From owner-svn-src-all@freebsd.org Sun Jan 24 22:20:14 2016 Return-Path: Delivered-To: svn-src-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id CDB1577C4; Sun, 24 Jan 2016 22:20:14 +0000 (UTC) (envelope-from sobomax@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id AA967FCA; Sun, 24 Jan 2016 22:20:14 +0000 (UTC) (envelope-from sobomax@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u0OMKDtp029918; Sun, 24 Jan 2016 22:20:13 GMT (envelope-from sobomax@FreeBSD.org) Received: (from sobomax@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id u0OMKD5C029917; Sun, 24 Jan 2016 22:20:13 GMT (envelope-from sobomax@FreeBSD.org) Message-Id: <201601242220.u0OMKD5C029917@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: sobomax set sender to sobomax@FreeBSD.org using -f From: Maxim Sobolev Date: Sun, 24 Jan 2016 22:20:13 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r294691 - head/lib/libc/gen X-SVN-Group: head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 24 Jan 2016 22:20:14 -0000 Author: sobomax Date: Sun Jan 24 22:20:13 2016 New Revision: 294691 URL: https://svnweb.freebsd.org/changeset/base/294691 Log: Fix bug in the readpassphrase(3) function, which can be exposed by application closing its stdin (i.e. STDIN_FILENO) prior to calling readpassphrase WITHOUT setting RPP_STDIN. What happens then is that the readpassphrase would open /dev/tty, and since file descriptors are reused, the call would return first unused fd, which is 0 which is also STDIN_FILENO. Then due to the usage of "input != STDIN_FILENO" in the code to do its logic, that would result in noecho flags not set on that file descriptor, which was original issue I've been trying to fix. In addition to that, the readpassphrase() would leak file descriptor on its way out, so fix that one as well. This problem can be tested with: $ ssh-add - < /tmp/myprivate.key The password will not be hidden as it should and ktrace will show: 53326 ssh-add CALL open(0x80142443c,0x100002,0x165f030) 53326 ssh-add NAMI "/dev/tty" 53326 ssh-add RET open 0 53326 ssh-add CALL sigprocmask(SIG_SETMASK,0x802eb1324,0x7fffffffd5e0) 53326 ssh-add RET sigprocmask 0 53326 ssh-add CALL sigaction(SIGALRM,0x7fffffffd630,0x7fffffffd610) Instead of: 57690 ssh-add CALL open(0x80142443c,0x100002,0x165f030) 57690 ssh-add NAMI "/dev/tty" 57690 ssh-add RET open 4 57690 ssh-add CALL ioctl(0x4,TIOCGETA,0x7fffffffd860) 57690 ssh-add RET ioctl 0 57690 ssh-add CALL ioctl(0x4,TIOCSETAF,0x7fffffffd680) 57690 ssh-add RET ioctl 0 57690 ssh-add CALL sigprocmask(SIG_SETMASK,0x802eb1324,0x7fffffffd620) 57690 ssh-add RET sigprocmask 0 57690 ssh-add CALL sigaction(SIGALRM,0x7fffffffd670,0x7fffffffd650) For the case when the key is read from the file. Technically this can also be workaround'ed at the application side by not closing the STDIN_FILENO in the first place, but readpassphrase(3) doesn't need to make any assumptions about that. Plus the file descriptor leak confirms that this is an oversight, rather than a deliberate behaviour. MFC after: 1 week Modified: head/lib/libc/gen/readpassphrase.c Modified: head/lib/libc/gen/readpassphrase.c ============================================================================== --- head/lib/libc/gen/readpassphrase.c Sun Jan 24 22:17:05 2016 (r294690) +++ head/lib/libc/gen/readpassphrase.c Sun Jan 24 22:20:13 2016 (r294691) @@ -46,7 +46,7 @@ char * readpassphrase(const char *prompt, char *buf, size_t bufsiz, int flags) { ssize_t nr; - int input, output, save_errno, i, need_restart; + int input, output, save_errno, i, need_restart, input_is_tty; char ch, *p, *end; struct termios term, oterm; struct sigaction sa, savealrm, saveint, savehup, savequit, saveterm; @@ -68,12 +68,20 @@ restart: * Read and write to /dev/tty if available. If not, read from * stdin and write to stderr unless a tty is required. */ - if ((flags & RPP_STDIN) || - (input = output = _open(_PATH_TTY, O_RDWR | O_CLOEXEC)) == -1) { - if (flags & RPP_REQUIRE_TTY) { - errno = ENOTTY; - return(NULL); + input_is_tty = 0; + if (!(flags & RPP_STDIN)) { + input = output = _open(_PATH_TTY, O_RDWR | O_CLOEXEC); + if (input == -1) { + if (flags & RPP_REQUIRE_TTY) { + errno = ENOTTY; + return(NULL); + } + input = STDIN_FILENO; + output = STDERR_FILENO; + } else { + input_is_tty = 1; } + } else { input = STDIN_FILENO; output = STDERR_FILENO; } @@ -83,7 +91,7 @@ restart: * If we are using a tty but are not the foreground pgrp this will * generate SIGTTOU, so do it *before* installing the signal handlers. */ - if (input != STDIN_FILENO && tcgetattr(input, &oterm) == 0) { + if (input_is_tty && tcgetattr(input, &oterm) == 0) { memcpy(&term, &oterm, sizeof(term)); if (!(flags & RPP_ECHO_ON)) term.c_lflag &= ~(ECHO | ECHONL); @@ -152,7 +160,7 @@ restart: (void)__libc_sigaction(SIGTSTP, &savetstp, NULL); (void)__libc_sigaction(SIGTTIN, &savettin, NULL); (void)__libc_sigaction(SIGTTOU, &savettou, NULL); - if (input != STDIN_FILENO) + if (input_is_tty) (void)_close(input); /*