cve/published/2025/CVE-2025-37814.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.2.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-37814: tty: Require CAP_SYS_ADMIN for all usages of TIOCL_SELMOUSEREPORT

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 tty: Require CAP_SYS_ADMIN for all usages of TIOCL_SELMOUSEREPORT

 This requirement was overeagerly loosened in commit 2f83e38a095f
 ("tty: Permit some TIOCL_SETSEL modes without CAP_SYS_ADMIN"), but as
 it turns out,

   (1) the logic I implemented there was inconsistent (apologies!),

   (2) TIOCL_SELMOUSEREPORT might actually be a small security risk
       after all, and

   (3) TIOCL_SELMOUSEREPORT is only meant to be used by the mouse
       daemon (GPM or Consolation), which runs as CAP_SYS_ADMIN
       already.

 In more detail:

 1. The previous patch has inconsistent logic:

    In commit 2f83e38a095f ("tty: Permit some TIOCL_SETSEL modes
    without CAP_SYS_ADMIN"), we checked for sel_mode ==
    TIOCL_SELMOUSEREPORT, but overlooked that the lower four bits of
    this "mode" parameter were actually used as an additional way to
    pass an argument.  So the patch did actually still require
    CAP_SYS_ADMIN, if any of the mouse button bits are set, but did not
    require it if none of the mouse buttons bits are set.

    This logic is inconsistent and was not intentional.  We should have
    the same policies for using TIOCL_SELMOUSEREPORT independent of the
    value of the "hidden" mouse button argument.

    I sent a separate documentation patch to the man page list with
    more details on TIOCL_SELMOUSEREPORT:
    https://lore.kernel.org/all/20250223091342.35523-2-gnoack3000@gmail.com/

 2. TIOCL_SELMOUSEREPORT is indeed a potential security risk which can
    let an attacker simulate "keyboard" input to command line
    applications on the same terminal, like TIOCSTI and some other
    TIOCLINUX "selection mode" IOCTLs.

    By enabling mouse reporting on a terminal and then injecting mouse
    reports through TIOCL_SELMOUSEREPORT, an attacker can simulate
    mouse movements on the same terminal, similar to the TIOCSTI
    keystroke injection attacks that were previously possible with
    TIOCSTI and other TIOCL_SETSEL selection modes.

    Many programs (including libreadline/bash) are then prone to
    misinterpret these mouse reports as normal keyboard input because
    they do not expect input in the X11 mouse protocol form.  The
    attacker does not have complete control over the escape sequence,
    but they can at least control the values of two consecutive bytes
    in the binary mouse reporting escape sequence.

    I went into more detail on that in the discussion at
    https://lore.kernel.org/all/20250221.0a947528d8f3@gnoack.org/

    It is not equally trivial to simulate arbitrary keystrokes as it
    was with TIOCSTI (commit 83efeeeb3d04 ("tty: Allow TIOCSTI to be
    disabled")), but the general mechanism is there, and together with
    the small number of existing legit use cases (see below), it would
    be better to revert back to requiring CAP_SYS_ADMIN for
    TIOCL_SELMOUSEREPORT, as it was already the case before
    commit 2f83e38a095f ("tty: Permit some TIOCL_SETSEL modes without
    CAP_SYS_ADMIN").

 3. TIOCL_SELMOUSEREPORT is only used by the mouse daemons (GPM or
    Consolation), and they are the only legit use case:

    To quote console_codes(4):

      The mouse tracking facility is intended to return
      xterm(1)-compatible mouse status reports.  Because the console
      driver has no way to know the device or type of the mouse, these
      reports are returned in the console input stream only when the
      virtual terminal driver receives a mouse update ioctl.  These
      ioctls must be generated by a mouse-aware user-mode application
      such as the gpm(8) daemon.

    Jared Finder has also confirmed in
    https://lore.kernel.org/all/491f3df9de6593df8e70dbe77614b026@finder.org/
    that Emacs does not call TIOCL_SELMOUSEREPORT directly, and it
    would be difficult to find good reasons for doing that, given that
    it would interfere with the reports that GPM is sending.

