From af9047c60a3db32d5e43c29321f8f531db051a63 Mon Sep 17 00:00:00 2001 From: Dmitry Vyukov Date: Thu, 19 Dec 2019 19:31:04 +0100 Subject: sys/linux: prohibit TIOCSSERIAL Replace TIOCSSERIAL with TIOCGSERIAL. TIOCSSERIAL can do nasty things under root, like causing writes to random memory pretty much like /dev/mem, but this is also working as intended. For details see: https://groups.google.com/g/syzkaller-bugs/c/1rVENJf9P4U/m/QtGpapRxAgAJ https://syzkaller.appspot.com/bug?extid=f4f1e871965064ae689e TODO: TIOCSSERIAL does some other things that are not dangerous and would be nice to test, if/when we can sanitize based on sandbox value we could prohibit it only under sandbox=none. --- sys/linux/init.go | 48 ++++++++++++++++++++++++++++++------------------ 1 file changed, 30 insertions(+), 18 deletions(-) (limited to 'sys/linux/init.go') diff --git a/sys/linux/init.go b/sys/linux/init.go index 91bf32be8..fe214156e 100644 --- a/sys/linux/init.go +++ b/sys/linux/init.go @@ -42,6 +42,8 @@ func InitTarget(target *prog.Target) { AF_NETROM: target.GetConst("AF_NETROM"), AF_ROSE: target.GetConst("AF_ROSE"), USB_MAJOR: target.GetConst("USB_MAJOR"), + TIOCSSERIAL: target.GetConst("TIOCSSERIAL"), + TIOCGSERIAL: target.GetConst("TIOCGSERIAL"), // These are not present on all arches. ARCH_SET_FS: target.ConstMap["ARCH_SET_FS"], ARCH_SET_GS: target.ConstMap["ARCH_SET_GS"], @@ -142,6 +144,8 @@ type arch struct { AF_NETROM uint64 AF_ROSE uint64 USB_MAJOR uint64 + TIOCSSERIAL uint64 + TIOCGSERIAL uint64 } func (arch *arch) sanitizeCall(c *prog.Call) { @@ -234,28 +238,36 @@ func enforceIntArg(a prog.Arg) { func (arch *arch) sanitizeIoctl(c *prog.Call) { cmd := c.Args[1].(*prog.ConstArg) - // Freeze kills machine. Though, it is an interesting functions, - // so we need to test it somehow. - // TODO: not required if executor drops privileges. - // Fortunately, the value does not conflict with any other ioctl commands for now. - if uint64(uint32(cmd.Val)) == arch.FIFREEZE { + switch uint64(uint32(cmd.Val)) { + case arch.FIFREEZE: + // Freeze kills machine. Though, it is an interesting functions, + // so we need to test it somehow. + // TODO: not required if executor drops privileges. + // Fortunately, the value does not conflict with any other ioctl commands for now. cmd.Val = arch.FITHAW - } - // SNAPSHOT_FREEZE freezes all processes and leaves the machine dead. - if uint64(uint32(cmd.Val)) == arch.SNAPSHOT_FREEZE { + case arch.SNAPSHOT_FREEZE: + // SNAPSHOT_FREEZE freezes all processes and leaves the machine dead. cmd.Val = arch.SNAPSHOT_UNFREEZE - } - // EXT4_IOC_SHUTDOWN on root fs effectively brings the machine down in weird ways. - // Fortunately, the value does not conflict with any other ioctl commands for now. - if uint64(uint32(cmd.Val)) == arch.EXT4_IOC_SHUTDOWN { + case arch.EXT4_IOC_SHUTDOWN: + // EXT4_IOC_SHUTDOWN on root fs effectively brings the machine down in weird ways. + // Fortunately, the value does not conflict with any other ioctl commands for now. cmd.Val = arch.EXT4_IOC_MIGRATE - } - // EXT4_IOC_RESIZE_FS on root fs can shrink it to 0 (or whatever is the minimum size) - // and then creation of new temp dirs for tests will fail. - // TODO: not necessary for sandbox=namespace as it tests in a tmpfs - // and/or if we mount tmpfs for sandbox=none (#971). - if uint64(uint32(cmd.Val)) == arch.EXT4_IOC_RESIZE_FS { + case arch.EXT4_IOC_RESIZE_FS: + // EXT4_IOC_RESIZE_FS on root fs can shrink it to 0 (or whatever is the minimum size) + // and then creation of new temp dirs for tests will fail. + // TODO: not necessary for sandbox=namespace as it tests in a tmpfs + // and/or if we mount tmpfs for sandbox=none (#971). cmd.Val = arch.EXT4_IOC_MIGRATE + case arch.TIOCSSERIAL: + // TIOCSSERIAL can do nasty things under root, like causing writes to random memory + // pretty much like /dev/mem, but this is also working as intended. + // For details see: + // https://groups.google.com/g/syzkaller-bugs/c/1rVENJf9P4U/m/QtGpapRxAgAJ + // https://syzkaller.appspot.com/bug?extid=f4f1e871965064ae689e + // TODO: TIOCSSERIAL does some other things that are not dangerous + // and would be nice to test, if/when we can sanitize based on sandbox value + // we could prohibit it only under sandbox=none. + cmd.Val = arch.TIOCGSERIAL } } -- cgit mrf-deployment