Date: Wed, 14 Feb 2024 06:05:46 GMT
Message-Id: <202402140605.41E65kLu084720@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Gordon Tetlow
Subject: git: 4d354159d150 - releng/14.0 - jail: Fix information leak.

The branch releng/14.0 has been updated by gordon:

URL: https://cgit.FreeBSD.org/src/commit/?id=4d354159d150789716d529cf5201c6e1e9d28106

commit 4d354159d150789716d529cf5201c6e1e9d28106
Author:     Pawel Jakub Dawidek
AuthorDate: 2024-01-17 17:43:55 +0000
Commit:     Gordon Tetlow
CommitDate: 2024-02-14 05:53:05 +0000

    jail: Fix information leak.

    There is a lack of proper visibility checking in kern.ttys sysctl handler
    which leads to information leak about processes outside the current jail.

    This can be demonstrated with pstat -t: when called from within a jail,
    it will output all terminal devices including process groups and
    session leader process IDs:

            jail# pstat -t | grep pts/ | head
              LINE  INQ CAN LIN LOW OUTQ USE LOW  COL  SESS  PGID STATE
             pts/2 1920   0   0 192 1984   0 199    0  4132 27245 Oi
             pts/3 1920   0   0 192 1984   0 199   16 24890 33627 Oi
             pts/5    0   0   0   0    0   0   0   25 17758     0 G
            pts/16    0   0   0   0    0   0   0    0 52495     0 G
            pts/15    0   0   0   0    0   0   0   25 53446     0 G
            pts/17    0   0   0   0    0   0   0 6702 33230     0 G
            pts/19    0   0   0   0    0   0   0   14  1116     0 G
             pts/0    0   0   0   0    0   0   0    0  2241     0 G
            pts/23    0   0   0   0    0   0   0   20 15639     0 G
             pts/6    0   0   0   0    0   0   0    0 44062 93792 G
            jail# pstat -t | grep pts/ | wc -l
                  85

    Devfs does the filtering correctly and we get only one entry:

            jail# ls /dev/pts/
            2

    Approved by:    mzaborski, secteam
    MFC after:      1 week
    Sponsored by:   Fudo Security
    Approved by:    so
    Security:       FreeBSD-SA-24:02.tty
    Security:       CVE-2024-25941

    (cherry picked from commit f1d0a0cbecf2c688061f35adea85bfb29c9ec893)
    (cherry picked from commit a376108029a20f4ce51476d98f2483a7008ce7b5)
    (cherry picked from commit 41ac0b4ce00bae061164384f23356a4df6e0e695)
    (cherry picked from commit 215bb03edc541634ec3fd9b01b55d7396b14d9cf)
---
 sys/kern/tty.c | 26 ++++++++++++++++++++++----
 1 file changed, 22 insertions(+), 4 deletions(-)

diff --git a/sys/kern/tty.c b/sys/kern/tty.c index 620233947410..673904570b86 100644 --- a/sys/kern/tty.c +++ b/sys/kern/tty.c @@ -44,6 +44,7 @@ #ifdef COMPAT_43TTY #include #endif /* COMPAT_43TTY */ +#include #include #include #include @@ -1307,9 +1308,11 @@ static int sysctl_kern_ttys(SYSCTL_HANDLER_ARGS) { unsigned long lsize; + struct thread *td = curthread; struct xtty *xtlist, *xt; struct tty *tp; - int error; + struct proc *p; + int cansee, error; sx_slock(&tty_list_sx); lsize = tty_list_count * sizeof(struct xtty); 
@@ -1322,13 +1325,28 @@ sysctl_kern_ttys(SYSCTL_HANDLER_ARGS) TAILQ_FOREACH(tp, &tty_list, t_list) { tty_lock(tp); - tty_to_xtty(tp, xt); + if (tp->t_session != NULL) { + p = tp->t_session->s_leader; + PROC_LOCK(p); + cansee = (p_cansee(td, p) == 0); + PROC_UNLOCK(p); + } else { + cansee = !jailed(td->td_ucred); + } + if (cansee) { + tty_to_xtty(tp, xt); + xt++; + } tty_unlock(tp); - xt++; } sx_sunlock(&tty_list_sx); - error = SYSCTL_OUT(req, xtlist, lsize); + lsize = (xt - xtlist) * sizeof(struct xtty); + if (lsize > 0) { + error = SYSCTL_OUT(req, xtlist, lsize); + } else { + error = 0; + } free(xtlist, M_TTY); return (error); }
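
Review bot: In the declarations hunk (@@ -1307,9 +1308,11 @@), the new "struct thread *td = curthread;" takes the caller from curthread even though the handler already has req, which it passes to SYSCTL_OUT. Using req->td would tie the p_cansee() and jailed() decisions explicitly to the thread that issued the sysctl request, and would drop one local initializer from the declaration block.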
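
Review bot: In the loop hunk (@@ -1322,13 +1325,28 @@), "p = tp->t_session->s_leader;" is handed straight to PROC_LOCK(p) with only t_session tested against NULL. If a session can remain attached to the tty after its leader is gone and s_leader is cleared, this dereferences NULL while the tty lock and tty_list_sx are held; either test p for NULL and decide which branch such a tty takes, or add a comment stating the invariant that rules it out. A one-line comment on the else branch would also help, since "cansee = !jailed(td->td_ucred);" encodes a policy (session-less ttys are reported only to non-jailed callers) that the code does not otherwise explain.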