Closed Bug 1405891 Opened 7 years ago Closed 7 years ago

Block tty ioctls like TIOCSTI in Linux content processes

Tracking

()

Status:

RESOLVED FIXED

Milestone:

mozilla58

Tracking Flags:

Tracking

Status

firefox58

---

fixed

People

(Reporter: jld, Assigned: jld)

References

(Blocks 1 open bug)

Details

(Whiteboard: sb+)

Attachments

(1 file)

Bug 1405891 - Block tty-related ioctl()s in sandboxed content processes. 7 years ago Jed Davis [:jld] ⟨⏰\|UTC-8⟩ ⟦he/him⟧ 59 bytes, text/x-review-board-request	gcp : review+	Details

Jed Davis [:jld] ⟨⏰|UTC-8⟩ ⟦he/him⟧

Assignee

Description

•

7 years ago

I'd like to eventually restrict ioctl() in Linux content processes with a default-deny policy, but that may need some iteration to deal with breakage in unusual considerations. However, one thing we can do now is to block tty ioctls, including and especially TIOCSTI, as mentioned in bug 1302711 and CVE-2016-9016. It's not the worst sandbox escape we have at the time of this writing, but it has a very simple fix with relatively little scope for collateral damage.

Comment hidden (mozreview-request)

Jim Mathies [:jimm]

Updated

•

7 years ago

status-firefox58: affected → ---

Priority: P2 → P1

Whiteboard: sb+

Gian-Carlo Pascutto [:gcp]

Comment 2

•

7 years ago

mozreview-review

Comment on attachment 8915464 [details] Bug 1405891 - Block tty-related ioctl()s in sandboxed content processes. https://reviewboard.mozilla.org/r/186664/#review191930 ::: security/sandbox/linux/SandboxFilter.cpp:717 (Diff revision 1) > case __NR_readahead: > #endif > return Allow(); > > - case __NR_ioctl: > - // ioctl() is for GL. Remove when GL proxy is implemented. > + case __NR_ioctl: { > + static const unsigned long kTypeMask = 0xff00; I'd like a reference here where these magic numbers come from.

Attachment #8915464 - Flags: review?(gpascutto) → review+

Comment hidden (mozreview-request)

Jed Davis [:jld] ⟨⏰|UTC-8⟩ ⟦he/him⟧

Assignee

Comment 4

•

7 years ago

Comment on attachment 8915464 [details] Bug 1405891 - Block tty-related ioctl()s in sandboxed content processes. I changed how the constants are computed, and improved the comment.

Attachment #8915464 - Flags: review+ → review?(gpascutto)

Gian-Carlo Pascutto [:gcp]

Comment 5

•

7 years ago

mozreview-review

Comment on attachment 8915464 [details] Bug 1405891 - Block tty-related ioctl()s in sandboxed content processes. https://reviewboard.mozilla.org/r/186664/#review192350

Attachment #8915464 - Flags: review?(gpascutto) → review+

Pulsebot

Comment 6

•

7 years ago

Pushed by jedavis@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/fb637352a959 Block tty-related ioctl()s in sandboxed content processes. r=gcp

Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)

Comment 7

•

7 years ago

bugherder

https://hg.mozilla.org/mozilla-central/rev/fb637352a959

Status: NEW → RESOLVED

Closed: 7 years ago

status-firefox58: --- → fixed

Resolution: --- → FIXED

Target Milestone: --- → mozilla58

Jed Davis [:jld] ⟨⏰|UTC-8⟩ ⟦he/him⟧

Assignee

Updated

•

7 years ago

Depends on: 1408493

Jed Davis [:jld] ⟨⏰|UTC-8⟩ ⟦he/him⟧

Assignee

Updated

•

7 years ago

Depends on: 1408498

Matthew Gregan [:kinetik]

Updated

•

7 years ago

Depends on: 1435523

Jed Davis [:jld] ⟨⏰|UTC-8⟩ ⟦he/him⟧

Assignee

Updated

•

7 years ago

No longer depends on: 1435523

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Block tty ioctls like TIOCSTI in Linux content processes

Categories

(Core :: Security: Process Sandboxing, enhancement, P1)

Tracking

()

People

(Reporter: jld, Assigned: jld)

References

(Blocks 1 open bug)

Details

(Whiteboard: sb+)

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Comment 1

Updated

Comment 2

Comment 3

Comment 4

Comment 5

Comment 6

Comment 7

Updated

Updated

Updated

Updated

Attachment

General

Description

File Name

Content Type