From a526c2f70cd8c814b2c7b8d3494059c4a20282f8 Mon Sep 17 00:00:00 2001 From: deraadt Date: Thu, 29 Jun 2017 04:10:07 +0000 Subject: [PATCH] Due to risks known for decades, TIOCSTI now performs no action, and simply returns EIO. The base system has been cleaned of TIOCSTI uses (collaboration between anton and I), and the ports tree appears mostly clean. A few stragglers may be discovered and cleaned up later... In a month or so, we should see if the #define can be removed entirely. ok anton tedu, support from millert --- share/man/man4/tty.4 | 9 ++++----- sys/kern/kern_pledge.c | 7 +------ sys/kern/tty.c | 9 ++------- 3 files changed, 7 insertions(+), 18 deletions(-) diff --git a/share/man/man4/tty.4 b/share/man/man4/tty.4 index 1a03c2a7812..d7174600c0a 100644 --- a/share/man/man4/tty.4 +++ b/share/man/man4/tty.4 @@ -1,4 +1,4 @@ -.\" $OpenBSD: tty.4,v 1.47 2016/11/26 11:18:43 mpi Exp $ +.\" $OpenBSD: tty.4,v 1.48 2017/06/29 04:10:07 deraadt Exp $ .\" $NetBSD: tty.4,v 1.4 1996/03/19 04:26:01 paulus Exp $ .\" .\" Copyright (c) 1991, 1992, 1993 @@ -30,7 +30,7 @@ .\" .\" @(#)tty.4 8.3 (Berkeley) 4/19/94 .\" -.Dd $Mdocdate: November 26 2016 $ +.Dd $Mdocdate: June 29 2017 $ .Dt TTY 4 .Os .Sh NAME @@ -276,9 +276,8 @@ Place the current number of characters in the output queue in the integer pointed to by .Fa num . .It Dv TIOCSTI Fa char *cp -Simulate typed input. -Pretend as if the terminal received the character pointed to by -.Fa cp . +Performs no action and returns +.Er EIO . .It Dv TIOCNOTTY Fa void This call is obsolete but left for compatibility. In the past, when a process that didn't have a controlling terminal diff --git a/sys/kern/kern_pledge.c b/sys/kern/kern_pledge.c index 63bb8745846..2d728a962cd 100644 --- a/sys/kern/kern_pledge.c +++ b/sys/kern/kern_pledge.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kern_pledge.c,v 1.215 2017/06/21 17:13:20 deraadt Exp $ */ +/* $OpenBSD: kern_pledge.c,v 1.216 2017/06/29 04:10:07 deraadt Exp $ */ /* * Copyright (c) 2015 Nicholas Marriott @@ -1273,11 +1273,6 @@ pledge_ioctl(struct proc *p, long com, struct file *fp) break; return (0); #endif /* NPTY > 0 */ - case TIOCSTI: /* ksh? csh? */ - if ((p->p_p->ps_pledge & PLEDGE_PROC) && - fp->f_type == DTYPE_VNODE && (vp->v_flag & VISTTY)) - return (0); - break; case TIOCSPGRP: if ((p->p_p->ps_pledge & PLEDGE_PROC) == 0) break; diff --git a/sys/kern/tty.c b/sys/kern/tty.c index 5f965301144..f80e4bd983f 100644 --- a/sys/kern/tty.c +++ b/sys/kern/tty.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tty.c,v 1.133 2017/01/21 05:42:03 guenther Exp $ */ +/* $OpenBSD: tty.c,v 1.134 2017/06/29 04:10:07 deraadt Exp $ */ /* $NetBSD: tty.c,v 1.68.4.2 1996/06/06 16:04:52 thorpej Exp $ */ /*- @@ -733,7 +733,6 @@ ttioctl(struct tty *tp, u_long cmd, caddr_t data, int flag, struct proc *p) case TIOCSETAW: case TIOCSPGRP: case TIOCSTAT: - case TIOCSTI: case TIOCSWINSZ: while (isbackground(pr, tp) && (pr->ps_flags & PS_PPWAIT) == 0 && @@ -962,11 +961,7 @@ ttioctl(struct tty *tp, u_long cmd, caddr_t data, int flag, struct proc *p) splx(s); break; case TIOCSTI: /* simulate terminal input */ - if (p->p_ucred->cr_uid && (flag & FREAD) == 0) - return (EPERM); - if (p->p_ucred->cr_uid && !isctty(pr, tp)) - return (EACCES); - (*linesw[tp->t_line].l_rint)(*(u_char *)data, tp); + return (EIO); break; case TIOCSTOP: /* stop output, like ^S */ s = spltty(); -- 2.20.1