LinuxLists.cc - Clean console safely

2011-04-13 14:33:44

Subject: Clean console safely

Hello,

I've posted following patch to linux-kernel already and Alan Cox liked it
(http://thread.gmane.org/gmane.linux.kernel/1117336). I'd like to ask you,
a TTY maintainer, to apply it to next Linux tree if it's acceptable.

-- Petr

2011-04-13 14:33:55

by Petr Písař

[permalink] [raw]

Subject: [PATCH] Clean console safely

Traditional \E[2J sequence erases console display but scroll-back
buffer and underlying device (frame) buffer keep data that can be
accessed by scrolling console back.

This patch introduce new \E[J parameter 3 that allows to scramble
scroll-back buffer explicitly. Session locking programs (screen,
vlock) can use it to prevent attacker to browse locked console
history.
---
drivers/tty/vt/vt.c | 6 ++++++
1 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
index 4bea1ef..fe96a1f 100644
--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -1197,6 +1197,12 @@ static void csi_J(struct vc_data *vc, int vpar)
vc->vc_x + 1);
}
break;
+ case 3: /* erase scroll-back buffer (and whole display) */
+ scr_memsetw(vc->vc_screenbuf, vc->vc_video_erase_char,
+ vc->vc_screenbuf_size >> 1);
+ set_origin(vc);
+ if (CON_IS_VISIBLE(vc))
+ update_screen(vc);
case 2: /* erase whole display */
count = vc->vc_cols * vc->vc_rows;
start = (unsigned short *)vc->vc_origin;
--
1.7.4.4

2011-04-13 14:43:45

by Artem Bityutskiy

[permalink] [raw]

Subject: Re: [PATCH] Clean console safely

On Wed, 2011-04-13 at 16:32 +0200, Petr Písař wrote:
> Traditional \E[2J sequence erases console display but scroll-back
> buffer and underlying device (frame) buffer keep data that can be
> accessed by scrolling console back.
>
> This patch introduce new \E[J parameter 3 that allows to scramble
> scroll-back buffer explicitly. Session locking programs (screen,
> vlock) can use it to prevent attacker to browse locked console
> history.
> ---
> drivers/tty/vt/vt.c | 6 ++++++
> 1 files changed, 6 insertions(+), 0 deletions(-)

You forgot to "Signed-off-by:" it.

--
Best Regards,
Artem Bityutskiy (Артём Битюцкий)

2011-04-13 14:55:37

by Petr Písař

[permalink] [raw]

Subject: [PATCH] Clean console safely

Traditional \E[2J sequence erases console display but scroll-back
buffer and underlying device (frame) buffer keep data that can be
accessed by scrolling console back.

This patch introduce new \E[J parameter 3 that allows to scramble
scroll-back buffer explicitly. Session locking programs (screen,
vlock) can use it to prevent attacker to browse locked console
history.

Signed-off-by: Petr Písař <[email protected]>
---
drivers/tty/vt/vt.c | 6 ++++++
1 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
index 4bea1ef..fe96a1f 100644
--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -1197,6 +1197,12 @@ static void csi_J(struct vc_data *vc, int vpar)
vc->vc_x + 1);
}
break;
+ case 3: /* erase scroll-back buffer (and whole display) */
+ scr_memsetw(vc->vc_screenbuf, vc->vc_video_erase_char,
+ vc->vc_screenbuf_size >> 1);
+ set_origin(vc);
+ if (CON_IS_VISIBLE(vc))
+ update_screen(vc);
case 2: /* erase whole display */
count = vc->vc_cols * vc->vc_rows;
start = (unsigned short *)vc->vc_origin;
--
1.7.4.4

2011-04-13 15:00:11

by Greg KH

[permalink] [raw]

Subject: Re: Clean console safely

On Wed, Apr 13, 2011 at 04:32:49PM +0200, Petr Písař wrote:
> Hello,
>
> I've posted following patch to linux-kernel already and Alan Cox liked it
> (http://thread.gmane.org/gmane.linux.kernel/1117336). I'd like to ask you,
> a TTY maintainer, to apply it to next Linux tree if it's acceptable.

Ok, but care to resend it with a signed-off-by line so that I can apply
it?

thanks,

greg k-h

2011-04-13 15:09:04

by Greg KH

[permalink] [raw]

Subject: Re: [PATCH] Clean console safely

On Wed, Apr 13, 2011 at 04:54:33PM +0200, Petr Písař wrote:
> Traditional \E[2J sequence erases console display but scroll-back
> buffer and underlying device (frame) buffer keep data that can be
> accessed by scrolling console back.
>
> This patch introduce new \E[J parameter 3 that allows to scramble
> scroll-back buffer explicitly. Session locking programs (screen,
> vlock) can use it to prevent attacker to browse locked console
> history.

