TIOCSTI hardening
In 1985, John Bruner sent an email to the Security Digest mailing list about TIOCSTI-related security issues. Four years later, Ken Stauffer and Theo de Raadt wrote a famous exploit for SunOS based on it. In 1997, halflife wrote a Phrack article mentioning how TIOCSTI can be abused on Linux too. In 2012, halfdog wrote a comprehensive article on the topic.
Since June 2015, Android has a tty ioctls allowlist, thanks to Jeffrey Vander Stoep.
In February 2016, spender added a GRKERNSEC_HARDEN_TTY option to grsecurity.
Since the 28th of June 2017, thanks to Theo de Raadt, TIOCSTI is a no-op in OpenBSD.
In October 2022, Kees Cook added a compile-time option as well as a sysctl to disable TIOCSTI support in the Linux kernel.
Unfortunately, there are still trivial bypasses under certain conditions, like dd86f6ffd0ef73998eaab40b74b83ea5 in tty.
In March 2023, Shawn Webb made calls to the TIOCSTI ioctl fail with EPERM on HardenedBSD when the hardening.harden_tty sysctl is set.
In August 2023, TIOCLINUX SETSEL/PASTESEL/SELLOADLUT were patched by Hanno Böck, and the fix landed in Linux 6.7 in early 2024.
As of 2024, exercising these ioctl commands requires CAP_SYS_ADMIN.
This is a low-hanging hole that should now be closed in every UNIX.
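To verify that the Linux hardening described above is actually active on a given host, here is an added check that is not part of the original article or of any project named in it. It assumes a Linux kernel with devpts mounted: it creates a pseudo-terminal it owns, makes it the controlling tty of a forked child, and reports whether the kernel still accepts TIOCSTI on it (the function names tiocsti_probe and open_pty_pair are my own). Run it as an unprivileged user, because CAP_SYS_ADMIN bypasses the dev.tty.legacy_tiocsti sysctl.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <sys/wait.h>
#include <unistd.h>
enum { TIOCSTI_UNTESTABLE = -1, TIOCSTI_BLOCKED = 0, TIOCSTI_ALLOWED = 1 };

/* Open a fresh pty pair through /dev/ptmx with Linux-only ioctls (no libutil needed). */
static int open_pty_pair(int *master, int *slave)
{
    int unlock = 0, n;
    char path[32];
    *master = open("/dev/ptmx", O_RDWR | O_NOCTTY);
    if (*master < 0) return -1;
    if (ioctl(*master, TIOCSPTLCK, &unlock) < 0 || ioctl(*master, TIOCGPTN, &n) < 0 ||
        snprintf(path, sizeof path, "/dev/pts/%d", n) < 0 ||
        (*slave = open(path, O_RDWR | O_NOCTTY)) < 0) {
        close(*master);
        return -1;
    }
    return 0;
}

/* Fork a child, make the slave its controlling tty (so only the kernel hardening can
 * still refuse the ioctl) and try to push one byte into that pty we own.
 * Run unprivileged: CAP_SYS_ADMIN bypasses dev.tty.legacy_tiocsti=0. */
int tiocsti_probe(void)
{
    int master, slave, status;
    if (open_pty_pair(&master, &slave) < 0) return TIOCSTI_UNTESTABLE;
    pid_t pid = fork();
    if (pid == 0) {
        char c = 'x';                                   /* lands only in our own pty */
        if (setsid() < 0 || ioctl(slave, TIOCSCTTY, 0) < 0) _exit(2);
        if (ioctl(slave, TIOCSTI, &c) == 0) _exit(1);  /* kernel accepted the injection */
        _exit(errno == EIO || errno == EPERM ? 0 : 2);  /* EIO: legacy_tiocsti=0 refused it */
    }
    close(slave);
    if (pid < 0 || waitpid(pid, &status, 0) < 0) { close(master); return TIOCSTI_UNTESTABLE; }
    close(master);
    if (!WIFEXITED(status) || WEXITSTATUS(status) == 2) return TIOCSTI_UNTESTABLE;
    return WEXITSTATUS(status) == 1 ? TIOCSTI_ALLOWED : TIOCSTI_BLOCKED;
}
int main(void)
{
    int r = tiocsti_probe();                            /* -1 untestable, 0 blocked, 1 allowed */
    printf("TIOCSTI probe result: %d\n", r);
    return r == TIOCSTI_ALLOWED;                        /* exit 1 = hardening not active */
}
```

A result of 1 on an unprivileged run means the kernel predates the 2022 change or the sysctl is still enabled; 0 means the ioctl was refused.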