Bug 12076 (TiCPU)

Summary: Security issue in DebugFS part of ath5k
Product: Networking
Component: Wireless
Status: CLOSED CODE_FIX
Severity: high
Priority: P1
Hardware: All
OS: Linux
Kernel Version: 2.6.28
Subsystem:
Regression: ---
Bisected commit-id:
Reporter: Jérôme Poulin (jeromepoulin)
Assignee: Luis Chamberlain (mcgrof)
CC: crquan, mcgrof

Description Jérôme Poulin 2008-11-21 18:40:34 UTC
When DebugFS is activated in the kernel, some distros auto-mount it in /sys/kernel/debug and permissions to reset the card, set debug and other stuff are wide open to any user; reset being set 0222 allows anyone to reset the card anytime (and on my computer it crashes the whole thing).

I would suggest removing any write access to users for all the files created in ath5k/debug.c and even read permissions to user and group to be more secure.
Comment 1 Cheng Renquan 2008-11-21 19:32:55 UTC
I've made a patch to fix it, it's very simple to fix it:

http://marc.info/?l=linux-kernel&m=122732420108666&w=2

but I don't have that hardware, please test it if you have it.
Comment 2 Jérôme Poulin 2008-11-23 08:41:11 UTC
I had a similar patch I forgot to attach I submitted to the ath5k tracker but this one is even better because it uses S_I* constants. Here is the result of the test:

Before:
p4 sys # ls /sys/kernel/debug/ath5k/phy0/ -l
total 0
-rw-rw-rw- 1 root root 0 2008-11-23 10:41 beacon
-rw-rw-rw- 1 root root 0 2008-11-23 10:41 debug
-r--r--r-- 1 root root 0 2008-11-23 10:41 registers
--w--w--w- 1 root root 0 2008-11-23 10:41 reset
-rw-rw-rw- 1 root root 0 2008-11-23 10:41 tsf

Patch...
p4 sys # cd /usr/src/linux
p4 linux # patch -p1 -i ../linux-2.6.27-gentoo-r1/perm.patch 
patching file drivers/net/wireless/ath5k/debug.c
p4 linux # make modules
...
p4 linux # rmmod ath5k
p4 linux # insmod drivers/net/wireless/ath5k/ath5k.ko

After:
p4 linux # ls /sys/kernel/debug/ath5k/phy1/ -l
total 0
-rw-r--r-- 1 root root 0 2008-11-23 11:39 beacon
-rw-r--r-- 1 root root 0 2008-11-23 11:39 debug
-r--r--r-- 1 root root 0 2008-11-23 11:39 registers
--w------- 1 root root 0 2008-11-23 11:39 reset
-rw-r--r-- 1 root root 0 2008-11-23 11:39 tsf

Seems perfect! Thanks.
Comment 3 Luis Chamberlain 2008-12-01 15:12:00 UTC
This is fixed by:

commit 66bc446d4fd057310cc6310721c33767e7c0b408
Author: Cheng Renquan <crquan@gmail.com>
Date:   Sat Nov 22 11:22:49 2008 +0800

    ath5k: fix Security issue in DebugFS part of ath5k
    
    http://bugzilla.kernel.org/show_bug.cgi?id=12076
    
    Remove any write access to groups and others, only keep write permission
    to its owner, usually only root user.
    
    Reported-by: Jérôme Poulin <jeromepoulin@gmail.com>
    Signed-off-by: Cheng Renquan <crquan@gmail.com>
    Signed-off-by: John W. Linville <linville@tuxdriver.com>
Comment 4 Luis Chamberlain 2008-12-01 15:12:17 UTC
It just needs to be propagated to the other kernels.
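
The check from Comment 2's before/after listing, as an added example that is not part of the bug thread or the ath5k patch: a user-space C audit that flags files in a debugfs directory that are writable by group or others and prints the mode left after clearing those bits. The function names are assumptions of this example; the default directory is the one from the "Before" listing.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <stdio.h>
#include <sys/stat.h>

/* Group/other write bits: set on beacon, debug, reset and tsf in the
 * "Before" listing, cleared in the "After" listing. */
#define LOOSE_WRITE (S_IWGRP | S_IWOTH)

/* Permission bits with group/other write cleared; owner and read bits kept. */
static mode_t hardened_mode(mode_t mode)
{
    return (mode & 07777) & ~(mode_t)LOOSE_WRITE;
}

/* Non-zero when group or others may write to the file. */
static int is_loose(mode_t mode)
{
    return (mode & LOOSE_WRITE) != 0;
}

/* Report regular files in dir that are writable by group or others.
 * Returns the number found, or -1 if dir cannot be opened. */
static int scan_dir(const char *dir)
{
    DIR *d = opendir(dir);
    struct dirent *e;
    int hits = 0;

    if (!d)
        return -1;
    while ((e = readdir(d)) != NULL) {
        char path[4096];
        struct stat st;
        int n = snprintf(path, sizeof path, "%s/%s", dir, e->d_name);

        if (n < 0 || (size_t)n >= sizeof path)
            continue; /* path too long for the buffer */
        if (stat(path, &st) != 0 || !S_ISREG(st.st_mode))
            continue; /* skips ".", ".." and subdirectories */
        if (is_loose(st.st_mode)) {
            printf("%s: mode %04o, without group/other write: %04o\n", path,
                   (unsigned)(st.st_mode & 07777),
                   (unsigned)hardened_mode(st.st_mode));
            hits++;
        }
    }
    closedir(d);
    return hits;
}

int main(int argc, char **argv)
{
    /* Pass another directory as argv[1] to audit a different driver. */
    int n = scan_dir(argc > 1 ? argv[1] : "/sys/kernel/debug/ath5k/phy0");

    if (n < 0) { perror("opendir"); return 2; }
    return n > 0; /* exit status 1 when any loose file was found */
}
```

Reading debugfs usually requires root, so run the audit as root; an exit status of 0 means no file in the directory is writable by group or others.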