Is this also documented somewhere so that people know about it?

thanks,

greg k-h

2011-04-13 15:13:28

by Chris Ball

[permalink] [raw]

Subject: Re: [PATCH] Clean console safely

Hi,

On Wed, Apr 13 2011, Petr Písař wrote:
> Traditional \E[2J sequence erases console display but scroll-back
> buffer and underlying device (frame) buffer keep data that can be
> accessed by scrolling console back.
>
> This patch introduce new \E[J parameter 3 that allows to scramble
> scroll-back buffer explicitly. Session locking programs (screen,
> vlock) can use it to prevent attacker to browse locked console
> history.
>
> Signed-off-by: Petr Písař <[email protected]>
> ---
> drivers/tty/vt/vt.c | 6 ++++++
> 1 files changed, 6 insertions(+), 0 deletions(-)
>
> diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
> index 4bea1ef..fe96a1f 100644
> --- a/drivers/tty/vt/vt.c
> +++ b/drivers/tty/vt/vt.c
> @@ -1197,6 +1197,12 @@ static void csi_J(struct vc_data *vc, int vpar)
> vc->vc_x + 1);
> }
> break;
> + case 3: /* erase scroll-back buffer (and whole display) */
> + scr_memsetw(vc->vc_screenbuf, vc->vc_video_erase_char,
> + vc->vc_screenbuf_size >> 1);
> + set_origin(vc);
> + if (CON_IS_VISIBLE(vc))
> + update_screen(vc);
> case 2: /* erase whole display */
> count = vc->vc_cols * vc->vc_rows;
> start = (unsigned short *)vc->vc_origin;

Nitpick: the cases were ordered before -- 3 should go after 2.

- Chris.
--
Chris Ball <[email protected]> <http://printf.net/>
One Laptop Per Child

2011-04-13 15:28:50

by Petr Písař

[permalink] [raw]

Subject: Re: [PATCH] Clean console safely

On Wed, Apr 13, 2011 at 11:18:04AM -0400, Chris Ball wrote:
>
> On Wed, Apr 13 2011, Petr Písař wrote:
> > Traditional \E[2J sequence erases console display but scroll-back
> > buffer and underlying device (frame) buffer keep data that can be
> > accessed by scrolling console back.
> >
> > This patch introduce new \E[J parameter 3 that allows to scramble
> > scroll-back buffer explicitly. Session locking programs (screen,
> > vlock) can use it to prevent attacker to browse locked console
> > history.
> >
> > Signed-off-by: Petr Písař <[email protected]>
> > ---
> > drivers/tty/vt/vt.c | 6 ++++++
> > 1 files changed, 6 insertions(+), 0 deletions(-)
> >
> > diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
> > index 4bea1ef..fe96a1f 100644
> > --- a/drivers/tty/vt/vt.c
> > +++ b/drivers/tty/vt/vt.c
> > @@ -1197,6 +1197,12 @@ static void csi_J(struct vc_data *vc, int vpar)
> > vc->vc_x + 1);
> > }
> > break;
> > + case 3: /* erase scroll-back buffer (and whole display) */
> > + scr_memsetw(vc->vc_screenbuf, vc->vc_video_erase_char,
> > + vc->vc_screenbuf_size >> 1);
> > + set_origin(vc);
> > + if (CON_IS_VISIBLE(vc))
> > + update_screen(vc);
> > case 2: /* erase whole display */
> > count = vc->vc_cols * vc->vc_rows;
> > start = (unsigned short *)vc->vc_origin;
>
> Nitpick: the cases were ordered before -- 3 should go after 2.
>
This is on purpose to continue with code for case 2 as it prepares variables
for cleaning visible part of display after the switch block.

-- Petr

2011-04-13 15:32:41

by Alexander Stein

[permalink] [raw]

Subject: Re: [PATCH] Clean console safely

Hi,

On Wednesday 13 April 2011, 17:18:04 Chris Ball wrote:
> On Wed, Apr 13 2011, Petr Písař wrote:
> > Traditional \E[2J sequence erases console display but scroll-back
> > buffer and underlying device (frame) buffer keep data that can be
> > accessed by scrolling console back.
> >
> > This patch introduce new \E[J parameter 3 that allows to scramble
> > scroll-back buffer explicitly. Session locking programs (screen,
> > vlock) can use it to prevent attacker to browse locked console
> > history.
> >
> > Signed-off-by: Petr Písař <[email protected]>
> > ---
> >
> > drivers/tty/vt/vt.c | 6 ++++++
> > 1 files changed, 6 insertions(+), 0 deletions(-)
> >
> > diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
> > index 4bea1ef..fe96a1f 100644
> > --- a/drivers/tty/vt/vt.c
> > +++ b/drivers/tty/vt/vt.c
> > @@ -1197,6 +1197,12 @@ static void csi_J(struct vc_data *vc, int vpar)
> >
> > vc->vc_x + 1);
> >
> > }
> > break;
> >
> > + case 3: /* erase scroll-back buffer (and whole display) */
> > + scr_memsetw(vc->vc_screenbuf, vc->vc_video_erase_char,
> > + vc->vc_screenbuf_size >> 1);
> > + set_origin(vc);
> > + if (CON_IS_VISIBLE(vc))
> > + update_screen(vc);
> >
> > case 2: /* erase whole display */
> >
> > count = vc->vc_cols * vc->vc_rows;
> > start = (unsigned short *)vc->vc_origin;
>
> Nitpick: the cases were ordered before -- 3 should go after 2.

