From bde9fae007dd3c4b802c1652a7d7cbabf0aec237 Mon Sep 17 00:00:00 2001
From: Aleksey Manevich
Date: Mon, 26 Sep 2016 21:33:39 +0300
Subject: CVE-2016-7545
---
 src/firejail/main.c | 12 +++++++++++-
 src/firejail/sandbox.c | 23 +++++++++++++++++++++--
 2 files changed, 32 insertions(+), 3 deletions(-)
diff --git a/src/firejail/main.c b/src/firejail/main.c
index 135ff17d8..81765e3ff 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -143,7 +143,17 @@ static void myexit(int rv) {
 EUID_ROOT();
 clear_run_files(sandbox_pid);
 appimage_clear();
- ioctl(0, TCFLSH, TCIFLUSH);
+
+ int fd = open("/dev/tty", O_RDWR);
+ if (fd != -1) {
+ ioctl(fd, TCFLSH, TCIFLUSH);
+ close(fd);
+ } else {
+ fprintf(stderr, "Warning: can't open /dev/tty, flushing stdin, stdout and stderr file descriptors instead\n");
+ ioctl(0, TCFLSH, TCIFLUSH);
+ ioctl(1, TCFLSH, TCIFLUSH);
+ ioctl(2, TCFLSH, TCIFLUSH);
+ }
 exit(rv);
 }
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 08296d823..272737c06 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -30,6 +30,7 @@
 #include
 #include
 #include
+#include
 #include
 #ifndef CLONE_NEWUSER
@@ -85,7 +86,16 @@ static void sandbox_handler(int sig){
 // broadcast a SIGKILL
 kill(-1, SIGKILL);
- ioctl(0, TCFLSH, TCIFLUSH);
+ int fd = open("/dev/tty", O_RDWR);
+ if (fd != -1) {
+ ioctl(fd, TCFLSH, TCIFLUSH);
+ close(fd);
+ } else {
+ fprintf(stderr, "Warning: can't open /dev/tty, flushing stdin, stdout and stderr file descriptors instead\n");
+ ioctl(0, TCFLSH, TCIFLUSH);
+ ioctl(1, TCFLSH, TCIFLUSH);
+ ioctl(2, TCFLSH, TCIFLUSH);
+ }
 exit(sig);
 }
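Review bot: In myexit() in src/firejail/main.c the result of `ioctl(fd, TCFLSH, TCIFLUSH)` is never checked, so if the flush on /dev/tty fails the fix silently does nothing and the fallback on descriptors 0-2 is not tried. The fallback has the same gap: the warning says the standard descriptors are being flushed, yet each of those calls can fail (for example on a redirected descriptor) without any trace. The identical block is pasted again in sandbox_handler() and sandbox() in src/firejail/sandbox.c, so a later correction has to be made three times; a single shared helper that checks the return value would avoid that. The sketch below uses a proposed name, and where it is declared is outside this patch; myexit() itself begins before this hunk.

```c
// Discard pending terminal input; fall back to the standard descriptors
// when the controlling terminal cannot be opened or flushed.
void flush_tty_input(void) {
	int fd = open("/dev/tty", O_RDWR);
	if (fd != -1) {
		int rv = ioctl(fd, TCFLSH, TCIFLUSH);
		close(fd);
		if (rv == 0)
			return;
	}

	fprintf(stderr, "Warning: can't flush /dev/tty, trying stdin, stdout and stderr file descriptors instead\n");
	int flushed = 0;
	for (int i = 0; i <= 2; i++) {
		if (ioctl(i, TCFLSH, TCIFLUSH) == 0)
			flushed = 1;
	}
	if (!flushed)
		fprintf(stderr, "Warning: terminal input was not flushed\n");
}

// ... unchanged: EUID_ROOT(), clear_run_files(), appimage_clear() ...
	flush_tty_input();
	exit(rv);
```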
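Review bot: The fallback added to sandbox_handler() in src/firejail/sandbox.c calls `fprintf(stderr, ...)`, which is not async-signal-safe; if this function is installed as a signal handler, as its name and `int sig` parameter suggest, the warning should be emitted with `write(STDERR_FILENO, msg, sizeof(msg) - 1)` on a `static const char msg[]`, or dropped. Separately, `kill(-1, SIGKILL)` returns before the signalled processes are necessarily gone, so anything queued on the terminal between the flush and `exit(sig)` is not discarded; the flush narrows the window rather than closing it, which deserves a comment at this spot. The handler's body begins before this hunk, so how it is registered is not visible here.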
@@ -896,7 +906,16 @@ int sandbox(void* sandbox_arg) {
 }
 int status = monitor_application(app_pid); // monitor application
- ioctl(0, TCFLSH, TCIFLUSH);
+ int fd = open("/dev/tty", O_RDWR);
+ if (fd != -1) {
+ ioctl(fd, TCFLSH, TCIFLUSH);
+ close(fd);
+ } else {
+ fprintf(stderr, "Warning: can't open /dev/tty, flushing stdin, stdout and stderr file descriptors instead\n");
+ ioctl(0, TCFLSH, TCIFLUSH);
+ ioctl(1, TCFLSH, TCIFLUSH);
+ ioctl(2, TCFLSH, TCIFLUSH);
+ }
 if (WIFEXITED(status)) {
 // if we had a proper exit, return that exit status
-- cgit v1.2.3-70-g09d2
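Review bot: Nothing in sandbox() says why terminal input is discarded once `monitor_application(app_pid)` returns, and the commit message carries only the CVE number, so the block reads like unrelated cleanup that a later refactor could drop. A one-line comment above `int fd = open("/dev/tty", O_RDWR);` would tie it to the fix, for example `// discard terminal input left queued when the sandboxed application ends, so the calling shell never reads it (CVE-2016-7545)`. It is also worth stating there why /dev/tty is preferred over descriptor 0, presumably because descriptor 0 may not refer to the terminal. sandbox() starts and ends outside this hunk.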