
Commit 526677d

committed
Check that fd is a character device before calling tcgetattr().
This was missed when the mitigation for CVE-2023-2002 was introduced. Reported by Bjorn Baron.
1 parent 9f2e92d commit 526677d


1 file changed

+19
-1
lines changed


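--- a/lib/util/term.c
+++ b/lib/util/term.c
@@ -225,8 +225,13 @@ sudo_term_noecho_v1(int fd)
 {
 struct termios term = { 0 };
 bool ret = false;
+struct stat sb;
 debug_decl(sudo_term_noecho, SUDO_DEBUG_UTIL);
 
+/* Avoid calling ioctl on non-device to prevent CVE-2023-2002. */
+if (fstat(fd, &sb) != 0 || !S_ISCHR(sb.st_mode))
+debug_return_bool(false);
+
 sudo_lock_file(fd, SUDO_LOCK);
 if (!changed && tcgetattr(fd, &orig_term) == -1) {
 sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
@@ -280,9 +285,11 @@ bool
 sudo_term_is_raw_v1(int fd)
 {
 struct termios term = { 0 };
+struct stat sb;
 debug_decl(sudo_term_is_raw, SUDO_DEBUG_UTIL);
 
-if (!sudo_isatty(fd, NULL))
+/* Avoid calling ioctl on non-device to prevent CVE-2023-2002. */
+if (fstat(fd, &sb) != 0 || !S_ISCHR(sb.st_mode))
 debug_return_bool(false);
 
 sudo_lock_file(fd, SUDO_LOCK);
@@ -306,9 +313,14 @@ sudo_term_raw_v1(int fd, unsigned int flags)
 {
 struct termios term = { 0 };
 bool ret = false;
+struct stat sb;
 tcflag_t oflag;
 debug_decl(sudo_term_raw, SUDO_DEBUG_UTIL);
 
+/* Avoid calling ioctl on non-device to prevent CVE-2023-2002. */
+if (fstat(fd, &sb) != 0 || !S_ISCHR(sb.st_mode))
+debug_return_bool(false);
+
 sudo_lock_file(fd, SUDO_LOCK);
 if (!changed && tcgetattr(fd, &orig_term) == -1) {
 sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
@@ -358,8 +370,13 @@ sudo_term_cbreak_v2(int fd, bool flush)
 const int flags = flush ? (TCSASOFT|TCSAFLUSH) : (TCSASOFT|TCSADRAIN);
 struct termios term = { 0 };
 bool ret = false;
+struct stat sb;
 debug_decl(sudo_term_cbreak, SUDO_DEBUG_UTIL);
 
+/* Avoid calling ioctl on non-device to prevent CVE-2023-2002. */
+if (fstat(fd, &sb) != 0 || !S_ISCHR(sb.st_mode))
+debug_return_bool(false);
+
 sudo_lock_file(fd, SUDO_LOCK);
 if (!changed && tcgetattr(fd, &orig_term) == -1) {
 sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,
@@ -468,6 +485,7 @@ sudo_term_copy_v1(int src, int dst)
 * Like isatty(3) but stats the fd and stores the result in sb.
 * Only calls isatty(3) if fd is a character special device.
 * Returns true if a tty, else returns false and sets errno.
+* This is mitigation for CVE-2023-2002.
 */
 bool
 sudo_isatty_v1(int fd, struct stat *sbp)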
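Review bot: The new early return in sudo_term_noecho_v1, sudo_term_is_raw_v1, sudo_term_raw_v1 and sudo_term_cbreak_v2 leaves errno untouched when fstat() succeeds but the descriptor is not a character device, so a caller that reports errno after a false return would see a stale value. By contrast, sudo_isatty_v1 (whose call this replaces in sudo_term_is_raw_v1) is documented in the last hunk as "returns false and sets errno". Consider splitting the test into `if (fstat(fd, &sb) != 0) debug_return_bool(false);` followed by `if (!S_ISCHR(sb.st_mode)) { errno = ENOTTY; debug_return_bool(false); }`, assuming `<errno.h>` is already included in term.c, which this page does not show. Because the same three lines now appear four times, a small static helper would keep the CVE-2023-2002 guard from drifting between the functions. All four function bodies continue past their hunks, so whether the callers actually read errno cannot be confirmed from here.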
