Bug 12076 (TiCPU) - Security issue in DebugFS part of ath5k
Summary: Security issue in DebugFS part of ath5k
Status: CLOSED CODE_FIX
Alias: TiCPU
Product: Networking
Classification: Unclassified
Component: Wireless
Hardware: All Linux
Importance: P1 high
Assignee: Luis Chamberlain
Reported: 2008-11-21 18:40 UTC by Jérôme Poulin
Modified: 2008-12-01 15:12 UTC
Kernel Version: 2.6.28


Description Jérôme Poulin 2008-11-21 18:40:34 UTC
When DebugFS is activated in the kernel, some distros auto-mount it in /sys/kernel/debug and permissions to reset the card, set debug and other stuff are wide open to any user; reset being set 0222 allows anyone to reset the card anytime (and on my computer it crashes the whole thing).

I would suggest removing any write access to users for all the files created in ath5k/debug.c and even read permissions to user and group to be more secure.
Comment 1 Cheng Renquan 2008-11-21 19:32:55 UTC
I've made a patch to fix it, it's very simple to fix it:

http://marc.info/?l=linux-kernel&m=122732420108666&w=2

but I don't have that hardware, please test it if you have it.
Comment 2 Jérôme Poulin 2008-11-23 08:41:11 UTC
I had a similar patch I forgot to attach, which I submitted to the ath5k tracker, but this one is even better because it uses S_I* constants. Here is the result of the test:

Before:
p4 sys # ls /sys/kernel/debug/ath5k/phy0/ -l
total 0
-rw-rw-rw- 1 root root 0 2008-11-23 10:41 beacon
-rw-rw-rw- 1 root root 0 2008-11-23 10:41 debug
-r--r--r-- 1 root root 0 2008-11-23 10:41 registers
--w--w--w- 1 root root 0 2008-11-23 10:41 reset
-rw-rw-rw- 1 root root 0 2008-11-23 10:41 tsf

Patch...
p4 sys # cd /usr/src/linux
p4 linux # patch -p1 -i ../linux-2.6.27-gentoo-r1/perm.patch 
patching file drivers/net/wireless/ath5k/debug.c
p4 linux # make modules
...
p4 linux # rmmod ath5k
p4 linux # insmod drivers/net/wireless/ath5k/ath5k.ko

After:
p4 linux # ls /sys/kernel/debug/ath5k/phy1/ -l
total 0
-rw-r--r-- 1 root root 0 2008-11-23 11:39 beacon
-rw-r--r-- 1 root root 0 2008-11-23 11:39 debug
-r--r--r-- 1 root root 0 2008-11-23 11:39 registers
--w------- 1 root root 0 2008-11-23 11:39 reset
-rw-r--r-- 1 root root 0 2008-11-23 11:39 tsf

Seems perfect! Thanks.
Comment 3 Luis Chamberlain 2008-12-01 15:12:00 UTC
This is fixed by:

commit 66bc446d4fd057310cc6310721c33767e7c0b408
Author: Cheng Renquan <crquan@gmail.com>
Date:   Sat Nov 22 11:22:49 2008 +0800

    ath5k: fix Security issue in DebugFS part of ath5k
    
    http://bugzilla.kernel.org/show_bug.cgi?id=12076
    
    Remove any write access to groups and others, only keep write permission
    to its owner, usually only root user.
    
    Reported-by: Jérôme Poulin <jeromepoulin@gmail.com>
    Signed-off-by: Cheng Renquan <crquan@gmail.com>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>
Comment 4 Luis Chamberlain 2008-12-01 15:12:17 UTC
It just needs to be propagated to the other kernels.
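
Added example (not part of the bug thread or the ath5k patch): a Python audit that walks a debugfs mount and reports regular files carrying group or other write bits, the condition visible in the "Before" listing of Comment 2, together with the mode each file would have with only the owner's write bit kept. The function name `audit_tree` and the default mount path are choices made for this example.

```python
#!/usr/bin/env python3
"""Report debugfs-style files that group or others can write to."""
import os
import stat
import sys

# Write bits that driver debug controls should not expose.
LOOSE_WRITE = stat.S_IWGRP | stat.S_IWOTH


def audit_tree(root):
    """Return sorted (path, mode_string, owner_only_mode) for loose files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # entry vanished or is unreadable; skip it
            if not stat.S_ISREG(st.st_mode):
                continue
            perms = stat.S_IMODE(st.st_mode)
            if perms & LOOSE_WRITE:
                # Same bits with group/other write cleared, e.g. 0222 -> 0200.
                tightened = perms & ~LOOSE_WRITE
                findings.append((path, stat.filemode(st.st_mode), tightened))
    return sorted(findings)


def main(argv):
    # Default path is the mount point named in the report (assumption:
    # debugfs is mounted there and the caller may traverse it).
    root = argv[1] if len(argv) > 1 else "/sys/kernel/debug"
    findings = audit_tree(root)
    for path, mode, tightened in findings:
        print(f"{mode} {path} (owner-only write: {tightened:04o})")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The script exits non-zero when it finds any such file, so it can be used as a check after loading a driver module.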
