CVE-2016-7545

author: netblue30 <netblue30@yahoo.com> 2016-09-27 10:38:21 -0400
committer: netblue30 <netblue30@yahoo.com> 2016-09-27 10:38:21 -0400
commit: ae0e5b667d7756f5a4e318c37aefb0a827abbf25 (patch)
tree: daa54e1446a1a288a185c1acdd0741cf3b8c85cc
parent: more CVE-2016-7545 (diff)
download: firejail-ae0e5b667d7756f5a4e318c37aefb0a827abbf25.tar.gz
firejail-ae0e5b667d7756f5a4e318c37aefb0a827abbf25.tar.zst
firejail-ae0e5b667d7756f5a4e318c37aefb0a827abbf25.zip
5 files changed, 23 insertions, 40 deletions
diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h
index e76f54ec3..4e92f3e89 100644
--- a/src/firejail/firejail.h
+++ b/src/firejail/firejail.h
@@ -455,6 +455,7 @@ void invalid_filename(const char *fname);
 uid_t get_tty_gid(void);
 uid_t get_audio_gid(void);
 int remove_directory(const char *path);
+void flush_stdin(void);
 // fs_var.c
 void fs_var_log(void);  // mounting /var/log
diff --git a/src/firejail/join.c b/src/firejail/join.c
index 414b899ce..f11d85cfe 100644
--- a/src/firejail/join.c
+++ b/src/firejail/join.c
@@ -386,6 +386,7 @@ void join(pid_t pid, int argc, char **argv, int index) {
        // wait for the child to finish
        waitpid(child, NULL, 0);
+        flush_stdin();
        exit(0);
 }
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 81765e3ff..bf73656d2 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -35,8 +35,6 @@
 #include <signal.h>
 #include <time.h>
 #include <net/if.h>
-#include <sys/ioctl.h>
-#include <termios.h>
 #if 0
 #include <sys/times.h>
@@ -143,18 +141,7 @@ static void myexit(int rv) {
        EUID_ROOT();
        clear_run_files(sandbox_pid);
        appimage_clear();
+        flush_stdin();
-        int fd = open("/dev/tty", O_RDWR);
-        if (fd != -1) {
-                ioctl(fd, TCFLSH, TCIFLUSH);
-                close(fd);
-        } else {
-                fprintf(stderr, "Warning: can't open /dev/tty, flushing stdin, stdout and stderr file descriptors instead\n");
-                ioctl(0, TCFLSH, TCIFLUSH);
-                ioctl(1, TCFLSH, TCIFLUSH);
-                ioctl(2, TCFLSH, TCIFLUSH);
-        }
-                
        exit(rv); 
 }
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index a348add34..cd81b0b11 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -28,8 +28,6 @@
 #include <sys/types.h>
 #include <dirent.h>
 #include <errno.h>
-#include <sys/ioctl.h>
-#include <termios.h>
 #include <fcntl.h>
 #include <sched.h>
@@ -86,18 +84,8 @@ static void sandbox_handler(int sig){
        // broadcast a SIGKILL
        kill(-1, SIGKILL);
-#if 0   
+        flush_stdin();
-        int fd = open("/dev/tty", O_RDWR);
-        if (fd != -1) {
-                ioctl(fd, TCFLSH, TCIFLUSH);
-                close(fd);
-        } else {
-                fprintf(stderr, "Warning: can't open /dev/tty, flushing stdin, stdout and stderr file descriptors instead\n");
-                ioctl(0, TCFLSH, TCIFLUSH);
-                ioctl(1, TCFLSH, TCIFLUSH);
-                ioctl(2, TCFLSH, TCIFLUSH);
-        }
-#endif
        exit(sig);
 }
@@ -908,18 +896,9 @@ int sandbox(void* sandbox_arg) {
        }
        int status = monitor_application(app_pid);      // monitor application
-#if 0   
+        flush_stdin();
-        int fd = open("/dev/tty", O_RDWR);
-        if (fd != -1) {
-                ioctl(fd, TCFLSH, TCIFLUSH);
-                close(fd);
-        } else {
-                fprintf(stderr, "Warning: can't open /dev/tty, flushing stdin, stdout and stderr file descriptors instead\n");
-                ioctl(0, TCFLSH, TCIFLUSH);
-                ioctl(1, TCFLSH, TCIFLUSH);
-                ioctl(2, TCFLSH, TCIFLUSH);
-        }
-#endif
        if (WIFEXITED(status)) {
                // if we had a proper exit, return that exit status
diff --git a/src/firejail/util.c b/src/firejail/util.c
index 5b407eaf5..7aa0ae0e8 100644
--- a/src/firejail/util.c
+++ b/src/firejail/util.c
@@ -26,6 +26,8 @@
 #include <errno.h>
 #include <dirent.h>
 #include <grp.h>
+#include <sys/ioctl.h>
+#include <termios.h>
 #define MAX_GROUPS 1024
 // drop privileges
@@ -686,3 +688,16 @@ int remove_directory(const char *path) {
        // FTW_PHYS - do not follow symbolic links
        return nftw(path, remove_callback, 64, FTW_DEPTH | FTW_PHYS);
 }
+void flush_stdin(void) {
+        if (isatty(STDIN_FILENO)) {
+                int cnt = 0;
+                ioctl(STDIN_FILENO, FIONREAD, &cnt);
+                if (cnt) {
+                        if (!arg_quiet)
+                                printf("Warning: removing %d bytes from stdin\n", cnt);
+                        ioctl(STDIN_FILENO, TCFLSH, TCIFLUSH);
+                }
+        }
+}
author	netblue30 <netblue30@yahoo.com>	2016-09-27 10:38:21 -0400
committer	netblue30 <netblue30@yahoo.com>	2016-09-27 10:38:21 -0400
commit	ae0e5b667d7756f5a4e318c37aefb0a827abbf25 (patch)
tree	daa54e1446a1a288a185c1acdd0741cf3b8c85cc
parent	more CVE-2016-7545 (diff)
download	firejail-ae0e5b667d7756f5a4e318c37aefb0a827abbf25.tar.gz firejail-ae0e5b667d7756f5a4e318c37aefb0a827abbf25.tar.zst firejail-ae0e5b667d7756f5a4e318c37aefb0a827abbf25.zip

diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index e76f54ec3..4e92f3e89 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h
@@ -455,6 +455,7 @@ void invalid_filename(const char *fname);
455	uid_t get_tty_gid(void);	455	uid_t get_tty_gid(void);
456	uid_t get_audio_gid(void);	456	uid_t get_audio_gid(void);
457	int remove_directory(const char *path);	457	int remove_directory(const char *path);
		458	void flush_stdin(void);
458		459
459	// fs_var.c	460	// fs_var.c
460	void fs_var_log(void); // mounting /var/log	461	void fs_var_log(void); // mounting /var/log


diff --git a/src/firejail/join.c b/src/firejail/join.c index 414b899ce..f11d85cfe 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c
@@ -386,6 +386,7 @@ void join(pid_t pid, int argc, char **argv, int index) {
386		386
387	// wait for the child to finish	387	// wait for the child to finish
388	waitpid(child, NULL, 0);	388	waitpid(child, NULL, 0);
		389	flush_stdin();
389	exit(0);	390	exit(0);
390	}	391	}
391		392


diff --git a/src/firejail/main.c b/src/firejail/main.c index 81765e3ff..bf73656d2 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -35,8 +35,6 @@
35	#include <signal.h>	35	#include <signal.h>
36	#include <time.h>	36	#include <time.h>
37	#include <net/if.h>	37	#include <net/if.h>
38	#include <sys/ioctl.h>
39	#include <termios.h>
40		38
41	#if 0	39	#if 0
42	#include <sys/times.h>	40	#include <sys/times.h>
@@ -143,18 +141,7 @@ static void myexit(int rv) {
143	EUID_ROOT();	141	EUID_ROOT();
144	clear_run_files(sandbox_pid);	142	clear_run_files(sandbox_pid);
145	appimage_clear();	143	appimage_clear();
146		144	flush_stdin();
147	int fd = open("/dev/tty", O_RDWR);
148	if (fd != -1) {
149	ioctl(fd, TCFLSH, TCIFLUSH);
150	close(fd);
151	} else {
152	fprintf(stderr, "Warning: can't open /dev/tty, flushing stdin, stdout and stderr file descriptors instead\n");
153	ioctl(0, TCFLSH, TCIFLUSH);
154	ioctl(1, TCFLSH, TCIFLUSH);
155	ioctl(2, TCFLSH, TCIFLUSH);
156	}
157
158	exit(rv);	145	exit(rv);
159	}	146	}
160		147


diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index a348add34..cd81b0b11 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c
@@ -28,8 +28,6 @@
28	#include <sys/types.h>	28	#include <sys/types.h>
29	#include <dirent.h>	29	#include <dirent.h>
30	#include <errno.h>	30	#include <errno.h>
31	#include <sys/ioctl.h>
32	#include <termios.h>
33	#include <fcntl.h>	31	#include <fcntl.h>
34		32
35	#include <sched.h>	33	#include <sched.h>
@@ -86,18 +84,8 @@ static void sandbox_handler(int sig){
86		84
87	// broadcast a SIGKILL	85	// broadcast a SIGKILL
88	kill(-1, SIGKILL);	86	kill(-1, SIGKILL);
89	#if 0	87	flush_stdin();
90	int fd = open("/dev/tty", O_RDWR);	88
91	if (fd != -1) {
92	ioctl(fd, TCFLSH, TCIFLUSH);
93	close(fd);
94	} else {
95	fprintf(stderr, "Warning: can't open /dev/tty, flushing stdin, stdout and stderr file descriptors instead\n");
96	ioctl(0, TCFLSH, TCIFLUSH);
97	ioctl(1, TCFLSH, TCIFLUSH);
98	ioctl(2, TCFLSH, TCIFLUSH);
99	}
100	#endif
101	exit(sig);	89	exit(sig);
102	}	90	}
103		91
@@ -908,18 +896,9 @@ int sandbox(void* sandbox_arg) {
908	}	896	}
909		897
910	int status = monitor_application(app_pid); // monitor application	898	int status = monitor_application(app_pid); // monitor application
911	#if 0	899	flush_stdin();
912	int fd = open("/dev/tty", O_RDWR);	900
913	if (fd != -1) {	901
914	ioctl(fd, TCFLSH, TCIFLUSH);
915	close(fd);
916	} else {
917	fprintf(stderr, "Warning: can't open /dev/tty, flushing stdin, stdout and stderr file descriptors instead\n");
918	ioctl(0, TCFLSH, TCIFLUSH);
919	ioctl(1, TCFLSH, TCIFLUSH);
920	ioctl(2, TCFLSH, TCIFLUSH);
921	}
922	#endif
923		902
924	if (WIFEXITED(status)) {	903	if (WIFEXITED(status)) {
925	// if we had a proper exit, return that exit status	904	// if we had a proper exit, return that exit status


diff --git a/src/firejail/util.c b/src/firejail/util.c index 5b407eaf5..7aa0ae0e8 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c
@@ -26,6 +26,8 @@
26	#include <errno.h>	26	#include <errno.h>
27	#include <dirent.h>	27	#include <dirent.h>
28	#include <grp.h>	28	#include <grp.h>
		29	#include <sys/ioctl.h>
		30	#include <termios.h>
29		31
30	#define MAX_GROUPS 1024	32	#define MAX_GROUPS 1024
31	// drop privileges	33	// drop privileges
@@ -686,3 +688,16 @@ int remove_directory(const char *path) {
686	// FTW_PHYS - do not follow symbolic links	688	// FTW_PHYS - do not follow symbolic links
687	return nftw(path, remove_callback, 64, FTW_DEPTH \| FTW_PHYS);	689	return nftw(path, remove_callback, 64, FTW_DEPTH \| FTW_PHYS);
688	}	690	}
		691
		692	void flush_stdin(void) {
		693	if (isatty(STDIN_FILENO)) {
		694	int cnt = 0;
		695	ioctl(STDIN_FILENO, FIONREAD, &cnt);
		696	if (cnt) {
		697	if (!arg_quiet)
		698	printf("Warning: removing %d bytes from stdin\n", cnt);
		699	ioctl(STDIN_FILENO, TCFLSH, TCIFLUSH);
		700	}
		701	}
		702	}
		703