Not if the fall-through is intended.

Alexander

2011-04-13 15:34:15

by Petr Písař

[permalink] [raw]

Subject: Re: [PATCH] Clean console safely

On Wed, Apr 13, 2011 at 08:01:13AM -0700, Greg KH wrote:
> On Wed, Apr 13, 2011 at 04:54:33PM +0200, Petr Písař wrote:
> > Traditional \E[2J sequence erases console display but scroll-back
> > buffer and underlying device (frame) buffer keep data that can be
> > accessed by scrolling console back.
> >
> > This patch introduce new \E[J parameter 3 that allows to scramble
> > scroll-back buffer explicitly. Session locking programs (screen,
> > vlock) can use it to prevent attacker to browse locked console
> > history.
>
> Is this also documented somewhere so that people know about it?
>
>
Not yet as this is fresh feature. I'd like to put few words into
console_codes(4). I guess manual sources are not part of Linux.

-- Petr

2011-04-13 15:40:04

by Chris Ball

[permalink] [raw]

Subject: Re: [PATCH] Clean console safely

Hi,

On Wed, Apr 13 2011, Petr Pisar wrote:
> On Wed, Apr 13, 2011 at 11:18:04AM -0400, Chris Ball wrote:
>>
>> On Wed, Apr 13 2011, Petr Písař wrote:
>> > Traditional \E[2J sequence erases console display but scroll-back
>> > buffer and underlying device (frame) buffer keep data that can be
>> > accessed by scrolling console back.
>> >
>> > This patch introduce new \E[J parameter 3 that allows to scramble
>> > scroll-back buffer explicitly. Session locking programs (screen,
>> > vlock) can use it to prevent attacker to browse locked console
>> > history.
>> >
>> > Signed-off-by: Petr Písař <[email protected]>
>> > ---
>> > drivers/tty/vt/vt.c | 6 ++++++
>> > 1 files changed, 6 insertions(+), 0 deletions(-)
>> >
>> > diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
>> > index 4bea1ef..fe96a1f 100644
>> > --- a/drivers/tty/vt/vt.c
>> > +++ b/drivers/tty/vt/vt.c
>> > @@ -1197,6 +1197,12 @@ static void csi_J(struct vc_data *vc, int vpar)
>> > vc->vc_x + 1);
>> > }
>> > break;
>> > + case 3: /* erase scroll-back buffer (and whole display) */
>> > + scr_memsetw(vc->vc_screenbuf, vc->vc_video_erase_char,
>> > + vc->vc_screenbuf_size >> 1);
>> > + set_origin(vc);
>> > + if (CON_IS_VISIBLE(vc))
>> > + update_screen(vc);
>> > case 2: /* erase whole display */
>> > count = vc->vc_cols * vc->vc_rows;
>> > start = (unsigned short *)vc->vc_origin;
>>
>> Nitpick: the cases were ordered before -- 3 should go after 2.
>>
> This is on purpose to continue with code for case 2 as it prepares variables
> for cleaning visible part of display after the switch block.

Oops, sorry; I saw an imaginary break statement there.

- Chris.
--
Chris Ball <[email protected]> <http://printf.net/>
One Laptop Per Child

2011-04-13 15:46:22

by Greg KH

[permalink] [raw]

Subject: Re: [PATCH] Clean console safely

On Wed, Apr 13, 2011 at 05:33:59PM +0200, Petr Pisar wrote:
> On Wed, Apr 13, 2011 at 08:01:13AM -0700, Greg KH wrote:
> > On Wed, Apr 13, 2011 at 04:54:33PM +0200, Petr Písař wrote:
> > > Traditional \E[2J sequence erases console display but scroll-back
> > > buffer and underlying device (frame) buffer keep data that can be
> > > accessed by scrolling console back.
> > >
> > > This patch introduce new \E[J parameter 3 that allows to scramble
> > > scroll-back buffer explicitly. Session locking programs (screen,
> > > vlock) can use it to prevent attacker to browse locked console
> > > history.
> >
> > Is this also documented somewhere so that people know about it?
> >
> >
> Not yet as this is fresh feature. I'd like to put few words into
> console_codes(4). I guess manual sources are not part of Linux.

