c
@@ -3220,6 +3220,10 @@ setup_seccomp (FlatpakBwrap *bwrap,

/* Don't allow faking input to the controlling tty (CVE-2017-5226) */
{SCMP_SYS (ioctl), EPERM, &SCMP_A1 (SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int) TIOCSTI)},
/* In the unlikely event that the controlling tty is a Linux virtual
* console (/dev/tty2 or similar), copy/paste operations have an effect
* similar to TIOCSTI (CVE-2023-28100) */
{SCMP_SYS (ioctl), EPERM, &SCMP_A1 (SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, (int) TIOCLINUX)},

/* seccomp can't look into clone3()'s struct clone_args to check whether
* the flags are OK, so we have no choice but to block clone3().
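Review bot: The new rule blocks every TIOCLINUX subfunction, not only the copy/paste one the comment names, and that is the right call for the same reason given for clone3() a few lines below: the subfunction selector lives behind the pointer in the third ioctl argument, which seccomp cannot inspect, so the filter can only match the request number. Stating that explicitly in the comment ("seccomp can't see the subfunction byte, so block the whole ioctl") would stop a later reader from trying to narrow the rule. Reusing the `SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu` form from the TIOCSTI rule is correct here too, since it keeps the high-bits bypass covered for this request number as well.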
8 changes: 7 additions & 1 deletion tests/test-seccomp.sh
@@ -8,7 +8,7 @@ set -euo pipefail

skip_without_bwrap

echo "1..16"
echo "1..18"

setup_repo
install_repo
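Review bot: The plan bump from `1..16` to `1..18` is consistent with adding one `ok` inside the two-iteration `for extra_argv in "" "--allow=multiarch"` loop in the next hunk, but nothing here records that arithmetic. A short comment beside the plan line noting that each check inside that loop counts twice would save the next person who adds a case from getting the TAP plan wrong.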
@@ -80,6 +80,12 @@ for extra_argv in "" "--allow=multiarch"; do
ok "ioctl TIOCSTI with high bits blocked (CVE-2019-10063)"
fi

echo "# ioctl TIOCLINUX (CVE-2023-28100)"
e=0
try_syscall "ioctl TIOCLINUX" || e="$?"
assert_streq "$e" "$EPERM"
ok "ioctl TIOCLINUX blocked"

echo "# listen (benign)"
e=0
try_syscall "listen" || e="$?"
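Review bot: The new block only exercises the plain request number; the TIOCSTI case directly above it also checks the high-bits variant (`ok "ioctl TIOCSTI with high bits blocked (CVE-2019-10063)"`). Since the flatpak-run.c rule for TIOCLINUX uses the same `0xFFFFFFFFu` mask, a matching "ioctl TIOCLINUX with high bits" case in try-syscall.c and a corresponding `assert_streq "$e" "$EPERM"` here would confirm the mask actually applies to this ioctl and not just to TIOCSTI. Comparing against `$EPERM` rather than merely "non-zero" is good, because the unsandboxed path fails with EBADF and would otherwise pass by accident.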
9 changes: 9 additions & 0 deletions tests/try-syscall.c
@@ -151,6 +151,15 @@ main (int argc, char **argv)
}
}
#endif
else if (strcmp (arg, "ioctl TIOCLINUX") == 0)
{
/* If not blocked by seccomp, this will fail with EBADF */
if (ioctl (-1, TIOCLINUX, WRONG_POINTER) != 0)
{
errsv = errno;
perror (arg);
}
}
else if (strcmp (arg, "listen") == 0)
{
/* If not blocked by seccomp, this will fail with EBADF */
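Review bot: The comment should say why this is safe to run outside the sandbox: with fd `-1` the kernel rejects the call with EBADF before it ever dereferences the third argument, so `WRONG_POINTER` is never read and no copy/paste can be triggered by the test itself. As written, the `if (ioctl (...) != 0)` branch mirrors the `listen` case below, which is fine for consistency, but an unexpected return of 0 leaves `errsv` untouched and is silently indistinguishable from "not reached"; an `else` arm that records the success (or an explicit comment that 0 is impossible here) would make that path visible if the fd handling ever changes.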