From ae0e5b667d7756f5a4e318c37aefb0a827abbf25 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Tue, 27 Sep 2016 10:38:21 -0400 Subject: CVE-2016-7545 --- src/firejail/firejail.h | 1 + src/firejail/join.c | 1 + src/firejail/main.c | 15 +-------------- src/firejail/sandbox.c | 31 +++++-------------------------- src/firejail/util.c | 15 +++++++++++++++ 5 files changed, 23 insertions(+), 40 deletions(-) (limited to 'src') diff --git a/src/firejail/firejail.h b/src/firejail/firejail.h index e76f54ec3..4e92f3e89 100644 --- a/src/firejail/firejail.h +++ b/src/firejail/firejail.h @@ -455,6 +455,7 @@ void invalid_filename(const char *fname); uid_t get_tty_gid(void); uid_t get_audio_gid(void); int remove_directory(const char *path); +void flush_stdin(void); // fs_var.c void fs_var_log(void); // mounting /var/log diff --git a/src/firejail/join.c b/src/firejail/join.c index 414b899ce..f11d85cfe 100644 --- a/src/firejail/join.c +++ b/src/firejail/join.c @@ -386,6 +386,7 @@ void join(pid_t pid, int argc, char **argv, int index) { // wait for the child to finish waitpid(child, NULL, 0); + flush_stdin(); exit(0); } diff --git a/src/firejail/main.c b/src/firejail/main.c index 81765e3ff..bf73656d2 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c @@ -35,8 +35,6 @@ #include #include #include -#include -#include #if 0 #include @@ -143,18 +141,7 @@ static void myexit(int rv) { EUID_ROOT(); clear_run_files(sandbox_pid); appimage_clear(); - - int fd = open("/dev/tty", O_RDWR); - if (fd != -1) { - ioctl(fd, TCFLSH, TCIFLUSH); - close(fd); - } else { - fprintf(stderr, "Warning: can't open /dev/tty, flushing stdin, stdout and stderr file descriptors instead\n"); - ioctl(0, TCFLSH, TCIFLUSH); - ioctl(1, TCFLSH, TCIFLUSH); - ioctl(2, TCFLSH, TCIFLUSH); - } - + flush_stdin(); exit(rv); } diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c index a348add34..cd81b0b11 100644 --- a/src/firejail/sandbox.c +++ b/src/firejail/sandbox.c 
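Review bot: In src/firejail/join.c, the `flush_stdin()` added after `waitpid(child, NULL, 0);` runs even when the wait returns early, because the waitpid result is never checked. If the call is interrupted (for example with `EINTR`), the terminal is flushed while the joined child may still be running, so anything queued after that point is still pending when control returns to the invoking shell. Retry until the child is actually reaped before flushing, e.g. `while (waitpid(child, NULL, 0) == -1 && errno == EINTR);`. join() starts outside the hunk, so whether signals are already blocked there is not visible here.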
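Review bot: In myexit() in src/firejail/main.c, the replacement narrows what gets flushed. The removed code opened `/dev/tty` and flushed the controlling terminal wherever stdin pointed, while `flush_stdin()` (added in util.c) does nothing unless `isatty(STDIN_FILENO)` is true. When firejail runs with stdin redirected from a file or pipe but still has a controlling terminal, no flush happens on exit. If that case is in scope for this CVE fix, keep a `/dev/tty` path in the helper (try `open("/dev/tty", O_RDWR)` first, fall back to `STDIN_FILENO`). A comment on the call such as `// drop pending terminal input before returning to the invoking shell` would also record why it must stay directly before `exit(rv)`.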
@@ -28,8 +28,6 @@ #include #include #include -#include -#include #include #include @@ -86,18 +84,8 @@ static void sandbox_handler(int sig){ // broadcast a SIGKILL kill(-1, SIGKILL); -#if 0 - int fd = open("/dev/tty", O_RDWR); - if (fd != -1) { - ioctl(fd, TCFLSH, TCIFLUSH); - close(fd); - } else { - fprintf(stderr, "Warning: can't open /dev/tty, flushing stdin, stdout and stderr file descriptors instead\n"); - ioctl(0, TCFLSH, TCIFLUSH); - ioctl(1, TCFLSH, TCIFLUSH); - ioctl(2, TCFLSH, TCIFLUSH); - } -#endif + flush_stdin(); + exit(sig); } @@ -908,18 +896,9 @@ int sandbox(void* sandbox_arg) { } int status = monitor_application(app_pid); // monitor application -#if 0 - int fd = open("/dev/tty", O_RDWR); - if (fd != -1) { - ioctl(fd, TCFLSH, TCIFLUSH); - close(fd); - } else { - fprintf(stderr, "Warning: can't open /dev/tty, flushing stdin, stdout and stderr file descriptors instead\n"); - ioctl(0, TCFLSH, TCIFLUSH); - ioctl(1, TCFLSH, TCIFLUSH); - ioctl(2, TCFLSH, TCIFLUSH); - } -#endif + flush_stdin(); + + if (WIFEXITED(status)) { // if we had a proper exit, return that exit status diff --git a/src/firejail/util.c b/src/firejail/util.c index 5b407eaf5..7aa0ae0e8 100644 --- a/src/firejail/util.c +++ b/src/firejail/util.c @@ -26,6 +26,8 @@ #include #include #include +#include +#include #define MAX_GROUPS 1024 // drop privileges @@ -686,3 +688,16 @@ int remove_directory(const char *path) { // FTW_PHYS - do not follow symbolic links return nftw(path, remove_callback, 64, FTW_DEPTH | FTW_PHYS); } + +void flush_stdin(void) { + if (isatty(STDIN_FILENO)) { + int cnt = 0; + ioctl(STDIN_FILENO, FIONREAD, &cnt); + if (cnt) { + if (!arg_quiet) + printf("Warning: removing %d bytes from stdin\n", cnt); + ioctl(STDIN_FILENO, TCFLSH, TCIFLUSH); + } + } +} + -- cgit v1.2.3-70-g09d2
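Review bot: In sandbox_handler() in src/firejail/sandbox.c, `flush_stdin()` is now called from a signal handler, and the helper calls `printf`, which is not async-signal-safe. If the signal arrives while the interrupted code holds the stdio lock, the handler can hang before it reaches `exit(sig)`, leaving the sandbox half torn down. Keep the handler path silent (only the `ioctl` calls) or emit the warning with `write(STDERR_FILENO, ...)`. The flush also runs right after `kill(-1, SIGKILL)` without waiting for the signalled processes to go away, so a comment should state whether the later flush in the parent's myexit() is the one being relied on. The handler's body starts outside the hunk.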
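Review bot: In flush_stdin() in src/firejail/util.c, the `TCFLSH` call is gated on `FIONREAD` reporting a non-zero count, and the `FIONREAD` return value is ignored. If that ioctl fails, or the count does not reflect everything queued on the terminal (it is a snapshot, and how partial lines are counted appears to depend on the tty mode, which is worth confirming), the flush is skipped even though discarding the input is the security-relevant step. Flush whenever stdin is a tty and use the count only for the message; the warning should also go to stderr, as the removed code did, so it cannot end up in piped program output. A header comment saying that the function discards terminal input left pending when the sandbox ends would help future callers.

```c
void flush_stdin(void) {
	if (!isatty(STDIN_FILENO))
		return;

	// the byte count is informational only; a failed or zero FIONREAD must not skip the flush
	int cnt = 0;
	if (ioctl(STDIN_FILENO, FIONREAD, &cnt) == 0 && cnt > 0 && !arg_quiet)
		fprintf(stderr, "Warning: removing %d bytes from stdin\n", cnt);

	if (ioctl(STDIN_FILENO, TCFLSH, TCIFLUSH) == -1 && !arg_quiet)
		fprintf(stderr, "Warning: cannot flush stdin\n");
}
```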