    More information on the interaction between GPM, terminals and the
    kernel with additional pointers is also available in this patch:
    https://lore.kernel.org/all/a773e48920aa104a65073671effbdee665c105fc.1603963593.git.tammo.block@gmail.com/

    For background on who else uses TIOCL_SELMOUSEREPORT: Debian Code
    search finds one page of results, the only two known callers are
    the two mouse daemons GPM and Consolation.  (GPM does not show up
    in the search results because it uses literal numbers to refer to
    TIOCLINUX-related enums.  I looked through GPM by hand instead.
    TIOCL_SELMOUSEREPORT is also not used from libgpm.)
    https://codesearch.debian.net/search?q=TIOCL_SELMOUSEREPORT

 The Linux kernel CVE team has assigned CVE-2025-37814 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 6.12.14 with commit e46d91ca504d69ae3d09c120b162a238b8013890 and fixed in 6.12.26 with commit 6f021bc0083b96125fdbed6a60d7b4396c4d6dac
 	Issue introduced in 6.14 with commit 2f83e38a095f8bf7c6029883d894668b03b9bd93 and fixed in 6.14.5 with commit 9b50c9c97db953de756a39af83d4be4d7f618aa6
 	Issue introduced in 6.14 with commit 2f83e38a095f8bf7c6029883d894668b03b9bd93 and fixed in 6.15 with commit ee6a44da3c87cf64d67dd02be8c0127a5bf56175
 	Issue introduced in 6.13.3 with commit 2714ffdbb79b48dda03334a01af90fb024f39047

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-37814
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/tty/vt/selection.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/6f021bc0083b96125fdbed6a60d7b4396c4d6dac
 	https://git.kernel.org/stable/c/9b50c9c97db953de756a39af83d4be4d7f618aa6
 	https://git.kernel.org/stable/c/ee6a44da3c87cf64d67dd02be8c0127a5bf56175
	From bippy-1.2.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-37814: tty: Require CAP_SYS_ADMIN for all usages of TIOCL_SELMOUSEREPORT

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	tty: Require CAP_SYS_ADMIN for all usages of TIOCL_SELMOUSEREPORT

	This requirement was overeagerly loosened in commit 2f83e38a095f
	("tty: Permit some TIOCL_SETSEL modes without CAP_SYS_ADMIN"), but as
	it turns out,

	(1) the logic I implemented there was inconsistent (apologies!),

	(2) TIOCL_SELMOUSEREPORT might actually be a small security risk
	after all, and

	(3) TIOCL_SELMOUSEREPORT is only meant to be used by the mouse
	daemon (GPM or Consolation), which runs as CAP_SYS_ADMIN
	already.

	In more detail:

	1. The previous patch has inconsistent logic:

	In commit 2f83e38a095f ("tty: Permit some TIOCL_SETSEL modes
	without CAP_SYS_ADMIN"), we checked for sel_mode ==
	TIOCL_SELMOUSEREPORT, but overlooked that the lower four bits of
	this "mode" parameter were actually used as an additional way to
	pass an argument. So the patch did actually still require
	CAP_SYS_ADMIN, if any of the mouse button bits are set, but did not
	require it if none of the mouse buttons bits are set.

	This logic is inconsistent and was not intentional. We should have
	the same policies for using TIOCL_SELMOUSEREPORT independent of the
	value of the "hidden" mouse button argument.

	I sent a separate documentation patch to the man page list with
	more details on TIOCL_SELMOUSEREPORT:
	https://lore.kernel.org/all/20250223091342.35523-2-gnoack3000@gmail.com/

	2. TIOCL_SELMOUSEREPORT is indeed a potential security risk which can
	let an attacker simulate "keyboard" input to command line
	applications on the same terminal, like TIOCSTI and some other
	TIOCLINUX "selection mode" IOCTLs.

