From owner-freebsd-security  Fri Dec  8  9:22:55 2000
From owner-freebsd-security@FreeBSD.ORG  Fri Dec  8 09:22:51 2000
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mailman.zeta.org.au (mailman.zeta.org.au [203.26.10.16])
	by hub.freebsd.org (Postfix) with ESMTP id 5AB7E37B400
	for <freebsd-security@FreeBSD.ORG>; Fri,  8 Dec 2000 09:22:49 -0800 (PST)
Received: from bde.zeta.org.au (bde.zeta.org.au [203.2.228.102])
	by mailman.zeta.org.au (8.8.7/8.8.7) with ESMTP id EAA27646;
	Sat, 9 Dec 2000 04:22:36 +1100
Date: Sat, 9 Dec 2000 04:22:19 +1100 (EST)
From: Bruce Evans <bde@zeta.org.au>
X-Sender: bde@besplex.bde.org
To: Joerg Wunsch <joerg_wunsch@interface-business.de>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Please review a change to lock(1)
In-Reply-To: <20001207115835.V4709@B7173150.DeutschePost.de>
Message-ID: <Pine.BSF.4.21.0012090406120.9818-100000@besplex.bde.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 7 Dec 2000, J Wunsch wrote:

> i think everybody's happy when seeing those dead processes running
> around forever, eating up all CPU time -- since they are too stupid to
> notice the tty they're trying to read from is gone.  lock(1) is one of
> those culprits, as i just noticed.  You can easily prove this by

> ...  Please review the following, and make a better
> suggestion if you think i didn't honor all security-related issues
> here.  Btw., after the tty is gone, fread() returns NULL but ferror()
> doesn't return 1 (!),

This is correct.  read(2) on a dead terminal should return 0/no-error
(i.e., EOF).

and isatty(fileno(stdin)) also still yields 1.

I think isatty() should work.  isatty() is implemented using tcgetattr()
which is implented using an ioctl.  I'm not sure what dead_ioctl() does.

> So the only way i found was to justify based on errno.

> Index: lock.c
> ===================================================================
> RCS file: /home/ncvs/src/usr.bin/lock/lock.c,v
> retrieving revision 1.8
> diff -u -r1.8 lock.c
> --- lock.c	1999/10/12 13:53:30	1.8
> +++ lock.c	2000/12/07 10:49:28
> @@ -61,6 +61,7 @@
>  #include <sys/time.h>
>  #include <sys/signal.h>
>  #include <err.h>
> +#include <errno.h>
>  #include <ctype.h>
>  #include <pwd.h>
>  #include <sgtty.h>
> @@ -189,7 +190,11 @@
>  
>  	for (;;) {
>  		(void)printf("Key: ");
> +		errno = 0;
>  		if (!fgets(s, sizeof(s), stdin)) {
> +			if (errno == EIO)
> +				/* Our terminal is gone; good-bye. */
> +				exit(1);
>  			clearerr(stdin);
>  			hi();
>  			continue;
> 

This should have no effect :-).  It can only work if the VISTTY test in
dead_read() is broken again.

Bruce



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message