New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 653466 link

Starred by 1 user
Status: Assigned
Owner:
shchen@chromium.org
Last visit > 30 days ago
Cc:
shchen@chromium.org
dbehr@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 3
Type: Bug



Sign in to add a comment

Ignore input when frecon is used to display images

Project Member Reported by mnissler@chromium.org, Oct 6 2016 
There are a number of cases where we use frecon to display information to the user:

display_boot_message: https://chromium.googlesource.com/chromiumos/platform/assets/+/master/text/display_boot_message#144
recovery/messages.sh: https://chromium.googlesource.com/chromiumos/platform/initramfs/+/master/recovery/messages.sh#249
init/boot-splash.conf: https://chromium.googlesource.com/chromiumos/platform2/+/master/init/boot-splash.conf#62
display_low_battery_alert: https://chromium.googlesource.com/chromiumos/platform2/+/master/init/display_low_battery_alert#43

There are some more occurrences in the factory code, but I don't think we care about these from the UX and security perspective :-D

Currently, frecon will accept keyboard input even when used in the contexts listed above, echoing back the characters on the terminal. This is (1) a slight UX issue and (2) a slight security concern since we're parsing untrusted user input where there is no reason to do so while we're running as root. Note that this is likely hard to exploit since there's no shell attached (but if you have a bug in libpng, that'd make a nice exploit via the image escape sequences! definitely risky for recovery). Since we aren't actually interested in processing user input, it's preferable to just avoid the risk entirely.

We should likely add a flag to frecon that tells it to ignore user input. Frecon code can just skip initializing its input subsystem when the flag is present.

Then, we should update all the contexts mentioned above to pass the flag.

Comment 1 by dbehr@google.com, Nov 11 2016 

We still need to be able to switch between VTs, particularly in factory, so we cannot completely ignore user input.
And I think some scenarios have option to wait for user input/confirmation?

Comment 2 by dbehr@chromium.org, May 1 2017 

Shelley, now that we have escapes to enable/disable input added here https://chromium-review.googlesource.com/#/c/447825/ can you use them for this purpose?

Comment 3 by shchen@chromium.org, May 3 2017

Owner: shchen@chromium.org
Sure.  I'm in the middle of fizz bringup right now, but I should be able to look at the changes that need to be done in the recovery startup scripts in a little bit.
Project Member

Comment 4 by sheriffbot@chromium.org, May 4 2018

Labels: Hotlist-Recharge-Cold
Status: Untriaged (was: Available)
This issue has been Available for over a year. If it's no longer important or seems unlikely to be fixed, please consider closing it out. If it is important, please re-triage the issue.

Sorry for the inconvenience if the bug really should have been left as Available.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 5 by benhenry@chromium.org, Aug 3

Status: Assigned (was: Untriaged)
This bug has an owner, thus, it's been triaged. Changing status to "assigned".

Sign in to add a comment