	By enabling mouse reporting on a terminal and then injecting mouse
	reports through TIOCL_SELMOUSEREPORT, an attacker can simulate
	mouse movements on the same terminal, similar to the TIOCSTI
	keystroke injection attacks that were previously possible with
	TIOCSTI and other TIOCL_SETSEL selection modes.

	Many programs (including libreadline/bash) are then prone to
	misinterpret these mouse reports as normal keyboard input because
	they do not expect input in the X11 mouse protocol form. The
	attacker does not have complete control over the escape sequence,
	but they can at least control the values of two consecutive bytes
	in the binary mouse reporting escape sequence.

	I went into more detail on that in the discussion at
	https://lore.kernel.org/all/20250221.0a947528d8f3@gnoack.org/

	It is not equally trivial to simulate arbitrary keystrokes as it
	was with TIOCSTI (commit 83efeeeb3d04 ("tty: Allow TIOCSTI to be
	disabled")), but the general mechanism is there, and together with
	the small number of existing legit use cases (see below), it would
	be better to revert back to requiring CAP_SYS_ADMIN for
	TIOCL_SELMOUSEREPORT, as it was already the case before
	commit 2f83e38a095f ("tty: Permit some TIOCL_SETSEL modes without
	CAP_SYS_ADMIN").

	3. TIOCL_SELMOUSEREPORT is only used by the mouse daemons (GPM or
	Consolation), and they are the only legit use case:

	To quote console_codes(4):

	The mouse tracking facility is intended to return
	xterm(1)-compatible mouse status reports. Because the console
	driver has no way to know the device or type of the mouse, these
	reports are returned in the console input stream only when the
	virtual terminal driver receives a mouse update ioctl. These
	ioctls must be generated by a mouse-aware user-mode application
	such as the gpm(8) daemon.

	Jared Finder has also confirmed in
	https://lore.kernel.org/all/491f3df9de6593df8e70dbe77614b026@finder.org/
	that Emacs does not call TIOCL_SELMOUSEREPORT directly, and it
	would be difficult to find good reasons for doing that, given that
	it would interfere with the reports that GPM is sending.

	More information on the interaction between GPM, terminals and the
	kernel with additional pointers is also available in this patch:
	https://lore.kernel.org/all/a773e48920aa104a65073671effbdee665c105fc.1603963593.git.tammo.block@gmail.com/

	For background on who else uses TIOCL_SELMOUSEREPORT: Debian Code
	search finds one page of results, the only two known callers are
	the two mouse daemons GPM and Consolation. (GPM does not show up
	in the search results because it uses literal numbers to refer to
	TIOCLINUX-related enums. I looked through GPM by hand instead.
	TIOCL_SELMOUSEREPORT is also not used from libgpm.)
	https://codesearch.debian.net/search?q=TIOCL_SELMOUSEREPORT

	The Linux kernel CVE team has assigned CVE-2025-37814 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 6.12.14 with commit e46d91ca504d69ae3d09c120b162a238b8013890 and fixed in 6.12.26 with commit 6f021bc0083b96125fdbed6a60d7b4396c4d6dac
	Issue introduced in 6.14 with commit 2f83e38a095f8bf7c6029883d894668b03b9bd93 and fixed in 6.14.5 with commit 9b50c9c97db953de756a39af83d4be4d7f618aa6
	Issue introduced in 6.14 with commit 2f83e38a095f8bf7c6029883d894668b03b9bd93 and fixed in 6.15 with commit ee6a44da3c87cf64d67dd02be8c0127a5bf56175
	Issue introduced in 6.13.3 with commit 2714ffdbb79b48dda03334a01af90fb024f39047

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-37814
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/tty/vt/selection.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/6f021bc0083b96125fdbed6a60d7b4396c4d6dac
	https://git.kernel.org/stable/c/9b50c9c97db953de756a39af83d4be4d7f618aa6
	https://git.kernel.org/stable/c/ee6a44da3c87cf64d67dd02be8c0127a5bf56175