DragonFlyBSD Kernel Audit
DF-0005 / fix.diff
diff --git a/sys/kern/tty.c b/sys/kern/tty.c
--- a/sys/kern/tty.c
+++ b/sys/kern/tty.c
@@ -104,6 +104,16 @@
 
 MALLOC_DEFINE(M_TTYS, "ttys", "tty data structures");
 
+/*
+ * kern.tty_tiocsti -- global killswitch for the TIOCSTI terminal-input-
+ * injection ioctl. Default 1 (historical behavior). Set to 0 to deny
+ * TIOCSTI system-wide so unprivileged users cannot push arbitrary bytes
+ * into a controlling terminal input queue (confused-deputy defense).
+ */
+static int	tty_tiocsti_enable = 1;
+SYSCTL_INT(_kern, OID_AUTO, tty_tiocsti, CTLFLAG_RW, &tty_tiocsti_enable,
+    0, "Enable TIOCSTI terminal input injection (0=deny, 1=allow)");
+
 static int	proc_compare (struct proc *p1, struct proc *p2);
 static int	ttnread (struct tty *tp);
 static void	ttyecho (int c, struct tty *tp);
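Review bot: The killswitch ships enabled (`static int	tty_tiocsti_enable = 1;`), so a system carrying this patch is as exposed as before until an administrator sets kern.tty_tiocsti to 0. The comment should state that the protection is opt-in, or the default should be reconsidered. Because the OID is `CTLFLAG_RW`, anything allowed to write sysctls can set it back to 1 at runtime, so it cannot act as a one-way lockdown; a sentence in the comment saying so would help. The "unprivileged users" wording also undersells the check added at `case TIOCSTI:`, which as written refuses every caller, so I would end the comment with `Set to 0 to deny TIOCSTI for all callers, privileged or not.`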
@@ -1156,6 +1166,11 @@
 		}
 		break;
 	case TIOCSTI:			/* simulate terminal input */
+		if (!tty_tiocsti_enable) {
+			lwkt_reltoken(&p->p_token);
+			lwkt_reltoken(&tp->t_token);
+			return (EPERM);
+		}
 		if ((flag & FREAD) == 0 &&
 		    caps_priv_check_td(td, SYSCAP_RESTRICTEDROOT))
 		{
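Review bot: A refused TIOCSTI leaves no trace, because the new branch under `case TIOCSTI:` returns EPERM without a log line or counter. With the switch set to 0, an operator cannot tell a broken legacy tool from an injection attempt. A rate-limited kernel message naming the calling pid and uid, or a denial counter exported next to the sysctl, would make the refusal observable. The branch also releases `p->p_token` and `tp->t_token` by hand before returning; the token acquisition and the other exit paths are outside this hunk, so please confirm the release order matches the neighbouring EPERM return. A one-line comment such as `/* kern.tty_tiocsti=0: refuse before any privilege check */` would record why this test comes first.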