From af9047c60a3db32d5e43c29321f8f531db051a63 Mon Sep 17 00:00:00 2001 From: Dmitry Vyukov Date: Thu, 19 Dec 2019 19:31:04 +0100 Subject: sys/linux: prohibit TIOCSSERIAL Replace TIOCSSERIAL with TIOCGSERIAL. TIOCSSERIAL can do nasty things under root, like causing writes to random memory pretty much like /dev/mem, but this is also working as intended. For details see: https://groups.google.com/g/syzkaller-bugs/c/1rVENJf9P4U/m/QtGpapRxAgAJ https://syzkaller.appspot.com/bug?extid=f4f1e871965064ae689e TODO: TIOCSSERIAL does some other things that are not dangerous and would be nice to test, if/when we can sanitize based on sandbox value we could prohibit it only under sandbox=none. --- sys/linux/init_test.go | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) (limited to 'sys/linux/init_test.go') diff --git a/sys/linux/init_test.go b/sys/linux/init_test.go index 4358bef35..44a31149c 100644 --- a/sys/linux/init_test.go +++ b/sys/linux/init_test.go @@ -106,8 +106,7 @@ mknod(0x0, 0xc000, 0x0) mknod(0x0, 0x2000, 0x0) mknod(0x0, 0x6000, 0x0) mknod(0x0, 0x6000, 0x700) -`, - ` +`, ` mknod(0x0, 0x1000, 0x0) mknod(0x0, 0x8000, 0x0) mknod(0x0, 0xc000, 0x0) @@ -125,8 +124,7 @@ exit(0xc3) exit_group(0x5a) exit_group(0x43) exit_group(0x443) -`, - ` +`, ` exit(0x3) exit(0x1) exit(0x1) @@ -143,14 +141,13 @@ syz_open_procfs(0x0, &(0x7f0000000000)='exe') syz_open_procfs(0x0, &(0x7f0000000000)='exe\x00') syz_open_procfs(0x0, &(0x7f0000000000)='/exe') syz_open_procfs(0x0, &(0x7f0000000000)='./exe\x00') -`, - ` +`, ` syz_open_procfs(0x0, &(0x7f0000000000)='io') syz_open_procfs(0x0, &(0x7f0000000000)='net\x00') syz_open_procfs(0x0, &(0x7f0000000000)='net\x00') syz_open_procfs(0x0, &(0x7f0000000000)='net\x00') syz_open_procfs(0x0, &(0x7f0000000000)='net\x00') - `, +`, }, { @@ -163,7 +160,11 @@ syz_open_dev$tty1(0xc, 0x4, 0x5) syz_open_dev$tty1(0xc, 0x4, 0x4) syz_open_dev$tty1(0xc, 0x4, 0x4) syz_open_dev$tty1(0xc, 0x4, 0x1) - `, +`, + }, + { + `ioctl$TIOCSSERIAL(0x0, 0x541f, 0x0)`, + `ioctl$TIOCSSERIAL(0x0, 0x541e, 0x0)`, }, } for i, test := range tests { -- cgit mrf-deployment