git: 4d354159d150 - releng/14.0 - jail: Fix information leak.
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Wed, 14 Feb 2024 06:05:46 UTC
The branch releng/14.0 has been updated by gordon:
URL: https://cgit.FreeBSD.org/src/commit/?id=4d354159d150789716d529cf5201c6e1e9d28106
commit 4d354159d150789716d529cf5201c6e1e9d28106
Author: Pawel Jakub Dawidek <pjd@FreeBSD.org>
AuthorDate: 2024-01-17 17:43:55 +0000
Commit: Gordon Tetlow <gordon@FreeBSD.org>
CommitDate: 2024-02-14 05:53:05 +0000
jail: Fix information leak.
There is a lack of proper visibility checking in kern.ttys sysctl handler
which leads to information leak about processes outside the current jail.
This can be demonstrated with pstat -t: when called from within a jail,
it will output all terminal devices including process groups and
session leader process IDs:
jail# pstat -t | grep pts/ | head
LINE INQ CAN LIN LOW OUTQ USE LOW COL SESS PGID STATE
pts/2 1920 0 0 192 1984 0 199 0 4132 27245 Oi
pts/3 1920 0 0 192 1984 0 199 16 24890 33627 Oi
pts/5 0 0 0 0 0 0 0 25 17758 0 G
pts/16 0 0 0 0 0 0 0 0 52495 0 G
pts/15 0 0 0 0 0 0 0 25 53446 0 G
pts/17 0 0 0 0 0 0 0 6702 33230 0 G
pts/19 0 0 0 0 0 0 0 14 1116 0 G
pts/0 0 0 0 0 0 0 0 0 2241 0 G
pts/23 0 0 0 0 0 0 0 20 15639 0 G
pts/6 0 0 0 0 0 0 0 0 44062 93792 G
jail# pstat -t | grep pts/ | wc -l
85
Devfs does the filtering correctly and we get only one entry:
jail# ls /dev/pts/
2
Approved by: mzaborski, secteam
MFC after: 1 week
Sponsored by: Fudo Security
Approved by: so
Security: FreeBSD-SA-24:02.tty
Security: CVE-2024-25941
(cherry picked from commit f1d0a0cbecf2c688061f35adea85bfb29c9ec893)
(cherry picked from commit a376108029a20f4ce51476d98f2483a7008ce7b5)
(cherry picked from commit 41ac0b4ce00bae061164384f23356a4df6e0e695)
(cherry picked from commit 215bb03edc541634ec3fd9b01b55d7396b14d9cf)
---
sys/kern/tty.c | 26 ++++++++++++++++++++++----
1 file changed, 22 insertions(+), 4 deletions(-)
diff --git a/sys/kern/tty.c b/sys/kern/tty.c
index 620233947410..673904570b86 100644
--- a/sys/kern/tty.c
+++ b/sys/kern/tty.c
@@ -44,6 +44,7 @@
#ifdef COMPAT_43TTY
#include <sys/ioctl_compat.h>
#endif /* COMPAT_43TTY */
+#include <sys/jail.h>
#include <sys/kernel.h>
#include <sys/limits.h>
#include <sys/malloc.h>
@@ -1307,9 +1308,11 @@ static int
sysctl_kern_ttys(SYSCTL_HANDLER_ARGS)
{
unsigned long lsize;
+ struct thread *td = curthread;
struct xtty *xtlist, *xt;
struct tty *tp;
- int error;
+ struct proc *p;
+ int cansee, error;
sx_slock(&tty_list_sx);
lsize = tty_list_count * sizeof(struct xtty);
@@ -1322,13 +1325,28 @@ sysctl_kern_ttys(SYSCTL_HANDLER_ARGS)
TAILQ_FOREACH(tp, &tty_list, t_list) {
tty_lock(tp);
- tty_to_xtty(tp, xt);
+ if (tp->t_session != NULL) {
+ p = tp->t_session->s_leader;
+ PROC_LOCK(p);
+ cansee = (p_cansee(td, p) == 0);
+ PROC_UNLOCK(p);
+ } else {
+ cansee = !jailed(td->td_ucred);
+ }
+ if (cansee) {
+ tty_to_xtty(tp, xt);
+ xt++;
+ }
tty_unlock(tp);
- xt++;
}
sx_sunlock(&tty_list_sx);
- error = SYSCTL_OUT(req, xtlist, lsize);
+ lsize = (xt - xtlist) * sizeof(struct xtty);
+ if (lsize > 0) {
+ error = SYSCTL_OUT(req, xtlist, lsize);
+ } else {
+ error = 0;
+ }
free(xtlist, M_TTY);
return (error);
}