diff --git a/sys/kern/tty.c b/sys/kern/tty.c
--- a/sys/kern/tty.c
+++ b/sys/kern/tty.c
@@ -104,6 +104,16 @@ MALLOC_DEFINE(M_TTYS, "ttys", "tty data structures");
+/*
+ * kern.tty_tiocsti -- global killswitch for the TIOCSTI terminal-input-
+ * injection ioctl. Default 1 (historical behavior). Set to 0 to deny
+ * TIOCSTI system-wide so unprivileged users cannot push arbitrary bytes
+ * into a controlling terminal input queue (confused-deputy defense).
+ */
+static int tty_tiocsti_enable = 1;
+SYSCTL_INT(_kern, OID_AUTO, tty_tiocsti, CTLFLAG_RW, &tty_tiocsti_enable,
+ 0, "Enable TIOCSTI terminal input injection (0=deny, 1=allow)");
+
 static int proc_compare (struct proc *p1, struct proc *p2);
 static int ttnread (struct tty *tp);
 static void ttyecho (int c, struct tty *tp);
@@ -1156,6 +1166,11 @@
 }
 break;
 case TIOCSTI: /* simulate terminal input */
+ if (!tty_tiocsti_enable) {
+ lwkt_reltoken(&p->p_token);
+ lwkt_reltoken(&tp->t_token);
+ return (EPERM);
+ }
 if ((flag & FREAD) == 0 && caps_priv_check_td(td, SYSCAP_RESTRICTEDROOT)) {
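Review bot: The comment introduced above `tty_tiocsti_enable` says the knob stops "unprivileged users", but the check added in the TIOCSTI hunk (`if (!tty_tiocsti_enable) { ... return (EPERM); }`) runs before the `caps_priv_check_td` privilege test and rejects every caller, root included, so the comment and the code disagree. I would reword it to `Set to 0 to deny TIOCSTI for all callers, privileged or not, so nothing can push arbitrary bytes into a controlling terminal input queue (confused-deputy defense).` and make the sysctl description say the same, e.g. `"Allow TIOCSTI terminal input injection for any caller (0=deny all, 1=allow)"`, so an administrator flipping the knob is not surprised when privileged tooling that relies on TIOCSTI also starts failing with EPERM. If the hard kill-switch semantics are intended they are the safer choice; the documentation just needs to say so. As written the value only takes effect once the running system sets it; if the denial is meant to hold before the first login session, a boot-time tunable for the same variable would complement the runtime sysctl, assuming this tree supports one.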