No they are not, they have their own maintainer and release schedule.

thanks,

greg k-h

2011-04-14 00:24:09

by Daniel Taylor

[permalink] [raw]

Subject: RE: [PATCH] Clean console safely

> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Chris Ball
> Sent: Wednesday, April 13, 2011 8:45 AM
> To: Greg Kroah-Hartman
> Cc: Alan Cox; [email protected]; Artem Bityutskiy
> Subject: Re: [PATCH] Clean console safely
>
> Hi,
>
> On Wed, Apr 13 2011, Petr Pisar wrote:
> > On Wed, Apr 13, 2011 at 11:18:04AM -0400, Chris Ball wrote:
> >>
> >> On Wed, Apr 13 2011, Petr P?sa? wrote:
> >> > Traditional \E[2J sequence erases console display but scroll-back
> >> > buffer and underlying device (frame) buffer keep data that can be
> >> > accessed by scrolling console back.
> >> >
> >> > This patch introduce new \E[J parameter 3 that allows to scramble
> >> > scroll-back buffer explicitly. Session locking programs (screen,
> >> > vlock) can use it to prevent attacker to browse locked console
> >> > history.
> >> >
> >> > Signed-off-by: Petr P?sa? <[email protected]>
> >> > ---
> >> > drivers/tty/vt/vt.c | 6 ++++++
> >> > 1 files changed, 6 insertions(+), 0 deletions(-)
> >> >
> >> > diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
> >> > index 4bea1ef..fe96a1f 100644
> >> > --- a/drivers/tty/vt/vt.c
> >> > +++ b/drivers/tty/vt/vt.c
> >> > @@ -1197,6 +1197,12 @@ static void csi_J(struct vc_data
> *vc, int vpar)
> >> > vc->vc_x + 1);
> >> > }
> >> > break;
> >> > + case 3: /* erase scroll-back buffer
> (and whole display) */
> >> > + scr_memsetw(vc->vc_screenbuf,
> vc->vc_video_erase_char,
> >> > + vc->vc_screenbuf_size >> 1);
> >> > + set_origin(vc);
> >> > + if (CON_IS_VISIBLE(vc))
> >> > + update_screen(vc);
> >> > case 2: /* erase whole display */
> >> > count = vc->vc_cols * vc->vc_rows;
> >> > start = (unsigned short *)vc->vc_origin;
> >>
> >> Nitpick: the cases were ordered before -- 3 should go after 2.
> >>
> > This is on purpose to continue with code for case 2 as it
> prepares variables
> > for cleaning visible part of display after the switch block.
>
> Oops, sorry; I saw an imaginary break statement there.

Shouldn't there be a "/* fall through */", or similar, comment,
or all of the existing ones in the kernel extraneous? Personally,
I prefer to see clearly that the missing "break" is intentional.

>
> - Chris.
> --
> Chris Ball <[email protected]> <http://printf.net/>
> One Laptop Per Child
> --
> To unsubscribe from this list: send the line "unsubscribe
> linux-kernel" in
> the body of a message to [email protected]
> More majordomo info at http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at http://www.tux.org/lkml/
>

2011-04-15 08:09:13

by Petr Písař

[permalink] [raw]

Subject: [PATCH] Clean console safely

Traditional \E[2J sequence erases console display but scroll-back
buffer and underlying device (frame) buffer keep data that can be
accessed by scrolling console back.

This patch introduce new \E[J parameter 3 that allows to scramble
scroll-back buffer explicitly. Session locking programs (screen,
vlock) can use it to prevent attacker to browse locked console
history.

Signed-off-by: Petr Písař <[email protected]>
---
drivers/tty/vt/vt.c | 7 +++++++
1 files changed, 7 insertions(+), 0 deletions(-)

diff --git a/drivers/tty/vt/vt.c b/drivers/tty/vt/vt.c
index 4bea1ef..cb661ca 100644
--- a/drivers/tty/vt/vt.c
+++ b/drivers/tty/vt/vt.c
@@ -1197,6 +1197,13 @@ static void csi_J(struct vc_data *vc, int vpar)
vc->vc_x + 1);
}
break;
+ case 3: /* erase scroll-back buffer (and whole display) */
+ scr_memsetw(vc->vc_screenbuf, vc->vc_video_erase_char,
+ vc->vc_screenbuf_size >> 1);
+ set_origin(vc);
+ if (CON_IS_VISIBLE(vc))
+ update_screen(vc);
+ /* fall through */
case 2: /* erase whole display */
count = vc->vc_cols * vc->vc_rows;
start = (unsigned short *)vc->vc_origin;
--
1.7.4.4