1
0
mirror of https://git.FreeBSD.org/src.git synced 2024-12-22 11:17:19 +00:00

Fix bug in the readpassphrase(3) function, which can be exposed

by application closing its stdin (i.e. STDIN_FILENO) prior to
calling readpassphrase WITHOUT setting RPP_STDIN. What happens
then is that the readpassphrase would open /dev/tty, and since
file descriptors are reused, the call would return first unused
fd, which is 0 which is also STDIN_FILENO. Then due to the usage
of "input != STDIN_FILENO" in the code to do its logic, that
would result in noecho flags not set on that file descriptor,
which was original issue I've been trying to fix.

In addition to that, the readpassphrase() would leak file
descriptor on its way out, so fix that one as well.

This problem can be tested with:

 $ ssh-add - < /tmp/myprivate.key

The password will not be hidden as it should and ktrace will
show:

 53326 ssh-add  CALL  open(0x80142443c,0x100002<O_RDWR|O_CLOEXEC>,<unused>0x165f030)
 53326 ssh-add  NAMI  "/dev/tty"
 53326 ssh-add  RET   open 0
 53326 ssh-add  CALL  sigprocmask(SIG_SETMASK,0x802eb1324,0x7fffffffd5e0)
 53326 ssh-add  RET   sigprocmask 0
 53326 ssh-add  CALL  sigaction(SIGALRM,0x7fffffffd630,0x7fffffffd610)

Instead of:

 57690 ssh-add  CALL  open(0x80142443c,0x100002<O_RDWR|O_CLOEXEC>,<unused>0x165f030)
 57690 ssh-add  NAMI  "/dev/tty"
 57690 ssh-add  RET   open 4
 57690 ssh-add  CALL  ioctl(0x4,TIOCGETA,0x7fffffffd860)
 57690 ssh-add  RET   ioctl 0
 57690 ssh-add  CALL  ioctl(0x4,TIOCSETAF,0x7fffffffd680)
 57690 ssh-add  RET   ioctl 0
 57690 ssh-add  CALL  sigprocmask(SIG_SETMASK,0x802eb1324,0x7fffffffd620)
 57690 ssh-add  RET   sigprocmask 0
 57690 ssh-add  CALL  sigaction(SIGALRM,0x7fffffffd670,0x7fffffffd650)

For the case when the key is read from the file.

Technically this can also be workaround'ed at the application side
by not closing the STDIN_FILENO in the first place, but readpassphrase(3)
doesn't need to make any assumptions about that. Plus the file descriptor
leak confirms that this is an oversight, rather than a deliberate behaviour.

MFC after:	1 week
This commit is contained in:
Maxim Sobolev 2016-01-24 22:20:13 +00:00
parent c7f6ce2800
commit 18a2ccd22d
Notes: svn2git 2020-12-20 02:59:44 +00:00
svn path=/head/; revision=294691

View File

@ -46,7 +46,7 @@ char *
readpassphrase(const char *prompt, char *buf, size_t bufsiz, int flags)
{
ssize_t nr;
int input, output, save_errno, i, need_restart;
int input, output, save_errno, i, need_restart, input_is_tty;
char ch, *p, *end;
struct termios term, oterm;
struct sigaction sa, savealrm, saveint, savehup, savequit, saveterm;
@ -68,14 +68,22 @@ readpassphrase(const char *prompt, char *buf, size_t bufsiz, int flags)
* Read and write to /dev/tty if available. If not, read from
* stdin and write to stderr unless a tty is required.
*/
if ((flags & RPP_STDIN) ||
(input = output = _open(_PATH_TTY, O_RDWR | O_CLOEXEC)) == -1) {
input_is_tty = 0;
if (!(flags & RPP_STDIN)) {
input = output = _open(_PATH_TTY, O_RDWR | O_CLOEXEC);
if (input == -1) {
if (flags & RPP_REQUIRE_TTY) {
errno = ENOTTY;
return(NULL);
}
input = STDIN_FILENO;
output = STDERR_FILENO;
} else {
input_is_tty = 1;
}
} else {
input = STDIN_FILENO;
output = STDERR_FILENO;
}
/*
@ -83,7 +91,7 @@ readpassphrase(const char *prompt, char *buf, size_t bufsiz, int flags)
* If we are using a tty but are not the foreground pgrp this will
* generate SIGTTOU, so do it *before* installing the signal handlers.
*/
if (input != STDIN_FILENO && tcgetattr(input, &oterm) == 0) {
if (input_is_tty && tcgetattr(input, &oterm) == 0) {
memcpy(&term, &oterm, sizeof(term));
if (!(flags & RPP_ECHO_ON))
term.c_lflag &= ~(ECHO | ECHONL);
@ -152,7 +160,7 @@ readpassphrase(const char *prompt, char *buf, size_t bufsiz, int flags)
(void)__libc_sigaction(SIGTSTP, &savetstp, NULL);
(void)__libc_sigaction(SIGTTIN, &savettin, NULL);
(void)__libc_sigaction(SIGTTOU, &savettou, NULL);
if (input != STDIN_FILENO)
if (input_is_tty)
(void)_close(input);
/*